New edu-ID Identity Model for OpenID Connect (RFC)

The future belongs to OpenID Connect. More and more services are drifting away from SAML as their authentication protocol, since it is no longer actively developed and lacks support for use cases such as mobile or single-page applications and OAuth 2.0. As you probably know, the Switch edu-ID has been supporting OpenID Connect (OIDC for short) for several years. Services can already use OIDC to authenticate users with the edu-ID and obtain the information they need about them to provide a good and seamless user experience, just as with SAML. However, you may also have noticed that the edu-ID OIDC support does not yet cover all the capabilities that SAML covers.


Hacking for Good

In July this year the edu-ID account management was reimplemented almost from scratch. Not only did the design change, but so did much of the technology behind it, including the programming framework. Because we take security and data privacy very seriously, we asked our colleagues from the Switch security team to perform a preliminary penetration test before the launch. This first penetration test gave us the confidence to release the new account management into the wild. But to be doubly sure, we decided to have an external company run a second penetration test after launch as well. And so we did.


Enforcing multi-factor authentication for university members

Until now, multi-factor authentication (MFA) for the login process could be required either by a service in the edu-ID federation or by the edu-ID user herself. Now edu-ID also allows universities to define rules for all of their users that enforce the use of MFA.


700’000 reasons to celebrate

Just in time for the yearly Trust and Identity Workgroup meeting, the 700’000 mark was passed in mid-May. To celebrate the 700’000th edu-ID user account, however, the trust and identity team had to wait a few more weeks, because several team members were on vacation at that time. But it’s never too late for cake 😀

We hope to celebrate 800’000 accounts with cake soon, when the University of Zurich, ETHZ, EPFL and other universities adopt edu-ID in the coming months.

SWITCH edu-ID continues to grow

Last week the 600’000th member of the Swiss academic community registered for a SWITCH edu-ID account.

SWITCH is pleased to see increasing adoption of this service: currently more than 1000 accounts are opened per day.

Of course, this fact was again a good reason for a short break at the SWITCH offices, with a tasty cake once more.

The project is finished – but we’re still on the ball!

When the national cooperation project “Swiss edu-ID” – supported by swissuniversities – started in 2014, it was clear that it would not be a walk in the park. Replacing a system like SWITCHaai, which has been running very well for more than a decade, is not easy. Universities have to be convinced of the new solution – both in terms of technology and benefits – and also need enough time and resources to implement it.

With the Swiss edu-ID project, a major conceptual change from a decentralized authentication infrastructure to a centralized one was planned. This creates stronger dependencies, so a stable basis of trust and smooth operation were important prerequisites. In parallel with the universities’ efforts, SWITCH therefore continued to expand the service and took measures to ensure performance and fail-safety.


User-centricity is the right way to go

Pierre Deshayes, team leader and expert engineer “Infrastructures and Systems” at the University of Geneva, explained at the SWITCH edu-ID update event (slides) how the change from AAI to SWITCH edu-ID took place.
Here is a summary:

A special IdP setting at University of Geneva

“Since February 25, 2021, the approximately 36,000 members of the University of Geneva have been able to use SWITCH edu-ID for all federated web services. The situation turned out to be somewhat more complex in Geneva than at other universities, because nowhere else was the local Shibboleth IdP used as extensively as here: All authentication – external and internal – went through this one identity provider. With the use of SWITCH edu-ID’s central IdP, this type of single sign-on was no longer possible. It was therefore necessary to weigh up the advantages and disadvantages and ensure that operation with external authentication would continue to function smoothly and in compliance with data protection requirements. Various questions led to answers, which SWITCH was able to make available to other universities in the form of legal FAQs.

Convincing advantages

In the end, the following points tipped the scales in favor of the migration: The possibility of standardizing the registration process in the medium term and the user-centric approach of SWITCH edu-ID, which allows lifelong use of services from different universities with one account.


SPNEGO (Kerberos) authentication with SWITCH edu-ID

Back in 2016, Daniel Lutz showed how the Shibboleth IdP can offer a real SSO feeling by reusing an already existing authentication token on domain-joined Windows clients. SWITCH has now extended this concept in order to offer it to all organisations that have migrated to the SWITCH edu-ID.


Looking back and forward (follow-up discussion)

As in 2020, we organized the TRID WG meeting and SWITCH edu-ID update event as an online meeting because of the COVID restrictions.
Nevertheless, around 70 members from different organisations decided to participate, which of course makes us very happy.
Highlights were the guest contributions by Pierre Deshayes about the migration experiences at the University of Geneva and by Manne Miettinen about the edu-ID initiatives in Finland. You can find the corresponding slides here.

Follow-Up Discussions

Many questions were asked, ideas were proposed and there was a lively exchange, which we would now like to deepen in follow-up discussions.
The first of these meetings will be held on June 23, 16:00-16:45. There we will be happy to discuss “Authentication Methods: New methods? Parameter tuning” – the topic rated as the most important at the event.
If you would like to participate, please register here.

We will communicate further follow-up discussion topics and meeting dates via this mailing-list and our website.

Which e-ID does Switzerland need?

On 7 March, Switzerland rejected proposed legislation to establish an e-ID.
As a neutral and independent foundation for Swiss universities, SWITCH has over 20 years’ experience in the field of electronic identities and participated in the process of designing the e-ID. We interviewed Christoph Graf, Programme Manager of SWITCH edu-ID, about the next steps in introducing an e-ID in Switzerland and the role SWITCH can play in this process.

Three phase adoption at UNIL

Christopher Greiner, service coordinator, UNIL IT:

It has been two months since our move to edu-ID; here is a recap of our trials and tribulations in switching identity provider.

The University of Lausanne (UNIL) successfully migrated to SWITCH edu-ID on the 10th of February 2021.

We had been preparing for this migration for quite a long time: we first heard about the Swiss edu-ID project back in early 2014. Our university had been one of the early adopters of SWITCH AAI, and quite a heavy user of the service, so we were very interested in hearing what SWITCH had in store for the future of this digital identity; we decided to take part in the workshops organised by SWITCH, thinking that the earlier we were involved, the easier it would be for us to find solutions specific to our university’s needs.

Figure 1: Poster for the edu-ID migration


Trust & Identity WG Meeting / SWITCH edu-ID Update Event 2021

SWITCH invites you on Wed, 26 May 2021
to the 4th Trust & Identity WG Meeting combined with the SWITCH edu-ID Update Event (online).

Registration is open until Friday, 21 May 2020.
There you will also find the preliminary agenda and meeting topics.
We are looking forward to the contributions of our colleagues from Geneva and Finland.

Details (links etc.) will be provided three days in advance to registered participants.

The event is aimed at the following target groups:

  • IdP and SP Administrators
  • Home Org Administrators
  • RRA & Attribute Policy Administrators
  • IdP hosting customers and
  • IT staff with interest in authentication and authorization

for both Swiss universities that still use SWITCHaai and those that have already switched over to SWITCH edu-ID.

What’s the SWITCH Trust & Identity WG?
The SWITCH Trust & Identity WG comprises representatives of all

in the Education, Research & Innovation (ERI) Community.

This group is informally involved in the further development of SWITCHaai/edu-ID and SWITCHpki and has the opportunity to provide feedback when questions arise or changes are upcoming.