The TLS protocol secures the communication between a user’s web browser and a server running a web application. The user recognises a secured communication by the lock visualised in the web browser or the https prefix in a link. The security protocols TLSv1.0 and TLSv1.1 are outdated and no longer rated as secure. Therefore, web server administrators should plan to properly protect their services by updating their web server configuration to require at least TLSv1.2. To apply this security improvement to SWITCHaai including SWITCH edu-ID, SWITCH announces the upgrade in two phases.
Right at the start of the year on 8 January 2020, the Zurich University of the Arts (ZHdK) switched over to SWITCH edu-ID.
Smooth changeover thanks to good preparation and a high ‘linking’ success rate
Technically, everything was threaded perfectly and the changeover of the IdP went off without a hitch. After initialization and planning in 2018, the work could be started at the beginning of 2019 with the development of the connector, followed by the setup of the linking service and the migration of the IdP. The fact that everything went so smoothly was partly due to the fact that a large number of users had linked their accounts in time for the migration:
The communication measures were very successful with all target groups.
These consisted of a post in the Rectorate newsletter, a poster at the helpdesk, multiple e-mails sent to people without a linked account (maximum of three follow-ups and a final e-mail to users of the three most frequently used services), a message in the Rectorate newsletter shortly before the changeover, and detailed instructions on how to create and link the edu-ID account. E-mails were sent to the different groups of people in astaggered manner. This meant that support before and after the changeover to SWITCH edu-ID was uncomplicated and that the work involved was predictable and manageable.
FHNW e-media offering for teachers uses Shared Attribute API
In principle open
Openness is one of the promises made by SWITCH edu-ID. In recent years, universities have increasingly opened up to additional user groups such as continuing education students or MOOC participants. Cooperation with external parties is becoming increasingly important overall, be it with other universities, research institutions or partners from the private sector. Academic institutions are expanding their offerings, and not every person who makes use of university services has to become an official member of the university.
But that’s why you let everyone in?
However, most service providers do not simply want to blindly trust a self-declared identity that users bring with them (i.e. a “naked” edu-ID).
There are many reasons why one wants to protect applications and content from unauthorized access, e.g. to prevent data theft or manipulation or to comply with data protection or license regulations. And if abuse has taken place despite all precautions, one wants to be able to find out who one can hold liable for damages. Of course, this can be difficult with unchecked identities, even if the majority of users behave correctly and have provided the correct personal data for their digital identity. So is this a reason not to trust edu-ID identities? Continue reading “NOT for university members only”
SWITCH invites you on Wed, 15 May 2019 to the 2nd Trust & Identity WG Meeting combined with the SWITCH edu-ID Update Event in Berne.
Registration is open until Tue, 7. May 2019 and required for logistical reasons.
Refer to the registration page for the draft agenda and schedule.
A longer section of the event is dedicated to SWITCH edu-ID. The heads of IT of University of Lucerne and Distance University will talk about their adoption experience.
Administrators of either an Identity Provider or Service Provider registered in SWITCHaai as well as the SWITCHpki registration authority operators and all persons involved in (future) planning and adoption of SWITCH edu-ID are invited to participate.
On 6 March 2019, Distance University became the second university to switch to SWITCH edu-ID for authentication and access to its services. Here is an extract from their experience:
IT as a driving force
The project was primarily carried out by the IT department – supported by Marketing. All information had to be written in German and French. Student managers, who act as the first contact persons for teachers and students, were trained in advance by IT.
It took about 1.5 years from the initial discussions with SWITCH to the completion of the project. Distance University IT spent in total one man-month developing and testing the technical implementation. In addition, project management and communication were particularly time-consuming.
A representative from a larger higher education organisation in Switzerland recently stated that they identify roughly 40 compromised user accounts on average per month. Extrapolating this number for all Swiss AAI users, this number would grow to more than 1’000 compromised accounts per month. Many of them are probably not even detected. Many of them probably belong to young students who may not always take proper care of their credentials. But every now and then, also staff members and professors learn about the nightmares of impersonation of their digital identity. So, how can edu-ID support SWITCHaai services to enhance authentication security? Continue reading “Two or More Factors for edu-ID”
As a child of the 80’s, of course I have seen the movie “Highlander”. In our “clone wars” (referencing Star Wars) against edu-ID duplicate accounts, I therefore remember the famous high lander quote “there can be only one”. Slightly adapted, this quote fits: “There can be only one edu-ID account per person”. Thanks to the automatic merging process described in this article, we now have the weapon in our hands to reach this goal.
To send a user automatically to a specific URL after registration or login
To make a user first provide a specific verified or unverified attribute (e.g. mobile number or home postal address) and then send him back to the service
Both of these example scenarios have been used for instance by the Swissbib service for several months. Swissbib users sometimes have to provide a verified mobile number and/or postal address before they get access to national license content, which – by agreement – should be only available to residents of Switzerland.
So, how can an AAI SP administrator customize the edu-ID processes to implement the above and more scenarios? All that is needed is to send the user on the right path, or rather to the right URL. For all those not wanting to get familiar with the technical details of how these URLs have to be composed to achieve a certain process change, we have created a useful tool that makes the URL generation very easy: The edu-ID Login Link Composer.
The edu-ID Login Link Composer consists of a form with several inputs that are used to generate a link which triggers the requested behaviour. The user then just has to be sent to the generated URL to start the process.
How to ensure that only staff members of my group in my organisation can access team documents via the web and only if they are connected via the organisation’s office network? And how to implement this without writing code? Thanks to Apache, Shibboleth and a SAML-based federation like SWITCHaai, these not so uncommon real life requirements are easy to implement. At least, once one has understood how user attributes can be used for access control. This blog entry demonstrates how to create such access control rules. Continue reading “Apache Access Control Reloaded”
Have you ever wanted to show the organisation name of an authenticated AAI user in the web application protected by a Shibboleth Service Provider? For example on an event registration web page in order to see from which organisations users registered or – like in the screenshot below – to show the authenticated user himself with which – of potentially many – AAI account he has logged in?
“Why isn’t it possible to easily identify all log messages belonging to particular user that authenticated at a Shibboleth Identity Provider?” This question was asked at the SWITCH Shibboleth Training in June 2015. Many other Shibboleth Identity Provider (IdP) administrators acknowledged they miss such a useful feature too. It would make debugging Shibboleth login issues easier since parallel user logins at the IdP result in many log entries that become a challenge to analyze. By default, the IdP does not provide enough log information to identify all related log entries for a particular login attempt.
The answer to this question is: This is possible! It’s in Shibboleth already and it’s easy to use but it is a bit hidden. There are two key ingredients needed to activate this.