New simplified edu-ID integration for organizations available now

The integration of the edu-ID previously required the implementation of two small software components on the university side:

    1. the linking service with which the edu-ID account of a person is linked to the internal account at the university,
    2. and the attribute synchronization with which the university manages the affiliations in the edu-ID accounts.

A new integration method is now available that does not require the development and operation of software at the university.

The new integration method is based on the idea that a university member can be identified by their organization email address.

From a user’s point of view, the process is as follows:

    1. the person creates an edu-ID account (if she doesn’t already have one).
    2. the person goes to the account management on
    3. the person adds her personal university email address
    4. like every newly added email address, this one also has to be confirmed by the person. The edu-ID system sends a confirmation link by email, which the person has to click.

Et voilà – the linking is completed!

Behind the scenes, here’s what happens.

The edu-ID account management keeps a list of email domain names for all organizations who are using the email-based linking method. If a newly added email address matches one of these domain names, the associated university is determined. In the next step, edu-ID queries for a user with that email address on the Attribute Provider API. If a user is found, an affiliation is added to the edu-ID account.

So the creation of the affiliation takes place immediately.

From then on, the edu-ID’s attribute aggregator will query the organization’s affiliation API daily to update or remove any affiliations.
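The linking step described above, sketched as an added example (not SWITCH's code). The domain list, the directory contents, the function names and the exact-match rule for domains are assumptions made for illustration, and the Attribute Provider API is replaced by an in-memory stand-in.

```python
# Constructed sample data: the domains, names and affiliation values are placeholders.
ORG_DOMAINS = {
    "uni-a.example": "University A",
    "students.uni-a.example": "University A",
}
# Stand-in for each organization's Attribute Provider API (hypothetical shape).
DIRECTORY = {"University A": {"alice@uni-a.example": "staff"}}


def domain_of(email):
    """Return the lower-cased domain after the last '@', or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def organization_for(email):
    """Exact domain match only (assumption): suffix or look-alike domains do not match."""
    domain = domain_of(email)
    return ORG_DOMAINS.get(domain) if domain else None


def ap_api_lookup(org, email):
    """Hypothetical AP-API query: return the affiliation for this address, or None."""
    return DIRECTORY.get(org, {}).get(email.strip().lower())


def link_email(account, email, confirmed):
    """Add an affiliation to the account only for a confirmed, known address."""
    if not confirmed:
        return "pending-confirmation"  # link in the confirmation mail not clicked yet
    org = organization_for(email)
    if org is None:
        return "no-organization"       # domain is not on the list
    affiliation = ap_api_lookup(org, email)
    if affiliation is None:
        return "user-not-found"        # organization does not know this address
    account.setdefault("affiliations", []).append(
        {"organization": org, "affiliation": affiliation})
    return "linked"


if __name__ == "__main__":
    account = {}
    for addr, ok in [("Alice@UNI-A.example", True), ("alice@uni-a.example", False),
                     ("alice@uni-a.example.other.example", True), ("bob@uni-a.example", True)]:
        print(addr, ok, link_email(account, addr, ok))
    print(account)
```

The order of the checks matters: an affiliation is only written after the address has been confirmed and the organization's own directory has returned a user for it.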

The innovations are twofold. First, there is the new email-based linking method. This linking method is always operated by SWITCH in the edu-ID account management.

Second, the Attribute Provider API (AP-API) has been extended so that it can be operated entirely by SWITCH. If SWITCH is to host the AP-API, read-only access to the university’s directory is required. If the university does not want to grant direct access to the directory for regulatory reasons, it can also operate the AP-API itself.

This exciting new integration method has been implemented in tight collaboration with SFUVET and is now available to all interested organizations.
