What does it take for a university to adopt the SWITCH edu-ID? This is the question SWITCH and seven partners (EPFL, FHNW, UNIFR, UNIGE, UNIL, UNISG and ZHAW) are addressing in the project “Swiss edu-ID Deployment Step 1” as part of swissuniversities’ program «Scientific information». The project advanced nicely and would justify an article on its own. But let’s draw your attention to an interesting side product of this project: we learned how electronic identities are managed in our community – and how the approaches are evolving over time and why.
Are you running a Microsoft Windows Service (e.g. Sharepoint) with non-public content connected to your organisational Active Directory (AD)? Do you want to make content available to specific external users, e.g. users with a SWITCH edu-ID? This article is for you.
While Windows Authentication remains based on Active Directory Servers, the gap between the Windows and the Shibboleth world has become bridgeable, thanks to new features in ADFS 2016.
Imagine yourself running some Microsoft Windows service such as a SharePoint instance. You probably need to configure external authentication. This is, and always was, straightforward if you can attach Active Directory Servers to the SharePoint instance. However, it used to be rather more cumbersome if you wanted to base your external authentication on a non-Windows service such as a Shibboleth IdP. In short, supporting regular SWITCHaai was difficult for Windows services.
Thankfully, this has changed. ADFS 4.0, part of Windows Server 2016, has improved SAML 2.0 interoperability, which allows a Shibboleth IdP to be used when serving authentication requests from Windows services.
Peter M. Studer, one of the Identity Management (IdM) specialists at the University of Bern, has recently posted a blog (in German), which explains in detail how to deploy an ADFS server as a proxy to an IdP within SWITCHaai, in particular as a proxy to the SWITCH edu-ID IdP.
We find this step-by-step tutorial extremely helpful and will set up an appropriate proof of concept locally. This may be a first step towards integration of SWITCH edu-ID authentication for Windows services. If you are interested in learning more about the proof of concept, please contact us!
 IdP: Identity Provider
P.S.: There’s – at least – one more thing that has to be sorted out before such an idea can go into production: the metadata signature check. Any resource in a federation needs to properly link into the trust chain, something that Shibboleth-based resources handle well, but which can still be hard for others.
The user interface to create and manage a SWITCH edu-ID account was originally available in English. It was translated to French and German half a year ago.
We are happy to announce that the Italian translation of the user interface is ready and can be used as of today.
If you have comments or suggestions for translation enhancements please don’t hesitate to contact us.
Last week, the number of services registered in the SWITCHaai federation crossed the 1’000 mark for the first time.
When Damiano Bianchi (Servizio informatico TI-EDU) of the Università della Svizzera italiana registered the ‘USI Library service’ (the 21st service of USI), this new service became the 1’000th SP available in the SWITCHaai federation.
It’s the first time in the history of SWITCHaai that we have reached this number of registered SPs. Due to old services getting deleted and new ones registered, the actual number of services slightly fluctuates. However, in general it has been steadily increasing since the production SWITCHaai service was launched 12 years ago in autumn 2005 (see the graph in the lower right corner in the growth picture below).
The SWITCHaai federation serves the higher education community in Switzerland and Liechtenstein: more than 99% of all students, staff members and researchers at universities, universities of applied sciences and teacher education universities have a SWITCHaai-enabled user account. With their account, they can access a wide variety of services. Users as well as service administrators benefit from not needing any service-specific user accounts!
In addition, more than 100’000 further users from about 20 university-related institutions also have user accounts that give them access via SWITCHaai.
At its meeting on 22 February 2017, the Swiss Federal Council opened a consultation on legislation on electronic identification (E-ID law, see announcements: DE, FR, IT). The consultation ended 29 May 2017.
SWITCH participated in this consultation and confirms the importance of a well-functioning and generally accepted E-ID. The identity service SWITCH edu-ID/SWITCHaai could potentially benefit from such E-ID legislation: either by offering an E-ID function itself, or by consuming E-ID services. Such use cases – from SWITCH and from other parties – may become important drivers for the spread of E-ID beyond pure e-government applications and for the emergence of a general-purpose E-ID ecosystem.
After evaluating the proposed delivery model in the draft E-ID-law, SWITCH proposes its revision. To ensure swift implementation and to reduce risks and complexity, SWITCH urges that the proposed market model be abandoned in favour of an implementation by the Swiss Confederation itself or by mandating it to a third party.
If the market model is to be pursued nevertheless, SWITCH proposes the use of a multi-stakeholder expert group to resolve the many open questions arising from the draft. If this group cannot achieve its objectives, the market model is to be abandoned once and for all in favour of the proposed government-driven implementation model for an E-ID.
You are invited to read the full answer of SWITCH to the consultation (in German): 20170529 Vernehmlassungsantwort SWITCH E-ID-Gesetzesentwurf.
About 27,000 people received a mailing from the SWITCH edu-ID team on 19 April:
From 1 May 2017, SWITCH edu-ID would replace their former Cloud ID account for accessing the services SWITCHdrive and SWITCHengines.
But how would the vast majority of these users, who did not yet have a SWITCH edu-ID account, obtain one?
Changeover without effort for 98% of users
The usual way to obtain a SWITCH edu-ID account is self-registration, in line with the principle of user centricity. In this case, however, the new accounts were generated automatically in order to spare users the effort.
Users who had linked their SWITCH edu-ID account with their existing AAI account(s) substantially facilitated correct account assignment and account aggregation during the conversion.
The “digital transformation” has strong effects on how individuals interact with each other through the use of services – and it adds some challenges to the service operator’s agenda. One such challenge is to deploy consistent identity management across all the devices the “digitally transformed” user may choose from.
For over a decade, SWITCHaai has been streamlining the user’s (and also the service operator’s) experience by offering a consistent identity management framework across a wide range of web-application services. SWITCH edu-ID extends this framework to reach beyond web applications and to integrate seamlessly with mobile apps as well.
The eduhub Special Interest Group SIG Mobile Learning will discuss this approach and contrast it with other approaches. Interested app developers and service providers are encouraged to register for the event by answering this Doodle poll by 19 April at the latest.