For more than 15 years, the SWITCHaai federation was entirely based on the SAML protocol. SWITCH is happy to announce that as of March 1st 2021 the edu-ID identity provider (IdP) officially also supports OpenID Connect.
Anyone wishing to begin studying human medicine, dentistry, veterinary medicine or chiropractic must register online with swissuniversities.
Since this year, authentication is exclusively done with SWITCH edu-ID on the Medon registration platform. Thus Medon uses a unique feature that was introduced with edu-ID in the Swiss AAI federation: anyone can create an edu-ID account and use it in the context of academic services.
On February 1st 2019 the University of Lucerne took a big step. It is the first university that has completely switched over to the SWITCH edu-ID. All of its roughly 4000 members now use their own secure, long-lived and user-centric SWITCH edu-ID account to access services relevant to the Swiss academic community.
The introduction of the edu-ID heralds a paradigm change in identity management for Swiss higher education. Users are getting more control over their personal data whereas universities can optimize their identity management processes. Fortunately, despite the fundamental architectural change, the impact on users is moderate.
“The migration to SWITCH edu-ID on 1 February 2019 went smoothly. Smaller problems after the migration were solved very quickly by SWITCH. Despite some obstacles in the course of the project, SWITCH provided us with competent support and assistance at all times.”
Marco Antonini, Head of IT
The first preliminary talks between University of Lucerne and SWITCH on edu-ID were held in September 2017. The idea behind the SWITCH edu-ID and, above all, the opportunities it offers in the future convinced the university right from the start. So they decided to change over relatively early. An important prerequisite, central user administration, was already in place, so that the concrete planning could be started.
As integration approach, linking at registration was chosen for new students, and linking after admission for current members and future staff. With the integration of edu-ID into the organisational IT and the provisioning of all members with an edu-ID identity, the university has reached an important milestone. In a second step, further groups will be addressed, namely alumni, auditors and further education students.
As the first organisation to change over completely to SWITCH edu-ID, the University of Lucerne makes history. It can be rightfully proud of this achievement!
As a university member you usually have a single role – you are either a student, a teacher, or a staff member. In not so rare cases, however, a person has several roles at the same time, e.g. as a student and an employee. How do universities deal with this situation today in SWITCHaai, and how is it covered in SWITCH edu-ID?
In 2017, seven universities started planning their adoption of SWITCH edu-ID. Together with the edu-ID project team, each university organized 2-4 workshops to elaborate an individual integration concept and to determine a time schedule for the transition.
It was no surprise to see that the IT landscape and identity management (IdM) processes of the universities are fairly different. Based on the workshops we were however able to identify and document a few major categories which may serve as source of ideas for other universities.
Wait!? We all know that SWITCH develops edu-ID – so what does adopting edu-ID mean?
It is true that SWITCH as the operator of the AAI federation develops edu-ID. On the other hand, the organization SWITCH with its IdP is also a SWITCHaai Home Organization in the AAI federation. In this post we will describe how the organization SWITCH integrated edu-ID, allowing it to turn off its own IdP.
The user interface to create and manage a SWITCH edu-ID account was originally available in English. It was translated to French and German half a year ago.
We are happy to announce that the Italian translation of the user interface is ready and can be used as of today.
If you have comments or suggestions for translation enhancements please don’t hesitate to contact us.
The SWITCHaai identity federation is based on one important concept: the separation of identity management (IdM) and access management (AM). Identity providers are trusted sources of a set of well-defined attributes. For each user trying to access a service, the service itself decides, based on the user's attributes, whether access is granted or denied.
The identity provider in its purest form only manages general user information like name, age, email address, membership status at a university etc. This information is general and not specific to services. The service-specific part is how a service combines attribute information to build complex access rules like: “This service accepts math students and staff members”.
What if a group of services needs to share additional information about a user that is not part of the standard attribute set? For this case SWITCH has developed the shared attribute service for the edu-ID.
The shared attribute service consists of a database where additional attributes can be stored for each SWITCH edu-ID user. The contents of this database are not managed by the SWITCH edu-ID Identity Provider. Authorised external entities can access the shared attributes database via an API and set or delete attribute values for selected edu-ID users. When a user accesses a service provider, the shared attributes for that user are added to the standard attributes and sent to the service.
What effectively happens with shared attributes is that one part of AM (the part that is common to a group of services) is extracted from the services and centralized.
First application: National Licences
The first application to use shared attributes is the National Licenses service. In the context of the national licenses some publishers grant access to users who satisfy a complex access rule. The user has to be a Swiss citizen, has to accept specific terms, must have been active during the last year and must not be blocked due to service abuse.
A specially developed national licenses registration platform checks whether a user meets all the requirements. If the user does, the flag national-license-compliant is set in the shared attributes database for that user. Consequently, services participating in the national licenses program receive the additional attribute and grant access to licensed publications.
If a user does not meet all requirements, the national-license-compliant flag is removed. The user gets an explanation on the registration service and some indications of how he or she could regain access to the national licenses program.
Note: The shared attributes service has been developed by SWITCH to solve a specific problem and to gain experiences with the concept. It is possible that the service will be replaced in the future by a more general group management service.
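The following is an added illustration (not SWITCH's code) of the separation described above: standard attributes held by the IdP, a shared attribute store with a set/delete API, the national licences rule evaluated by a registration platform, and the merge at service access time. All names, fields and sample users are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample of attributes the IdP itself manages (assumed schema)
STANDARD_ATTRIBUTES = {
    "alice@example.org": {"displayName": "Alice", "affiliation": ["student"], "studyBranch": "math"},
    "bob@example.org": {"displayName": "Bob", "affiliation": ["staff"]},
}


class SharedAttributeService:
    """Per-user extra attributes, managed outside the IdP through a small API (assumed)."""

    def __init__(self):
        self._db = {}

    def set(self, user, name, value):  # called by an authorised external entity
        self._db.setdefault(user, {})[name] = value

    def delete(self, user, name):
        self._db.get(user, {}).pop(name, None)

    def get(self, user):
        return dict(self._db.get(user, {}))


def build_assertion(user, shared):
    """At access time the IdP merges shared attributes into the standard set sent to the SP."""
    attrs = dict(STANDARD_ATTRIBUTES.get(user, {}))
    attrs.update(shared.get(user))
    return attrs


def national_licence_compliant(profile, today_iso):
    """Registration platform rule: Swiss citizen, terms accepted, active within a year, not blocked."""
    today = date.fromisoformat(today_iso)
    last_active = date.fromisoformat(profile["last_active"])
    return (profile["swiss_citizen"] and profile["terms_accepted"]
            and today - last_active <= timedelta(days=365) and not profile["blocked"])


def register(user, profile, shared, today_iso):
    """Set the flag when the rule holds, remove it otherwise; return the decision."""
    if national_licence_compliant(profile, today_iso):
        shared.set(user, "national-license-compliant", True)
        return True
    shared.delete(user, "national-license-compliant")
    return False


def publisher_grants_access(assertion):
    """A participating publisher only looks at the shared flag."""
    return assertion.get("national-license-compliant") is True


def math_or_staff_grants_access(assertion):
    """A service-specific rule built purely from standard attributes."""
    aff = assertion.get("affiliation", [])
    return "staff" in aff or ("student" in aff and assertion.get("studyBranch") == "math")
```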
Services use SWITCH edu-ID as authentication mechanism for their users. Universities use SWITCH edu-ID to onboard new students or staff members. Branding is a great new feature to integrate the SWITCH edu-ID into services and to improve the user experience.
The Swiss edu-ID is a user-centric identity. This means that the identity is managed by its owner who directly provides many pieces of identity information in the personal profile.
But can a user be trusted? Will users provide correct personal information for their Swiss edu-ID?
Although users rarely have an interest in providing wrong personal information about themselves, the answer to the above question is no. For this reason, Swiss edu-ID has implemented various processes to verify user information. All email addresses and mobile phone numbers are directly verified when a user enters them in the personal profile.
As of today, users also can have their private postal address verified.
Unverified addresses are marked by a grey verification icon with a red question mark.
Clicking the green arrow starts the verification process. A few days later, the user will receive a letter (yes – a real one on paper!) at the specified postal address with an activation code. After the user has entered the code in the Swiss edu-ID profile, the address is verified. This is reflected by a golden verification icon in the profile.
The first service relying on this new feature is the National Licenses project of the Consortium of Swiss Academic Libraries. Their aim is to give private individuals access to scientific publications. The publishers of scientific publications require some proof that a user is living in Switzerland. By relying on the verifications done within the Swiss edu-ID, the national licenses service does not have to implement its own verification processes.
In SWITCHaai, identity management is entirely the responsibility of the organisations participating as identity providers in the federation. With its successor, the Swiss edu-ID, elements of identity management tasks will be performed by SWITCH. SWITCH has conducted a market analysis (RFI) with the aim to identify existing identity management products that fit the Swiss edu-ID requirements, to evaluate these products, and to make a recommendation on the next steps in the project.
The Swiss edu-ID Team is happy to announce the first revision of the Swiss edu-ID detailed architecture. It is a thorough description of the Swiss edu-ID federation, its participants and their roles, the information architecture, data models and identity management processes.
The architecture was developed based on the output of Swiss edu-ID working groups, the Swiss edu-ID high level architecture, and numerous presentations and follow-up discussions with university members during the past years. On this occasion we would like to express our gratitude for the great effort and support in our community!
The draft of the architecture document was reviewed by the Processes II Workgroup, subscribers of the Swiss edu-ID newsletter and external identity management experts. Of course, comments are still welcome at any time.
With the Swiss edu-ID SWITCH will introduce many new features and enhancements to the already well established SWITCHaai service. However, one aspect is not just an improvement, but rather a paradigm shift: the change from organisation-centric to user-centric identity management.
This week, the project Swiss edu-ID mobile App was started with its kickoff meeting in Zurich. All involved participating institutions were represented: HTW Chur (project lead), USI, FHNW and SWITCH.