Leave a comment

Sending Users on the Right Path

In a previous blog post we presented how AAI Service Provider (SP) administrators can customize the edu-ID registration and login pages individually for their service. However, an SP administrator can not only brand the edu-ID pages with a custom logo or custom text but he can also influence the process itself used when users register, login or when they complete their account data. Examples of such process modifications are:

  • To send a user automatically to a specific URL after registration or login
  • To make a user first provide a specific verified or unverified attribute (e.g. mobile number or home postal address) and then send him back to the service

Both of these example scenarios have been used for instance by the Swissbib service for several months. Swissbib users sometimes have to provide a verified mobile number and/or postal address before they get access to national license content, which – by agreement – should be only available to residents of Switzerland.

So, how can an AAI SP administrator customize the edu-ID processes to implement the above and more scenarios? All that is needed is to send the user on the right path, or rather to the right URL. For all those not wanting to get familiar with the technical details of how these URLs have to be composed to achieve a certain process change, we have created a useful tool that makes the URL generation very easy: The edu-ID Login Link Composer.

Screenshot edu-ID Login Link Composer

Screenshot of edu-ID Login Link Composer

The edu-ID Login Link Composer consists of a form with several inputs that are used to generate a link which triggers the requested behaviour. The user then just has to be sent  to the generated URL to start the process.

Try out the edu-ID Login Link Composer with your own AAI service.

Leave a comment

Identity Management Evolution

What does it take for a university to adopt the SWITCH edu-ID? This is the question SWITCH and seven partners (EPFL, FHNW, UNIFR, UNIGE, UNIL, UNISG and ZHAW) are addressing in the project “Swiss edu-ID Deployment Step 1” as part of swissuniversities’ program «Scientific information». The project advanced nicely and would justify an article on its own. But let’s draw your attention to an interesting side product of this project: we learned how electronic identities are managed in our community – and how the approaches are evolving over time and why.

Continue reading

Authentication for Windows services using SWITCH edu-ID?

Are you running a Microsoft Windows Service (e.g. Sharepoint) with non-public content connected to your organisational Active Directory (AD)? Do you want to make content available to specific external users, e.g. users with a SWITCH edu-ID? This article is for you.

While Windows Authentication remains based on Active Directory Servers, the gap between the Windows and the Shibboleth world has become bridgeable, thanks to new features in ADFS 2016.

Imagine yourself running some Microsoft Windows service such as a Sharepoint instance. You probably need to configure external authentication. This is, and always was, straightforward if you can attach Active Directory Servers to the Sharepoint instance. However, it used to turn out a bit more cumbersome if you wanted to base your external authentication on a non-Windows service like e.g. a Shibboleth IdP[1]. In short, supporting regular SWITCHaai was difficult for Windows services.

Thankfully, this has changed. ADFS 4.0, being a part of Windows Server 2016 has improved interoperability with SAML 2.0, which allows for use of a Shibboleth IdP when serving authentication requests from Windows services.

Peter M. Studer, one of the Identity Management (IdM) specialists at the University of Bern, has recently posted a blog (in German), which explains in detail how to deploy an ADFS server as a proxy to an IdP within SWITCHaai, in particular as a proxy to the SWITCH edu-ID IdP.

We find this step-by-step tutorial extremely helpful and will set up an appropriate proof of concept locally. This may be a first step towards integration of SWITCH edu-ID authentication for Windows services. If you are interested in learning more about the proof of concept, please contact us!

[1] IdP: Identity Provider

P.S.: There’s – at least – one more thing that has to be sorted out before such an idea can go into production: the metadata signature check. Any resource in a federation needs to properly link into the trust chain, something which is well prepared for resources based on Shibboleth software, but can be hard for others – yet.

SWITCH edu-ID Now Speaks Italian

The user interface to create and manage a SWITCH edu-ID account was originally available in English. It was translated to French and German half a year ago.

We are happy to announce that the Italian translation of the user interface is ready and can be used as of today.

Together with the Italian user interface we have also translated and released the SWITCH edu-ID terms of use in French, German and Italian.

If you have comments or suggestions for translation enhancements please don’t hesitate to contact us.

Consultation on draft of federal E-ID law

At its meeting on 22 February 2017, the Swiss Federal Council opened a consultation on legislation on electronic identification (E-ID law, see announcements: DE, FR, IT). The consultation ended 29 May 2017.

SWITCH participated in this consultation and confirms the importance of a well-functioning and generally accepted E-ID. The identity service SWITCH edu-ID/SWITCHaai could potentially benefit from such an E-ID legislation: either to start offering an E-ID function itself, or by consuming E-ID services. Such use cases – from SWITCH and from other parties – may become important drivers for the spread of E-ID beyond pure e-government applications and for the emergence of an general-purpose E-ID ecosystem.

After evaluating the proposed delivery model in the draft E-ID-law, SWITCH proposes its revision. To ensure swift implementation and to reduce risks and complexity, SWITCH urges that the proposed market model be abandoned in favour of an implementation by the Swiss Confederation itself or by mandating it to a third party.

If the market model is to be pursued nevertheless, SWITCH proposes the use of a multi-stakeholder expert group to resolve the many open questions arising from the draft. If this group can not achieve its objectives, the market model is to be abandoned once and for all in favour of the proposed government-driven implementation model for an E-ID.

You are invited to read the full answer of SWITCH to the consultation (in German): 20170529 Vernehmlassungsantwort SWITCH E-ID-Gesetzesentwurf.


Bye-bye Cloud ID – Welcome SWITCH edu-ID

About 27,000 people have got mailing from the SWITCH edu-ID team April 19:
Instead of their former Cloud ID account, SWITCH edu-ID would be used as from 1st May  2017 in order to access the services SWITCHdrive and SWITCHengines.

But how should the vast majority of those users, who did not already have a SWITCH edu-ID account, come to such an identity?

Changeover without effort for 98% of users

The usual way to generate a SWITCH edu-ID account is self-registration – this in line with the principle of user centrism. However, in this case the new accounts were generated automatically in order to spare users effort.
Users who have linked their SWITCH edu-ID account with their existing AAI account(s) have substantially facilitated proper account assignment and account aggregation during conversion. Continue reading

Swiss edu-ID Update Event 2017

Save the date: Thursday 29 June 2017

The focus is put this year on an update about the project Swiss edu-ID and the service SWITCH edu-ID, whose deployment starts in 2017.
Note that no SWITCHaai specific topics are foreseen.

The event will take place June 29 , 11:00 – 16:15, in Berne at UniS, Schanzeneckstrasse 1, room A-126.

Preliminary Programme:

11:00 – 12:00   SWITCH edu-ID for beginners (for people not already familiar with SWITCH edu-ID)

12:00 – 13:15   Arrival for afternoon participants and Lunch
(afternoon participants are warmly welcome to take lunch with us)

13:15 – 14:30   Pilots and current project status

14:30 – 14:55  Coffee break

14:55 – 16:15    Status Migration Strategies, roadmap and next steps

16:15                 End of event


Update 2016-06-01: Registration site with updated agenda