Leave a comment

One edu-ID – multiple roles

This is a core promise of the SWITCH edu-ID: An individual should be able to use one single digital identity to authenticate, while at the same time being able to choose the appropriate organisational role – or, using a more technical and precise term, the appropriate affiliation – in which to enter a service.

For members of organisations which have already adopted the SWITCH edu-ID, this concept has now arrived in the real SWITCH edu-ID world. The module called “affiliation chooser” is now executed right after authentication. It lets the user choose the appropriate affiliation, before consenting to attribute release and service access.

The affiliation chooser is intended as an intelligent replacement for the well-known discovery service (WAYF). The good thing about the affiliation chooser is that it knows when to show a choice at all. Unlike the WAYF, it only bothers the end user with its question when it really needs to. If e.g. the end user has only one affiliation, then there’s no real choice. Most edu-ID users have just one single affiliation to an organisation, if at all, which is then the one to present to the service. On the other hand, if the service allows only one affiliation, then again, this is the one to check against, even in the rare case when the user has more of them. In a more complex scenario, the affiliation chooser would actually do some set operation. The intersection of all affiliations the service is intended for, with all affiliations that an end user has, may actually contain zero, one, or more items:

  • If no affiliation remains, then the user, although correctly authenticated, cannot be admitted to the service, as none of his affiliations would fit. This check is now being done by the edu-ID IdP, before the user is sent to the service.
  • If there remains exactly one out of this intersection, then it’s the one to choose. No need to bother the end user with a choice if there’s just one item to choose from.
  • If multiple affiliations remain, then this is where the end user actually sees something. A dialog box similar to the one in figure 1 is shown, and the end user has to choose the affiliation – given by a certain set of attributes – to present to the service. Based on these attributes, the service can then assign the appropriate privileges and access rights.



Figure 1: The Affiliation Chooser

What’s in for the end user?

Once the organizations the users are affiliated with adopt the SWITCH edu-ID, the end users will see much fewer possible choices in the affiliation chooser than they currently see in the discovery service. At the point of writing this article, only SWITCH has adopted the SWITCH edu-ID, therefore this currently only applies to SWITCH staff members.

What’s in for the services?

When registering with the federation, services declare their “intended audience”, and thus give an upfront indication about which organizations users must have an affiliation with, in order to be allowed on the service. This indication is picked up by the affiliation chooser which then puts it into an intelligible form and thus helps in pre-filtering the users arriving at the service.

Certain services allow for “private identities”, i.e. without any affiliation to an organisation. In that case, the affiliation chooser flags this possibility separately. Figure 1 shows this as “Private Person” option.

Future services might be able to cope with more than just one affiliation at a time, as the “extended attribute model” in the Swiss edu-ID Architecture suggests. For such services, the affiliation chooser won’t be needed, as no affiliation would have to be chosen at that point.

Leave a comment

Swiss edu-ID Deployment: Next Steps

Project for Deployment Step 2 in 2018/19 submitted

Within this next project phase – once approved by swissuniversities – the first three universities will implement SWITCH edu-ID:

  • Université de Lausanne
  • Universität St. Gallen
  • Zürcher Hochschule für Angewandte Wissenschaften.

They’ve developed their individual integration plan during 2017 (Deployment Step 1). As the other four participating universities they have considerably contributed to elaborate and sharpen adoption scenarios for linking of new and current members and for managing affiliations.

Eleven universities will start implementation planning: Berner Fachhochschule, FernUni, Fachhochschule St. Gallen, Haute école spécialisée de Suisse occidentale, Hochschule Luzern, Hochschule für Technik und Wirtschaft Chur (HTW Chur), Pädagogische Hochschule Bern, Pädagogische Hochschule Schwyz (PHSZ), Université de Neuchâtel and Zürcher Hochschule der Künste.

Continue reading

Leave a comment

The Transition of a University to edu-ID

In 2017, seven universites have started planning their adoption of SWITCH edu-ID. Together with the edu-ID project team each university organized 2-4 workshops to elaborate an individual integration concept and to determine a time schedule for the transition.

It was no surprise to see that the IT landscape and identity management (IdM) processes of the universities are fairly different. Based on the workshops we were however able to identify and document a few major categories which may serve as source of ideas for other universities.

Continue reading

SWITCH adopts edu-ID

Wait!? We all know that SWITCH develops edu-ID – so what does adopting edu-ID mean?

It is true that SWITCH as the operator of the AAI federation develops edu-ID. On the other hand, the organization SWITCH with its IdP is also a SWITCHaai Home Organization in the AAI federation. In this post we will describe how the organization SWITCH integrated edu-ID, allowing it to turn off its own IdP.

Continue reading

Identity Management Evolution

What does it take for a university to adopt the SWITCH edu-ID? This is the question SWITCH and seven partners (EPFL, FHNW, UNIFR, UNIGE, UNIL, UNISG and ZHAW) are addressing in the project “Swiss edu-ID Deployment Step 1” as part of swissuniversities’ program «Scientific information». The project advanced nicely and would justify an article on its own. But let’s draw your attention to an interesting side product of this project: we learned how electronic identities are managed in our community – and how the approaches are evolving over time and why.

Continue reading

SWITCH edu-ID Now Speaks Italian

The user interface to create and manage a SWITCH edu-ID account was originally available in English. It was translated to French and German half a year ago.

We are happy to announce that the Italian translation of the user interface is ready and can be used as of today.

Together with the Italian user interface we have also translated and released the SWITCH edu-ID terms of use in French, German and Italian.

If you have comments or suggestions for translation enhancements please don’t hesitate to contact us.