eID for Switzerland is on the road

Imagine you get a Swiss electronic identity. What should it look like? fedpol asked the Swiss edu-ID team to comment on its concept of a federal eID.

A starting point
In Sweden more than 50% of citizens already have an eID, an identity originally issued by the private sector (such as banks) and developed further towards a standardised identity assertion and a more federated approach. Meanwhile, in Switzerland the foundation for a federal electronic identity is now being laid by presenting an eID concept to the Federal Council and then starting the process of putting it into law.

As e-identities are already widely used in Switzerland and issued by several organisations (SuisseID, MobileID, Swiss edu-ID etc.), the Federal Office of Police (fedpol) started a consultation on the proposed eID concept in May 2015. SWITCH submitted its statement as one of 68 companies and institutions with expertise in identity management. The evaluation of the answers and the conclusions drawn from them are now available.


New SWITCH story: “Empowering Swiss research”

The Swiss edu-ID project is partly funded through the funding programme P-2 of swissuniversities. Roland Dietlicher, the programme manager of P-2, shares his views on the achievements and challenges of the programme in the latest SWITCH story. In doing so, he also covers the importance of the academic identity Swiss edu-ID to the success of the P-2 programme.

AAI & Swiss edu-ID Update Event

Thursday 13 August 2015, Berne

Would you like to know more about the current state of SWITCHaai, IdP clustering, MFA and eduGAIN, or about how Swiss edu-ID is progressing, its outcomes, next steps and the pilots under way?
Then we would like to invite you to this event, with an AAI Update in the morning (10:15 – 12:00)

  • SWITCHaai Status Update
  • IdP Clustering
  • Multi-factor Authentication and Shibboleth IdPv3
  • SP Reverse Proxy Server at ZHAW
  • How the SAMLtrace Firefox add-on can be useful
  • eduGAIN: An Opportunity for Research Collaborations
  • eduGAIN Access Check (also a topic of interest for SWITCHaai?)

followed by a Swiss edu-ID Update in the afternoon (13:15 – 16:15) to inform about and discuss

  • The future of AAI and Swiss edu-ID; Outlook to Swiss edu-ID 2.0
  • Results from the working groups and call for new working groups
  • Swiss edu-ID 1.0: Status
  • Pilot Projects Overview
  • Adoption of OAuth2, OpenID Connect in the Swiss edu-ID.

Details and registration

Business & Governance Model Reports

The final reports of the Business Model and Governance Model Working Groups are available

The Business Model Report describes the information and methods used for the business model, such as

  • general assumptions
  • IdM market analysis
  • identification of stakeholders
  • general quantity structures
  • description of the value proposition for different stakeholders
  • potential risks
  • outlining of financing options.

Recommendations for the Swiss edu-ID Business Model elaboration and refining:

  • New user groups: increasing the user base and the number of connected resources is fundamental to success (target: doubling the number of users within the next 3 years)
  • Costs: do not charge users. A cost-sharing model has to be agreed with the universities. Third-party service providers can help to finance the service.
  • Transition phase: as early and as short as possible in order to limit the costs of parallel operation
  • Roadmap: include information about the revenue streams that might shift over the three stages (1: operated in parallel to AAI; 2: AAI replaced; 3: access for additional external services)

Next steps:

  • develop adoption and co-innovation risk maps and a stakeholder risk matrix
  • define appropriate actions and assign to a person or group with a deadline to reduce identified risks
  • describe concrete financing options (including numbers)

The Governance Model Report describes

  • existing governance structure for SWITCH and SWITCHaai
  • new stakeholder groups that may become part of the governance structure
  • how those stakeholder groups could be involved.

Recommendations:

  • use the SWITCHaai governance model as far as possible and extend it to include new stakeholder groups (continuing education, university administration, alumni organisations, third-party service providers)
  • involve more topical/stakeholder/working groups (scalability), approach potential stakeholders early and give them a formal “seat” in a committee
  • continue work of Processes working group
  • address business side in continuing education

Next steps:

  • develop joint roadmap for AAI and Swiss edu-ID
  • elaborate communication concept
  • involve new stakeholders in Governance structures

Swiss edu-ID Phase 2 Approved

The Swiss edu-ID project management is happy to announce that the Phase 2 project has been approved by swissuniversities (CUS P-2 programme)! The corresponding proposal was submitted in February 2015.

Main goals of Phase 2 (Aug. 2015 – Dec. 2016) are:

  • successful operation of Swiss edu-ID v1.0 and its use cases from phase 1
  • implementation of the Swiss edu-ID v2.0 service with new features
    • connect the Swiss edu-ID platform to institutions (enabling of attribute exchange with Attribute Authorities operated by universities)
    • support for authentication protocols beyond SAML allowing access to non-web resources
  • continuation of community involvement (working groups, events)

Project Abstract

New national services being developed within the frame of the CUS P-2 project will in almost all cases require reliable identity and access management (IAM). The Swiss edu-ID addresses that need, by providing a comprehensive IAM service framework to all relevant players: universities, individuals and service providers.

SWITCHaai is a well-established IAM solution for the Swiss universities that places identity management under the responsibility of the participating universities and allows for effective resource sharing across organisational borders. However, this approach has several drawbacks:

  • University members with multiple roles or jobs are assigned multiple electronic identities, which need to be managed individually.
  • Individuals lose their electronic identity when they change role or affiliation and are unable to recover the same identity if it is needed at a later date.
  • Individuals collaborating with universities, but without a strong affiliation with one of those universities are not issued such an organisation-centric identity. Almost all resources need to manage this potentially large user group without SWITCHaai support.
  • The existing SWITCHaai service is not perceived to support mobile and other non-web environments adequately.

The Swiss edu-ID addresses those shortcomings. It does so by building on the very successful SWITCHaai, but changing and extending it in several ways. In the predecessor project “Swiss edu-ID” the basis for a successful continuation was laid by completing the Swiss edu-ID high-level architecture, by implementing Swiss edu-ID V0.5 with a new set of attributes, and by conducting a market overview of access management platforms. The first important change is delivered by the Swiss edu-ID v1.0 service:

  • All individuals collaborating with our community can get a Swiss edu-ID identity, regardless of whether a user is currently affiliated with an organisation in our community or not.

The project “Swiss edu-ID Phase II” described in this proposal will implement the Swiss edu-ID v2.0 service with these two additional features:

  • The Swiss edu-ID will carry up to date information about roles and affiliations within the academic community. This information will be provided by those member organisations themselves.
  • The Swiss edu-ID will support the most promising protocols for mobile integration.

Services wishing to use the functions offered by the Swiss edu-ID will receive consultancy from the project and access to the Swiss edu-ID service, and the project will seek ways to support use cases that need adaptations or extensions of the existing services. Specific integration work on the service side, however, is not within scope and should be provided by the respective service. Project management will evaluate requests for functional extensions within the governance structures.

Launch of the Swiss edu-ID for SWITCHportfolio

The e-portfolio service SWITCHportfolio is now officially supporting the Swiss edu-ID.

With the Swiss edu-ID a user can maintain a personal e-portfolio in SWITCHportfolio even without affiliation as student or staff at a university. This feature is particularly useful for students who have created an extensive e-portfolio during their studies and who are soon going to leave the university. By transferring their portfolio to the alumni-environment on SWITCHportfolio, users can continue to maintain it long after they have left the university.

For more information on how the transfer from a student-portfolio to an alumni-portfolio is best organized please contact the SWITCHportfolio service team.

Final Report of the Mobile App Support Working Group is available

The working group “Mobile App Support” has completed its final report.
The aims were to describe requirements of institutions/users, discuss ideas for better mobile support, evaluate existing solutions and options for pilot projects.

The report describes relevant mobile applications used/developed at the participating institutions, mentions possible benefits for mobile applications using Swiss edu-ID, identifies common mobile frameworks, lists general requirements and possible pilot candidates for Swiss edu-ID.

Support for mobile applications is a must, but not a high priority on the roadmap of the Swiss edu-ID project. Only a few applications could be identified as valuable pilots, since many of the mobile applications in use either do not need authentication or have already implemented a local authentication solution.
Some institutions focus on web applications that can be AAI-enabled, given that resources and expertise for native application development may be limited.

The most promising idea for a pilot is a broker/authentication application that handles authentication for several mobile applications via Swiss edu-ID (comparable to social logins, where e.g. a Twitter account is used by other applications to authenticate users). Such an authentication app could also authenticate a user at the same time against a mobile application and its server part (e.g. the Moodle Mobile app and the Moodle web server).
Those options will be investigated further by the eduhub Special Interest Group Mobile Learning.
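The broker-app idea above, where one native app obtains credentials on behalf of several others, is exactly the situation the OAuth 2.0 authorization-code flow with PKCE (RFC 7636) was designed for: a native app cannot keep a client secret, so the code is instead bound to the app instance that requested it. The following is an added example and not code from SWITCH, the working group or any pilot; the endpoint URL, client_id and redirect URI are placeholders, and the authorization server is a minimal stand-in that shows the checks the real one must perform.

```python
"""Added example (not Swiss edu-ID code): OAuth 2.0 authorization-code flow
with PKCE for a native/broker app. Both the app side and the authorization
server side are shown so the exchange can be run end to end offline.
Endpoint URL, client_id and redirect URI are placeholders (assumptions)."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- app side (the broker app) --------------------------------------------
def new_verifier() -> str:
    """High-entropy code_verifier: 32 random bytes -> 43 base64url chars."""
    return b64url(secrets.token_bytes(32))


def build_authorization_url(authz_endpoint, client_id, redirect_uri,
                            scope, state, verifier):
    """The URL the app opens in the system browser; only the S256 challenge
    travels over this channel, never the verifier itself."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authz_endpoint + "?" + urllib.parse.urlencode(params)


# ---- server side (minimal authorization server, for illustration) --------
class AuthorizationServer:
    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, challenge)

    def issue_code(self, client_id, redirect_uri, code_challenge, method):
        """Runs after the user has authenticated in the browser: the one-time
        code is stored together with the challenge it was issued for."""
        if method != "S256":
            raise ValueError("only S256 is accepted ('plain' offers no protection)")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def exchange_code(self, code, client_id, redirect_uri, code_verifier):
        """Token endpoint. The code is consumed on first use (replay fails),
        must match the client and redirect URI it was issued to, and the
        presented verifier must hash to the stored challenge."""
        entry = self._pending.pop(code, None)  # consume even on failure
        if entry is None:
            raise PermissionError("unknown or already used code")
        exp_client, exp_redirect, challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            raise PermissionError("code was issued to a different client")
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo():
    """Run the flow once honestly, then show a stolen-code replay and an
    exchange by a party that lacks the verifier both being rejected."""
    server = AuthorizationServer()
    client_id, redirect = "broker-app", "ch.example.broker:/oauth2redirect"  # placeholders
    verifier, state = new_verifier(), secrets.token_urlsafe(16)
    url = build_authorization_url("https://idp.example.org/oauth2/authorize",
                                  client_id, redirect, "openid profile", state, verifier)
    # The server sees the same parameters in the request it receives.
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    code = server.issue_code(q["client_id"], q["redirect_uri"],
                             q["code_challenge"], q["code_challenge_method"])
    # On the callback the app must first check that 'state' equals what it sent.
    results = {"state_echoed": q["state"] == state}
    token = server.exchange_code(code, client_id, redirect, verifier)
    results["token_issued"] = token["token_type"] == "Bearer"
    try:  # replay of an already consumed code
        server.exchange_code(code, client_id, redirect, verifier)
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    code2 = server.issue_code(client_id, redirect, s256_challenge(verifier), "S256")
    try:  # an interceptor holds the code but not the verifier
        server.exchange_code(code2, client_id, redirect, new_verifier())
        results["wrong_verifier_rejected"] = False
    except PermissionError:
        results["wrong_verifier_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point for a broker app is that the verifier never leaves the device, so an app that intercepts the redirect (a known risk with custom URL schemes on mobile platforms) gets a code it cannot redeem. The `state` check in the callback is separate from PKCE and guards the app against having a foreign code injected into its session.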

Link ORCID iD to Swiss edu-ID

Owners of a Swiss edu-ID can now link their ORCID iD (Open Researcher and Contributor ID) to their Swiss edu-ID profile. Go to your Swiss edu-ID profile and link your ORCID iD now.

The ORCID iD is imported into the Swiss edu-ID profile in a secure way, making sure that only the owner of the ORCID iD can import it and that the iD cannot be tampered with.

(Screenshot: “Linked identities” section of the Swiss edu-ID profile)

Individuals who do not yet have an ORCID iD can create one on the fly and link it to their Swiss edu-ID.

Once the ORCID iD is linked to a Swiss edu-ID account, it is available to services in the attribute eduPersonOrcid. This greatly helps services to include the ORCID iD in their business workflows and likewise enhances the benefit for scientific authors.

About ORCID: ORCID (Open Researcher and Contributor ID) is a non-proprietary identifier that uniquely identifies scientific and academic authors. It is operated by the non-profit organisation orcid.org. Individuals can include their ORCID identifier on their web page, in their publications, when they apply for grants, and in any research workflow to ensure they get credit for their work.
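On the consuming side, a service receives the linked iD as the SAML attribute eduPersonOrcid described above. The following is an added example, not code from SWITCH or the Swiss edu-ID project, of what a service provider should do with that attribute: locate it by its eduPerson OID name (assumed here to be the form the IdP releases), accept both the bare and the https://orcid.org/ URI form, and verify the ISO 7064 MOD 11-2 check character before storing the iD. The SAML attribute statement is constructed for the example; checking the assertion's signature is the SP software's job and happens before this code runs.

```python
"""Added example (not Swiss edu-ID code): consuming the eduPersonOrcid SAML
attribute on the service side. Assumptions: the attribute is released under
urn:oid:1.3.6.1.4.1.5923.1.1.1.16 and carries an https://orcid.org/... URI,
as the eduPerson schema specifies; the statement below is a constructed
sample. Only run this on an assertion whose signature the SP has verified:
the checksum catches transcription errors, not forgery."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EDUPERSON_ORCID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.16"

# Bare iD or orcid.org URI; the final check character may be 'X'.
ORCID_RE = re.compile(
    r"^(?:https?://orcid\.org/)?(\d{4})-(\d{4})-(\d{4})-(\d{3}[0-9X])$")

# Constructed sample AttributeStatement with a principal name and a linked ORCID iD.
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{EDUPERSON_ORCID}"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>https://orcid.org/0000-0002-1825-0097</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def orcid_check_character(base15: str) -> str:
    """ISO 7064 MOD 11-2 check character over the first 15 digits of an iD."""
    total = 0
    for d in base15:
        total = (total + int(d)) * 2
    result = (12 - total % 11) % 11
    return "X" if result == 10 else str(result)


def normalise_orcid(value: str):
    """Return the bare 0000-0000-0000-000X form, or None if the value is not
    syntactically an ORCID iD or its check character does not match."""
    m = ORCID_RE.match(value.strip())
    if not m:
        return None
    bare = "-".join(m.groups())
    if orcid_check_character(bare.replace("-", "")[:15]) != bare[-1]:
        return None
    return bare


def extract_orcid(attribute_statement_xml: str):
    """Pull the ORCID iD out of a SAML 2.0 AttributeStatement by attribute
    name, never by position. Returns the normalised iD or None."""
    root = ET.fromstring(attribute_statement_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != EDUPERSON_ORCID:
            continue
        for val in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
            orcid = normalise_orcid(val.text or "")
            if orcid:
                return orcid
    return None


if __name__ == "__main__":
    print(extract_orcid(SAMPLE_ATTRIBUTE_STATEMENT))
    print(normalise_orcid("0000-0002-1825-0098"))  # check character mismatch
```

Storing only the normalised form keeps lookups consistent whether an upstream system handed over the URI or the bare iD, and the check character rejects most copy-and-paste mistakes before an iD is attached to a publication record.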

See also Swiss edu-ID ORCID working group report.

Swiss edu-ID 1.0 Launch

SWITCH is happy to announce the start of the productive phase of Swiss edu-ID Version 1.0.
The user interface is available here and allows individuals to create their Swiss edu-ID identity from scratch or to build one based on a SWITCHaai account.

The Swiss edu-ID Identity Provider is ready for pilots and productive services that want to connect their resources.
This allows such services to open up to new groups of users, such as:

  • former university members no longer having an AAI account (–> services for Alumni)
  • guests without relationship to a Swiss Higher Education Institution (–> provision of WLAN access etc.)
  • regular users without strong relationship to a Swiss Higher Education Institution (–> national services open to a larger public)

The Swiss edu-ID IdP is part of the SWITCHaai federation and therefore rules of this framework apply.

Several pilot projects and resources are already foreseen to connect to Swiss edu-ID in 2015, but we also welcome other services that want to benefit from the potentially larger user base and the verified core attributes to discuss implementation options (contact swisseduid@switch.ch).

Final Report of the ORCID Working Group is Available

The first Swiss edu-ID working group has completed its report. The aims were to determine the relevance of the ORCID identifier for libraries, universities and publishers and to identify pilot applications for the Swiss edu-ID.

Chapter 1 summarizes the relevance of ORCID for the institutions who participated in the working group (ETHZ, MDPI, SNF, UniBE, UniGE, UZH, ZB) while chapter 2 describes ORCID in more detail and compares it with other relevant identifiers. Chapter 3 describes in detail the ORCID-related plans and thoughts of the participating institutions. Chapter 3 will not be publicly available and is only distributed to members of the SWITCH community on request.

We can briefly summarize the outcome of the WG as follows:

  • ORCID is perceived as a promising initiative with broad support from academic institutions, libraries and publishers worldwide
  • Only a small fraction of researchers and authors actively use their ORCIDs in publications, and it is estimated that ORCID will gain acceptance only slowly.
  • About one third of the WG participants’ institutions have concrete plans to use ORCID in their systems, about one third have made first steps, and the remaining third has no plans to use ORCID.
  • A verified ORCID attribute is estimated to be a valuable addition to the Swiss edu-ID attribute set.

The public version of the ORCID report is available for download in the documents section.

CUS P-2 Follow-up Project Submitted

Today, SWITCH has submitted a follow-up project (phase II) to the current Swiss edu-ID project, which runs until the end of July 2015. The aims of phase II are

  • successful operation of Swiss edu-ID v1.0 and its use cases from phase I
  • implementing the Swiss edu-ID v2.0 service with the main new features
    • connecting the Swiss edu-ID platform to institutions to enable attribute exchange
    • support for authentication protocols beyond SAML that allow for mobile integration
  • continue the successful involvement of the community in working groups and through information events

The project proposal is now under review at swissuniversities. A decision of the program committee is expected in July 2015.

Project Abstract

The abstract submitted with the proposal is identical to the one reproduced above in the post “Swiss edu-ID Phase 2 Approved”.

RFI Results

In November 2014 SWITCH carried out a Request for Information (RFI) to gain a market overview of IAM frameworks that match the requirements of the Swiss edu-ID project. A total of 11 companies handed in one or two solution proposals each. Five companies were invited in December 2014 to present their proposal in person.

The principal findings of the RFI are:

  1. The building blocks access management (AM) and identity management (IdM) have to be evaluated separately. It is advisable for the Swiss edu-ID project to first select the appropriate AM framework.
  2. For the AM framework the two most promising alternatives are
    • Build the Swiss edu-ID on the current (SWITCHaai) Shibboleth infrastructure and extend Shibboleth to support new AM protocols. On this natural evolution path it is easier to keep compatibility with SWITCHaai.
    • Build the Swiss edu-ID on the commercial open-source product ForgeRock. This is a disruptive approach that would allow taking advantage of a range of new functionalities of a new product.

The details of the RFI results are documented in the following reports, which can also be found in the documents section:

  • RFI procedure and results, by the Swiss edu-ID project team. This is the public version without details about the participating vendors and their products. A confidential full version is available to SWITCH community members on request.
  • Swiss edu-ID with Shibboleth: a comparison by Prof. Gerhard Hassenstein of Shibboleth and commercial AM solutions

The next steps are to pilot the two alternative AM approaches (Shibboleth vs. ForgeRock) and to choose one of them by summer 2015. Once the AM platform has been chosen, SWITCH plans to conduct an RFP for a complete IAM solution that includes both the AM and the IdM building blocks.

RFI Responses and Next Steps

We were positively surprised by the impressive number of responses to our RFI of November 2014.

  • A total of 11 vendors, integrators and producers have submitted a response to our RFI
  • A total of 9 products or product suites for identity and/or access management were presented in the RFI answers

During December we invited five vendors to present their solution to SWITCH and interested parties from the SWITCH community. A first observation: access management is clearly a hot topic for vendors, who have released many new products and updates recently. They follow different design philosophies and cover a vast range of IAM architectures. In most cases the vendors give access to their source code, although the licence is not always “pure” open source.

SWITCH will now summarize and evaluate all the collected information. The aim is to assess the presented solutions with respect to the requirements for the Swiss edu-ID. The findings will be published in January 2015.