SWITCH Identity Blog

The Identity Blog puts the spotlight on identity management, digital identities, identifiers, attributes, authentication and access management.



Ensure secure SWITCHaai login: Turning off outdated security protocols

TLS secures the communication between a user’s web browser and the server running a web application. Users recognise a secured connection by the padlock icon shown in the browser or by the https prefix in a link.
The protocol versions TLSv1.0 and TLSv1.1 are outdated and no longer rated as secure. Web server administrators should therefore plan to protect their services properly by updating their web server configuration to require at least TLSv1.2.
To apply this security improvement to SWITCHaai including SWITCH edu-ID, SWITCH announces the upgrade in two phases.
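A small audit helper for the configuration change the post asks administrators to make. This is an added example, not code from SWITCH or the post: it expands an Apache `SSLProtocol` or nginx `ssl_protocols` directive into the set of enabled versions and flags any that are below TLSv1.2, on constructed sample lines showing the weak setting beside its corrected form. It assumes Apache 2.4 semantics for the `all` keyword.

```python
import re

# Versions the post classifies as outdated (plus the SSL versions retired earlier).
OUTDATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What Apache 2.4's 'all' keyword expands to (assumption: OpenSSL built with SSLv3).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def apache_protocols(value: str) -> set:
    """Expand an Apache 'SSLProtocol' argument into the enabled version set.
    Tokens are applied left to right: 'all' or a version name adds ('+' optional),
    a '-' prefix removes. Simplified: bare names mixed with +/- are treated as adds."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        versions = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled - versions if sign == "-" else enabled | versions
    return enabled


def nginx_protocols(value: str) -> set:
    """nginx 'ssl_protocols' is a plain list of the versions to enable."""
    return set(value.rstrip(";").split())


def audit_config(config: str) -> list:
    """Scan config text for protocol directives; return one finding per directive."""
    findings = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(SSLProtocol|ssl_protocols)\s+(.+)$", line)
        if not m:
            continue
        directive, value = m.groups()
        enabled = apache_protocols(value) if directive == "SSLProtocol" else nginx_protocols(value)
        findings.append({
            "directive": line,
            "enabled": sorted(enabled),
            "outdated": sorted(enabled & OUTDATED),
            # ok = nothing outdated enabled AND at least one modern version enabled
            "ok": not (enabled & OUTDATED) and bool(enabled & {"TLSv1.2", "TLSv1.3"}),
        })
    return findings


# Constructed sample fragments: each weak setting beside its corrected form.
SAMPLE_CONFIG = """
SSLProtocol all -SSLv3                 # weak: still allows TLSv1 and TLSv1.1
SSLProtocol -all +TLSv1.2 +TLSv1.3     # corrected: TLSv1.2 minimum
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # weak nginx equivalent
ssl_protocols TLSv1.2 TLSv1.3;         # corrected nginx equivalent
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("OK  " if f["ok"] else "WEAK", f["directive"], "outdated:", f["outdated"])
```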




TRID WG Meeting & SWITCH edu-ID Update Event: Look back and forth

This was the first time we could not meet in person in Berne. It was nevertheless a very inspiring occasion to come together via SWITCHinteract on May 20.
Around 50 members of universities and related organisations participated in this three-hour online meeting, which had a very dense programme illuminating various aspects of SWITCH edu-ID.

Our first keynote speaker, Stéphane Recrosio (UNIFR), provided insights into the adoption of SWITCH edu-ID at the University of Fribourg: planning, communication, support, and the do’s and don’ts drawn from the experience gained.

While the second keynote speaker, Maarten Kremers (SURFnet), talked about the implementation of eduID in the Netherlands, it became obvious that the similarities to SWITCH edu-ID are probably not purely coincidental.

Besides those two presentations, many topics could only be touched upon briefly because of the shortened programme: SLSP status, Kerberos/SPNEGO, Office 365, technical accounts, duplicate handling, re-use of email addresses, small organisations, service description, eduroam.ch, the edu-ID roadmap, and AAI and PKI news.
The complete presentations are available here.

The current list of universities adopting SWITCH edu-ID is published on the SWITCH edu-ID website. Only 4 time slots are still available in 2020.

We hope to see you again in person in Berne at the next Trust & Identity Working Group Meeting and SWITCH edu-ID Update Event on May 19 May 26 2021 – please save the date!



Update to the TRID WG Meeting / SWITCH edu-ID Update Event 2020

The Trust & Identity WG Meeting combined with the SWITCH edu-ID Update Event on Wed 20 May 2020

Registration is open until Friday, 8 May 2020 and mandatory (only registered users and accepted guests may enter the meeting room).

The event is aimed at the following target groups: IdP and SP administrators, Home Org administrators, RRA & Attribute Policy administrators, IdP hosting customers, and IT staff with an interest in Microsoft / Office 365, for both Swiss universities that still use SWITCHaai and those that have already switched over to SWITCH edu-ID.


What’s the SWITCH Trust & Identity WG?
The SWITCH Trust & Identity WG comprises representatives of all SWITCHaai Participants and SWITCHpki Participants in the SWITCH Community and the Extended SWITCH Community.
This group is informally involved in the further development of SWITCHaai/edu-ID and SWITCHpki and has the opportunity to provide feedback when questions arise or changes are upcoming.


Trust & Identity WG Meeting / SWITCH edu-ID Update Event 2020

SWITCH invites you on Wed, 20 May 2020 to the 3rd Trust & Identity WG Meeting, combined with the SWITCH edu-ID Update Event, in Berne – or, if the current situation persists, online instead.

Registration is open until Friday, 8 May 2020 and required for logistical reasons.
Refer to the registration page for the preliminary schedule and meeting topics.

If the event takes place in person, the programme is planned to run from 10:15 to 15:40.
If the event must take place online, we will shorten the programme and run from 9:00 to 12:00, including a break.





Trust & Identity WG Meeting / SWITCH edu-ID Update Event 2019

SWITCH invites you on Wed, 15 May 2019 to the 2nd Trust & Identity WG Meeting, combined with the SWITCH edu-ID Update Event, in Berne.

Registration is open until Tue, 7 May 2019 and is required for logistical reasons.
Refer to the registration page for the draft agenda and schedule.

A longer section of the event is dedicated to SWITCH edu-ID. The heads of IT of the University of Lucerne and the Distance University will talk about their adoption experience.

Administrators of either an Identity Provider or Service Provider registered in SWITCHaai as well as the SWITCHpki registration authority operators and all persons involved in (future) planning and adoption of SWITCH edu-ID are invited to participate.




E-ID law: SWITCH contributing to parliamentary hearing

At its meeting on 1 June 2018, the Federal Council adopted a dispatch to Parliament containing a draft for an E-ID law (see corresponding press release in DE, FR and IT; for follow-ups see “18.049 Business of the Federal Council”).

The National Council’s legal commission now handles the business. On 15 November 2018, it held a hearing with representatives of industry, public corporations, potential providers of E-ID solutions and interested parties from civil society. As a potential provider, SWITCH was able to take part in this hearing.

This draft E-ID law largely follows the preliminary draft put out for consultation last year (press release with link to the consultation report at the page bottom). It therefore comes as no surprise that the position SWITCH expressed on the preliminary draft also applies to the new draft law – including the criticism voiced therein.


The SWITCH identity federation – a look beyond its borders

The SWITCH identity federation was conceived almost two decades ago. The SWITCHaai service, which implements its concepts, has been in operation for over a decade. Today, the SWITCH edu-ID service is in the initial stages of becoming its successor, and it still follows the same model: it remains the identity federation of the Swiss academic community. That is reason enough to address two rather fundamental questions:

  1. Are national identity federations still the right approach to satisfy the needs of the academic community – a community with increasing international collaboration?
  2. Will emerging e-ID services, or services like SwissID, eventually replace the SWITCH identity federation?

Both questions challenge the remit of the current solution, which is national and academic. But they differ in perspective: the first questions the national remit, the second the academic-only context.


Trust & Identity WG Meeting: Register now

SWITCH invites you on Wed, 14 March 2018 to the 1st Trust & Identity WG Meeting in Berne.

This event is intended for administrators of an Identity Provider or Service Provider registered in SWITCHaai, as well as for SWITCHpki registration authority operators. Participants will gain more insight into the technical details that support the seamless adoption of the SWITCH edu-ID service.



Identity Management Evolution

What does it take for a university to adopt the SWITCH edu-ID? This is the question SWITCH and seven partners (EPFL, FHNW, UNIFR, UNIGE, UNIL, UNISG and ZHAW) are addressing in the project “Swiss edu-ID Deployment Step 1” as part of swissuniversities’ program «Scientific information». The project advanced nicely and would justify an article on its own. But let’s draw your attention to an interesting side product of this project: we learned how electronic identities are managed in our community – and how the approaches are evolving over time and why.



Consultation on draft of federal E-ID law

At its meeting on 22 February 2017, the Swiss Federal Council opened a consultation on legislation on electronic identification (E-ID law, see announcements: DE, FR, IT). The consultation ended 29 May 2017.

SWITCH participated in this consultation and confirms the importance of a well-functioning and generally accepted E-ID. The identity service SWITCH edu-ID/SWITCHaai could potentially benefit from such E-ID legislation: either by offering an E-ID function itself, or by consuming E-ID services. Such use cases – from SWITCH and from other parties – may become important drivers for the spread of E-ID beyond pure e-government applications and for the emergence of a general-purpose E-ID ecosystem.

After evaluating the delivery model proposed in the draft E-ID law, SWITCH proposes its revision. To ensure swift implementation and to reduce risks and complexity, SWITCH urges that the proposed market model be abandoned in favour of an implementation by the Swiss Confederation itself or by a third party mandated by it.

If the market model is nevertheless pursued, SWITCH proposes a multi-stakeholder expert group to resolve the many open questions arising from the draft. If this group cannot achieve its objectives, the market model is to be abandoned once and for all in favour of the proposed government-driven implementation model for an E-ID.

You are invited to read the full answer of SWITCH to the consultation (in German): 20170529 Vernehmlassungsantwort SWITCH E-ID-Gesetzesentwurf.



Swiss edu-ID Update Event 2017

Save the date: Thursday 29 June 2017

The focus is put this year on an update about the project Swiss edu-ID and the service SWITCH edu-ID, whose deployment starts in 2017.
Note that no SWITCHaai specific topics are foreseen.

The event will take place on June 29, 11:00 – 16:15, in Berne at UniS, Schanzeneckstrasse 1, room A-126.

Preliminary Programme:

11:00 – 12:00   SWITCH edu-ID for beginners (for people not already familiar with SWITCH edu-ID)
12:00 – 13:15   Arrival of afternoon participants and lunch (afternoon participants are warmly welcome to join us for lunch)
13:15 – 14:30   Pilots and current project status
14:30 – 14:55   Coffee break
14:55 – 16:15   Status of migration strategies, roadmap and next steps
16:15           End of event


Update 2016-06-01: Registration site with updated agenda


Real SSO feeling through the SPNEGO/Kerberos Login Flow for the Shibboleth Identity Provider v3

Windows users can now extend their SSO experience to the SWITCHaai login page, provided their client is a member of a Windows domain. They no longer need to re-enter the username and password they already entered to log in to the Windows desktop. Kerberos-enabled non-Windows clients such as Linux or macOS can benefit from this enhanced SSO, too.

The Shibboleth Identity Provider (IdP) achieves this through SPNEGO-based Kerberos authentication (i.e. password-less web authentication via Kerberos). While version 2 of the Shibboleth IdP supported this through an extension, the Shibboleth IdP version 3 provides built-in support through the SPNEGO/Kerberos Login Flow authentication mechanism.

The SPNEGO/Kerberos Login Flow module was developed jointly by SWITCH and the Fachhochschule Nordwestschweiz (FHNW). Because the FHNW had already developed the extension for IdP v2, they brought their existing experience into the project to re-implement the same functionality for IdP v3. Eventually, the SPNEGO/Kerberos Login Flow became an integral part of Shibboleth Identity Provider version 3.2.0 in November 2015 and has been available since then.

The SPNEGO/Kerberos Login Flow has been running successfully on the IdPs of the Fachhochschule Nordwestschweiz and the Pädagogische Hochschule Bern since these IdPs were migrated to IdP v3.

To use the SPNEGO-based authentication, the following prerequisites must be fulfilled:

  • A Kerberos infrastructure must be available (e.g. a Windows domain).
  • The IdP server must be registered as a Kerberos service at the Kerberos Key Distribution Center (KDC).
  • Kerberos client software must be installed on the IdP server.
  • The Shibboleth Identity Provider software must be configured accordingly.
  • The web browsers on the clients require specific configuration to use this authentication method.

Organisations interested in using SPNEGO-based authentication on their own IdP can find comprehensive documentation in the Shibboleth Wiki: SPNEGO/Kerberos Login Flow

SPNEGO-based authentication is also offered as an option to the Identity Provider Hosting service provided by SWITCH.


SWITCHaai Transition to Shibboleth Identity Provider v3 is 80% complete

Back in May 2015, the Shibboleth Consortium announced July 31st 2016 as the end-of-life date for the IdPv2 code base. The redesigned IdPv3.1.1 has been available since March 2015. One month later, SWITCH announced the initial version of the SWITCHaai-specific IdPv3 installation guide. In June and September 2015, SWITCH offered well-attended IdP training courses [4] on how to configure IdPv3. Since then, the number of IdPv3 installations has gradually increased to the 80% level it reached at the beginning of the autumn semester 2016.
