OpenID Connect meets SAML and Shibboleth

Will the up-and-coming OpenID Connect (OIDC) displace the established Security Assertion Markup Language (SAML)? In some domains it already has, thanks to the wide availability of implementations for many programming languages. It also offers an easy solution for delegating access to protected resources, something that is possible with SAML but harder to realise, and a typical use case for mobile applications today. However, OIDC has no concept of a “federation”, i.e. a private group of entities that trust each other, and that is a big drawback to adoption in a federated context like research and education. In this article, we look at a few initiatives that seek to bridge the gap between the two realms.

AAI & Swiss edu-ID Update 2016

Save the Date: Thursday 30 June 2016

This year the joint SWITCHaai & Swiss edu-ID update event will take place for the third time, a little earlier than usual, on 30 June, as always in Berne.

Note the date in your agenda for this all-day event, where you will get up-to-date information about SWITCHaai, Swiss edu-ID version 2.0 and migration scenarios, and have the opportunity to exchange with IdM/IAM specialists and those responsible for services at other institutions.

Registration information will follow later in this blog, on the AAI mailing lists and in the Swiss edu-ID newsletter (swit.ch/swisseduid-announce).

Bye-bye Guest IdP – Welcome Swiss edu-ID

Since February 2012, SWITCH has operated the Guest Login Identity Provider (Guest IdP), which allowed users without a regular AAI account to access certain services. The Guest IdP has also allowed what was otherwise not possible with SWITCHaai: a quick and easy self-registration to access AAI services.


New SWITCH story “Exercising caution when processing personal data”

Swiss edu-ID is widely based on SWITCHaai, but there are some fundamental differences to take into account since a Swiss edu-ID is a persistent and user-centered identity. What impact this has on data protection and processing issues is discussed in this new article.

Legal and data protection questions are also answered in our FAQ section.

New SWITCH story “Who is liable for the Swiss edu-ID?”

What happens if a Swiss edu-ID account is misused? And if the information used to verify a person’s authorisation proves to have been wrong, who is then liable: the service operator, the user or the source of the attribute? Where does the Code of Obligations apply? Read more about these legal questions in this new SWITCH story.

eID for Switzerland is on the road

Imagine you get a Swiss electronic identity. What should it look like? Fedpol asked the Swiss edu-ID team to comment on their concept of a federal eID.

A starting point
In Sweden more than 50% of citizens already have an eID, an identity originally issued by the private sector (such as banks) and developed further towards a standardised identity assertion and a more federated approach. Meanwhile, in Switzerland the foundation for a federal electronic identity will now be laid by presenting an eID concept to the Federal Council and then starting the process to implement it in law.

As e-identities are widely used in Switzerland and are issued by several organisations (SuisseID, MobileID, Swiss edu-ID etc.), in May 2015 the Federal Office of Police (fedpol) started a consultation on the proposed eID concept. SWITCH submitted its statement as one of 68 companies and institutions with expertise in identity management. The interpretation of the answers and the conclusions are now available.


Keep your e-portfolio with Swiss edu-ID

An e-portfolio is often a high investment in time and effort. It is the proof of a student's study progress over the years (learning portfolio), a collection of knowledge, files and links, or perhaps a career portfolio containing all information and documents relevant for the CV.

Now it is possible to keep and further develop an e-portfolio after studies with a Swiss edu-ID. Once the Swiss edu-ID is linked to a valid AAI identity, a user will be able to migrate his/her e-portfolio to SWITCHportfolio (if LEAP2A compatible) and to access it in the future with his/her Swiss edu-ID.


AAI & Swiss edu-ID Update Event

Thursday 13 August 2015, Berne

Would you like to know more about the current state of SWITCHaai, IdP clustering, MFA and eduGAIN, or about how Swiss edu-ID is progressing, its outcomes, next steps and which pilots are under way?
Then we would like to invite you to this event, with an AAI Update in the morning (10:15 – 12:00):

  • SWITCHaai Status Update
  • IdP Clustering
  • Multi-factor Authentication and Shibboleth IdPv3
  • SP Reverse Proxy Server at ZHAW
  • How the SAMLtrace Firefox add-on can be useful
  • eduGAIN: An Opportunity for Research Collaborations
  • eduGAIN Access Check (also a topic of interest for SWITCHaai?)

followed by a Swiss edu-ID Update in the afternoon (13:15 – 16:15) to inform about and discuss

  • The future of AAI and Swiss edu-ID; Outlook to Swiss edu-ID 2.0
  • Results from the working groups and call for new working groups
  • Swiss edu-ID 1.0: Status
  • Pilot Projects Overview
  • Adoption of OAuth2, OpenID Connect in the Swiss edu-ID.

Details and registration

Business & Governance Model Reports

The final reports of the Business Model and Governance Model Working Groups are available.

The Business Model Report describes relevant information and methods to be used for the Business Model, such as

  • general assumptions
  • IdM market analysis
  • identification of stakeholders
  • general quantity structures
  • description of the value proposition for different stakeholders
  • potential risks
  • outlining of financing options.

Recommendations for elaborating and refining the Swiss edu-ID Business Model:

  • New user groups: increasing the user base and the number of provided resources is fundamental for success (doubling the number of users within the next 3 years)
  • Costs: do not charge users. A cost-sharing model has to be agreed with the universities. Third-party Service Providers can help to improve the financing of the service.
  • Transition phase: as early and short as possible in order to limit costs of parallel operation
  • Roadmap: include information about the revenue streams that might shift over the three stages (1: AAI in parallel; 2: AAI replaces; 3: access for additional external services)

Next steps:

  • develop adoption and co-innovation risk maps and a stakeholder risk matrix
  • define appropriate actions and assign them to a person or group with a deadline in order to reduce the identified risks
  • describe concrete financing options (including numbers)

The Governance Model Report describes

  • existing governance structure for SWITCH and SWITCHaai
  • new stakeholder groups that may become part of the governance structure
  • how those stakeholder groups could be involved.

Recommendations:

  • use the SWITCHaai Governance Model as far as possible and extend it in order to include new stakeholder groups (Continuing Education, University Administration, Alumni Organisations, third-party Service Providers)
  • involve more topical/stakeholder/working groups (scalability), approach potential stakeholders early and give them a formal “seat” in a committee
  • continue work of Processes working group
  • address business side in continuing education

Next steps:

  • develop joint roadmap for AAI and Swiss edu-ID
  • elaborate communication concept
  • involve new stakeholders in Governance structures

Final Report of the Mobile App Support Working Group is available

The working group “Mobile App Support” has completed its final report.
The aims were to describe the requirements of institutions and users, discuss ideas for better mobile support, and evaluate existing solutions and options for pilot projects.

The report describes relevant mobile applications used/developed at the participating institutions, mentions possible benefits for mobile applications using Swiss edu-ID, identifies common mobile frameworks, lists general requirements and possible pilot candidates for Swiss edu-ID.

Support for mobile applications is a must, but not a high priority on the roadmap of the Swiss edu-ID project. Only a few applications could be identified as valuable pilots, since many of the mobile applications in use do not need authentication or have already implemented local authentication solutions.
Some institutions focus on web applications that can be AAI-enabled, given that resources and expertise for native application development may be limited.

The most promising idea for a pilot is a broker/authentication application that supports authentication for several mobile applications via Swiss edu-ID (comparable to social logins such as Twitter accounts being used by other applications to authenticate users). An authentication app could also be used to authenticate at the same time against a mobile application and its server part (e.g. the Moodle Mobile application and the Moodle web server).
Those options will be investigated further by the eduhub Special Interest Group Mobile Learning.

Final Report of the Processes Working Group is available

The working group “Processes” has completed its final report (public version).

The aims were to describe IdM related processes in detail, to describe interfaces and to identify pilot applications for the Swiss edu-ID.

Chapter 1: the working group (members from ETHZ, FHNW, UNIBAS, UNIBE, UNIFR, UNIGE, UNIL, UZH and ZB participated) and its goals.
Chapter 2: outcomes, such as IdM challenges, current institutional IdM environments, pilot options at institutions, expectations, requirements for Swiss edu-ID, risks, recommendations for the development, and legal framework implications.
Chapter 3: institutional reports (not publicly available; only distributed to members of the SWITCH community on request).

We can briefly summarize the outcome of the WG as follows:

  • Current systems at institutions are very robust but sometimes also heterogeneous.
    Every institutional system landscape is unique. What they have in common is the use of Active Directory (AD) and the Lightweight Directory Access Protocol (LDAP).
  • The following features should be implemented as soon as possible:
    • Interfaces/API for integration of Swiss edu-ID into existing local applications (e.g. Self-registration)
    • Verification of identity (support of different assurance/trust levels)
    • Identification of inactive users
    • Support attribution of access rights (with specific attributes -> basic roles)
    • Duplicate checks etc. to guarantee uniqueness of identity
    • Put legal framework and governance model (including audits) in place
      • Binding rules & process for changes of core attributes (such as name, based on role)
      • Validation rules (accepted and controlled)
      • Attribute history (time-stamps already implemented)
  • Pilot options have been detected for
    • self-registration processes (future students, guests, continuing education participants)
    • access to applications for former institutional members (e.g. e-portfolio, SWITCHdrive, career center or alumni organisation services)
    • additional verification of identities/use of trust levels (libraries)
    • pilot ideas for tests with Attribute Authorities within the new infrastructure and the handling of new attributes (e.g. diploma information, learning badges etc.) should also be developed further.

Call for Participation in Swiss edu-ID Working Groups

We invite members of Swiss Higher Education institutions, libraries and research institutions to participate in the project by contributing to one of these groups with their expertise and practical know-how:

  • Processes
  • Regulations
  • ORCID
  • Mobile App Support
  • Governance Model
  • Business Model

Description of working groups (member profiles, goals, workload, approach)

Please contact us by the end of August 2014 at the latest and let us know for which working group with an open call you would volunteer
(or propose a person with the necessary experience for one of the groups).

Next events with presentations of the Swiss edu-ID:

  • Aug. 13: AAI TechUpdate & Swiss edu-ID Introduction
  • Sept. 11: Project update at UNIL
  • Sept. 25: Project update at UNIBE