The edu-ID is a user-centric system in which users generally manage their account data themselves. And yet, some data relates to and is thus asserted by organisations like universities. Therefore, the edu-ID system provides several APIs for organisations so that they can manage data about users they are authoritative for. A new way to manage this data is the edu-ID administration interface for organisations, which is presented in this blog post.
A representative from a larger higher education organisation in Switzerland recently stated that they identify roughly 40 compromised user accounts on average per month. Extrapolating this number for all Swiss AAI users, this number would grow to more than 1’000 compromised accounts per month. Many of them are probably not even detected. Many of them probably belong to young students who may not always take proper care of their credentials. But every now and then, also staff members and professors learn about the nightmares of impersonation of their digital identity. So, how can edu-ID support SWITCHaai services to enhance authentication security? Continue reading
Have you ever invited professional burglars to break into your home to steal your valuables? For the edu-ID service we have done exactly that, and we even paid for it. The valuables in our case is identity data from all edu-ID users. However, the “professional burglars” were actually very kind, professional and skilled security experts from Compass Security.
As a child of the 80’s, of course I have seen the movie “Highlander”. In our “clone wars” (referencing Star Wars) against edu-ID duplicate accounts, I therefore remember the famous high lander quote “there can be only one”. Slightly adapted, this quote fits: “There can be only one edu-ID account per person”. Thanks to the automatic merging process described in this article, we now have the weapon in our hands to reach this goal.
Duplicate user accounts on a single system are sooner or later causing a nightmare. One ambition of the SWITCH edu-ID has always been the prevention of duplicate user accounts. However, only a few weeks after the edu-ID launch in 2015 we already found indications for a couple of duplicate accounts. How did that come about and what can we do to prevent duplicate accounts?
In a previous blog post we presented how AAI Service Provider (SP) administrators can customize the edu-ID registration and login pages individually for their service. However, an SP administrator can not only brand the edu-ID pages with a custom logo or custom text but he can also influence the process itself used when users register, login or when they complete their account data. Examples of such process modifications are:
- To send a user automatically to a specific URL after registration or login
- To make a user first provide a specific verified or unverified attribute (e.g. mobile number or home postal address) and then send him back to the service
Both of these example scenarios have been used for instance by the Swissbib service for several months. Swissbib users sometimes have to provide a verified mobile number and/or postal address before they get access to national license content, which – by agreement – should be only available to residents of Switzerland.
So, how can an AAI SP administrator customize the edu-ID processes to implement the above and more scenarios? All that is needed is to send the user on the right path, or rather to the right URL. For all those not wanting to get familiar with the technical details of how these URLs have to be composed to achieve a certain process change, we have created a useful tool that makes the URL generation very easy: The edu-ID Login Link Composer.
The edu-ID Login Link Composer consists of a form with several inputs that are used to generate a link which triggers the requested behaviour. The user then just has to be sent to the generated URL to start the process.
Try out the edu-ID Login Link Composer with your own AAI service.
How to ensure that only staff members of my group in my organisation can access team documents via the web and only if they are connected via the organisation’s office network? And how to implement this without writing code? Thanks to Apache, Shibboleth and a SAML-based federation like SWITCHaai, these not so uncommon real life requirements are easy to implement. At least, once one has understood how user attributes can be used for access control. This blog entry demonstrates how to create such access control rules. Continue reading