The Transition of a University to edu-ID

In 2017, seven universites have started planning their adoption of SWITCH edu-ID. Together with the edu-ID project team each university organized 2-4 workshops to elaborate an individual integration concept and to determine a time schedule for the transition.

It was no surprise to see that the IT landscape and identity management (IdM) processes of the universities are fairly different. Based on the workshops we were however able to identify and document a few major categories which may serve as source of ideas for other universities.

Continue reading “The Transition of a University to edu-ID”

SWITCH adopts edu-ID

Wait!? We all know that SWITCH develops edu-ID – so what does adopting edu-ID mean?

It is true that SWITCH as the operator of the AAI federation develops edu-ID. On the other hand, the organization SWITCH with its IdP is also a SWITCHaai Home Organization in the AAI federation. In this post we will describe how the organization SWITCH integrated edu-ID, allowing it to turn off its own IdP.

Continue reading “SWITCH adopts edu-ID”

Authentication for Windows services using SWITCH edu-ID?

Are you running a Microsoft Windows Service (e.g. Sharepoint) with non-public content connected to your organisational Active Directory (AD)? Do you want to make content available to specific external users, e.g. users with a SWITCH edu-ID? This article is for you.

While Windows Authentication remains based on Active Directory Servers, the gap between the Windows and the Shibboleth world has become bridgeable, thanks to new features in ADFS 2016.

Imagine yourself running some Microsoft Windows service such as a Sharepoint instance. You probably need to configure external authentication. This is, and always was, straightforward if you can attach Active Directory Servers to the Sharepoint instance. However, it used to turn out a bit more cumbersome if you wanted to base your external authentication on a non-Windows service like e.g. a Shibboleth IdP[1]. In short, supporting regular SWITCHaai was difficult for Windows services.

Thankfully, this has changed. ADFS 4.0, being a part of Windows Server 2016 has improved interoperability with SAML 2.0, which allows for use of a Shibboleth IdP when serving authentication requests from Windows services.

Peter M. Studer, one of the Identity Management (IdM) specialists at the University of Bern, has recently posted a blog (in German), which explains in detail how to deploy an ADFS server as a proxy to an IdP within SWITCHaai, in particular as a proxy to the SWITCH edu-ID IdP.

We find this step-by-step tutorial extremely helpful and will set up an appropriate proof of concept locally. This may be a first step towards integration of SWITCH edu-ID authentication for Windows services. If you are interested in learning more about the proof of concept, please contact us!

[1] IdP: Identity Provider

P.S.: There’s – at least – one more thing that has to be sorted out before such an idea can go into production: the metadata signature check. Any resource in a federation needs to properly link into the trust chain, something which is well prepared for resources based on Shibboleth software, but can be hard for others – yet.

SWITCH edu-ID Now Speaks Italian

The user interface to create and manage a SWITCH edu-ID account was originally available in English. It was translated to French and German half a year ago.

We are happy to announce that the Italian translation of the user interface is ready and can be used as of today.

Together with the Italian user interface we have also translated and released the SWITCH edu-ID terms of use in French, German and Italian.

If you have comments or suggestions for translation enhancements please don’t hesitate to contact us.

Advanced Access Management with SWITCH edu-ID

The SWITCH aai identity federation is based on one important concept: The separation of identity management (IdM) and access management (AM). Identity providers are trusted sources of a set of well defined attributes. For each user trying to access a service, the service itself decides based on his/her attributes if access to the service is granted or denied.

shared-attributes-basic

The identity provider in its purest form only manages general user information like name, age, email address, membership status at a university etc. This information is general and not specific to services. The service specific part is the way how attribute information can be combined by a service to build complex access rules like: “This service accepts math students and staff members”.

What if a group of services needs to share additional information about a user that is not part of the standard attribute set? For this case SWITCH has developed the shared attribute service for the edu-ID.

shared-attributes-extension

The shared attribute service consists of a database where additional attributes can be stored for each SWITCH edu-ID user. The contents of this database are not managed by the SWITCH edu-ID Identity Provider. Some external entities can access to the shared attributes database via an API, and set or delete attribute values for selected edu-ID users. When a user accesses to a service provider the shared attribute for that user is added to the standard attributes and sent to the service.

What effectively happens with shared attributes is that one part of AM (the part that is common to a group of services) is extracted from the services and centralized

First application: National Licences

The first application to use shared attributes is the National Licenses service. In the context of the national licenses some publishers grant access to users who satisfy a complex access rule. The user has to be a Swiss citizen, has to accept specific terms, must have been active during the last year and must not be blocked due to service abuse.

shared-attributes-natlic

A specially developed national licenses service registration platform checks if a user meets all the requirements of a user. If the user does meet the requirements, the flag national-license-compliant is set in the shared attributes database for that user. Consequently, services participating in the national licenses program get the additional attribute and grant access to licensed publications.

If a user does not meet all requirements, the national-license-compliant flag is removed. The user gets an explanation on the registration service and some indications how he or she could re-gain access to the national licenses program.

Note: The shared attributes service has been developed by SWITCH to solve a specific problem and to gain experiences with the concept. It is possible that the service will be replaced in the future by a more general group management service.

Verify your Private Postal Address

The Swiss edu-ID is a user-centric identity. This means that the identity is managed by its owner who directly provides many pieces of identity information in the personal profile.

But can a user be trusted? Will users provide correct personal information for their Swiss edu-ID?

Although users rarely have a interest in providing wrong personal information about themselves, the answer to the above question is no. For this reason, Swiss edu-ID has implemented various processes to verify user information. All email addresses and mobile phone numbers are directly verified when a user enters them in the personal profile.

As of today, users also can have their private postal address verified.

Unverified addresses are marked by a grey verification icon with red question mark

Screen Shot 2016-09-01 at 13.37.30.png

Klicking the green arrow starts the verification process. A few days later, the user will receive a letter (yes – a real one on paper!) at the specified postal address with an activation code. After the user has entered the code in the Swiss edu-ID profile the address is verified. This is reflected with a golden verification icon in the profile

Screen Shot 2016-09-01 at 13.42.31.png

The first service relying on this new feature is the  National Licenses project of the Consortium of Swiss Academic Libraries. Their aim is to give private individuals access to scientific publications. The publishers of scientific publications require some sort of proof of a user, that he/she is living in Switzerland. By relying on the verifications done within the Swiss edu-ID the national licenses service does not have to implement its own verification processes.

Save

Final Report on Market Analysis of IdM Solutions

In SWITCHaai, identity management is entirely the responsibility of the organisations participating as identity providers in the federation. With its successor, the Swiss edu-ID, elements of identity management tasks will be performed by SWITCH. SWITCH has conducted a market analysis (RFI) with the aim to identify existing identity management products that fit the Swiss edu-ID requirements, to evaluate these products, and to make a recommendation on the next steps in the project.

Continue reading “Final Report on Market Analysis of IdM Solutions”

Trust in federated AAI: with a particular attention to SWITCHaai

SWITCHaai has a long and successful history in enabling access to hundreds of mainly academic web resources by reusing the authentication mechanisms at the heart of participating organisations.

When joining the SWITCHaai team a couple of years ago, I noticed two things about trust: a) it was just there, and b) no one talked about it. “Trust is established when no one talks about it anymore” someone said. It made me wonder how such a unique construction could be there and just work. There must have been many detailed questions that had to be resolved to get to that point! My curiosity was piqued, so, I started delving into this fascinating topic. How come all of these many service providers, identity providers, end users, organisations and federation partners, commercial or not, just do what the others would expect from them and don’t break trust?

Let’s start with an overview of the roles within an identity federation and their particular expectations towards each other and the federation as a whole. Continue reading “Trust in federated AAI: with a particular attention to SWITCHaai”

Swiss edu-ID Detailed Architecture available now

The Swiss edu-ID Team is happy to announce the first revision of the Swiss edu-ID detailed architecture. It is a thorough description of the Swiss edu-ID federation, its participants and their roles, the information architecture, data models and identity management processes.

The architecture was developed based on the output of Swiss edu-ID working groups, the Swiss edu-ID high level architecture, and numerous presentations and follow-up discussions with university members during the past years. On this occasion we would like to express our gratitude for the great effort and support in our community!

The draft of the architecture document was reviewed by the Processes II Workgroup, subscribers of the Swiss edu-ID newsletter and external identity management experts. Of course, comments are still welcome at any time.

The document (direct PDF link) can be downloaded from the document section of the Swiss edu-ID website.

eduKEEP: Promoting the Swiss edu-ID Concept Internationally

With the Swiss edu-ID SWITCH will introduce many new features and enhancements to the already well established SWITCHaai service. However, one aspect is not just an improvement, but rather a paradigm shift: the change from organisation-centric to user-centric identity management.

Continue reading “eduKEEP: Promoting the Swiss edu-ID Concept Internationally”

Could ORCID iD replace the Swiss edu-ID?

Before I bluntly say ‘no!’, let me try to explain why the question arises at all (and why it is reasonable to ask it).

The term ORCID ID actually refers to many things. Technically, it is 1) a unique identifier, 2) a login with a username and password and 3) personal attributes associated with the unique identifier. While I initially thought that the ORCID iD was only an identifier, it turned out that the ORCID community has built an extensive set of additional services over the last few years. Continue reading “Could ORCID iD replace the Swiss edu-ID?”

Testing Alternatives to Shibboleth

The technical functions of a Swiss edu-ID service consist of two main building blocks: access management (AM) and identity management (IdM). Within the SWITCHaai federation, the core of the AM functionalities are provided by Shibboleth, while the IdM-processes are implemented at the universities with a variety of products.

While it is clear that the Swiss edu-ID has to be compatible with SWITCHaai, it is basically an open question on what product stack it should be based. Between November 2014 and January 2015 SWITCH conducted a request for information (RFI) to get an overview of the current AM (and partly IdM) products on the market. In the RFI it turned out, that both Shibboleth and Forgerock/OpenAM are valid candidates to build the AM functions of the Swiss edu-ID framework. Continue reading “Testing Alternatives to Shibboleth”

Launch of the Swiss edu-ID for SWITCHportfolio

The e-portfolio service SWITCHportfolio is now officially supporting the Swiss edu-ID.

With the Swiss edu-ID a user can maintain a personal e-portfolio in SWITCHportfolio even without affiliation as student or staff at a university. This feature is particularly useful for students who have created an extensive e-portfolio during their studies and who are soon going to leave the university. By transferring their portfolio to the alumni-environment on SWITCHportfolio, users can continue to maintain it long after they have left the university.

For more information on how the transfer from a student-portfolio to an alumni-portfolio is best organized please contact the SWITCHportfolio service team.