For more than 15 years, the SWITCHaai federation was entirely based on the SAML protocol. SWITCH is happy to announce that as of March 1st 2021 the edu-ID identity provider (IdP) officially also supports OpenID Connect.
Sarah Frederickx, Head of Digital Learning Center at Hochschule für Heilpädagogik Zürich HfH (University of Teacher Education in Special Needs Education)
In November 2019, we talked about SWITCH edu-ID seriously for the first time. We planned to work out the changeover in 2020 and so as to actually switch over in 2021. Naturally, it didn’t go as planned. After a thorough analysis of our systems and a definition of our roadmap (two phases) at the beginning of 2020, everybody forgot about the edu-ID implementation project because of the lockdown in March. In May, though, the pressure of the new library system swisscovery, which requires a SWITCH edu-ID account, grew stronger, and we decided to attack our first phase.
The lowest complexity level
Our first phase only had the one goal: changeover to edu-ID. Nothing else! No changes in processes, no changes in our systems. Nothing complex. So, we implemented a linking service and the affiliation administration with our partner who hosts all our students’ mailboxes. Easy-peasy.
Everything went very smoothly in November 2020. Thank you, SWITCH, for all the help, discussions, templates, checklists, and so much more. Thank you, exigo, for the professional and smooth technical implementation.
We had sent an info mail 10 days before the change and a reminder two days before the changeover. Brace yourself after you send out the reminder! The support cases then rose until very shortly after the change. But after a few cases, we had standard email texts for seven different problem cases that almost covered it all. By now, a few months later, 87% of our users have linked their SWITCH edu-ID account to HfH.
We still have lots to do to streamline our processes and make user management better and easier. But before that, we’ll do our second phase, and we’ll do just that.
Our second phase is the change from ‘Linking after admission’ to ‘Linking at registration’. New students will (have to) have an edu-ID before we enter them into our systems. Everything else will come later. With only few resources, we break things down and proceed one step at a time.
In December and January two new features were silently introduced for edu-ID organisation administrators. One provides graphical statistics and one allows restricting technical accounts to certain services. This blog post provides a short overview on what is new.Continue reading “Graphical Statistics and Service Restriction Features”
Like described in the blog post Sending Users on the Right Path, it sometimes is in everybody’s interest to guide end-users on a certain path to achieve a goal. Such helpful nudges are also used during account creation when end-users choose how to create their SWITCH edu-ID account.Continue reading “The Right Way to Create an Account”
Dominik Hofer, Stefan Keller, Andreas Scheppele (KOGIT GmbH), Xiang Wang, Erwin Wendelspiess, Jan Stucki, Thomas Mundschin
“For the University of Basel (UNIBAS), the changeover to SWITCH edu-ID went smoothly. The project was a success, because everything was well prepared from a technical point of view and it did not cause any big issues with regard to communication and user feedback.
Successful projects often remain “under the radar”. The management sometimes hardly notice projects, when everything is running smoothly. This is our motivation to write this short success story:
Today, with the going live of SLSP we have seen quite a few thousands SWITCH edu-ID accounts being created. This amount was considerably more than we have seen in the past. While the SWITCH edu-ID infrastructure kept working for those who had created their account already before, some users who created their account today before noon, had to wait a couple of minutes until their account was ready to be used to log into swisscovery.
We apologise for this inconvenience and ask our customers to try again.
Starting from around 12:10 today, operation goes smoothly again, meaning that newly created accounts can be used for login right away.
Here’s a couple of pictures to show what actually happened:
We thank our customers for their patience within this period of time. In case someone created more than one account – while assuming that a second one might work better – we strongly recommend to merge these two accounts back again.
Do you have question? Please contact us at email@example.com
With the University of Teacher Education Zug, the second PH switched to SWITCH edu-ID on 7 October 2020.
Abdel Benhauresch (head of the ICT PH Zug), can you tell us a little bit about how the adoption of SWITCH edu-ID took place and what further objectives the PH Zug is pursuing after the successful changeover?
“We are a relatively small university with a core of about 800 users and about three times as many people who attend our continuing education courses.
Accordingly, our IT is small and efficiently structured. Projects have to be well planned and implemented in stages.
The preparations for the adoption of SWITCH edu-ID started two years ago. At first it was unclear when the new Campus Management System (CMS) would go live. Finally, we decided to switch to edu-ID first and to use the new system not before 2021. This means that we will then have to check the interaction of edu-ID with the new CMS.
For the linking process we decided to use a function in Microsoft Azure, because all our users use an Azure Active Directory account (AAD) to authenticate.
In SWITCH edu-ID the e-mail addresses play a crucial role not only for communication with an edu-ID user but also for authentication. Every e-mail address associated to an edu-ID account also serves as login name. An e-mail address can also be used to reset the password of an edu-ID account. And unless Two-Step login is activated, this would be sufficient to gain control of an account.
Unfortunately, many e-mail addresses don’t belong permanently to the same person. When a student finishes her studies, she will loose her university e-mail address after some time. When a staff member changes jobs, he won’t keep his company e-mail address either.
In case of popular names, some organisations re-assign e-mail addresses to persons with the same name, hopefully only after a long grace-period. If such a “recycled” e-mail address is still associated to a user account of the original holder of this address in a system like SWITCH edu-ID, this might cause severe security problems.
Therefore, SWITCH edu-ID has some automated mechanisms to detect, remove, replace and inform about e-mail addresses that no longer work. How do these processes work?
On August 19, 2020, the Berne University of Teacher Education (PHBern) switched over to SWITCH edu-ID, thus filling the dozen:
More than 8000 students and employees of the PHBern now have an edu-ID account and can use it to access services of their own PH as well as those of other Swiss universities which are open to members of PHBern.
Ulrich Weisenseel, head Services Informatik PHBern, about the planning and adoption:
“When the first planning steps were taken in 2018, the analyses showed that PHBern users accessed more than 100 services via AAI accounts. A picture that looks similar at many universities. University members usually access 10 to 20 times more external than internal services, with the number of logins naturally being highest for the most prominent services such as a university’s own Learning Management System. At PHBern, ILIAS and the intranet “My PHBern” swing out at the top in terms of access numbers.
Two and a half weeks before the semester start, a message went through the SWITCH internal chat saying that the 250’000th SWITCH edu-ID account had just been created! We actually assumed that this would happen only a few weeks later. However, apparently many new students from universities that have already adopted the SWITCH edu-ID, recently created their proper edu-ID account. This went so smooth that we didn’t even notice it, at least not from the number of tickets in our end user support queue, which showed only a minimal increase.
But this was not the only record to celebrate. On the second day of the new semester, 1594 new accounts were created within 24 hours. This number is 40% higher than the old record from exactly one year ago.
We have indeed been very busy in these last weeks increasing the scalability of the SWITCH edu-ID service and its components. The most important component is the IdP, as it has to be up and running 24×7, regardless of the load that the end users bring when logging in to their services. I’m very happy and relieved that this service could be put behind a load balancer, and that it received a twin worker node to start with. More such worker nodes can from now on easily be added if necessary. With this scalability increase, our infrastructure was able to stand the load increase that came along with the semester start, see the figure:
We are hoping that our service will continue to run so smoothly and we will do whatever is necessary in order to keep up with the increasing demands of our user.
Monday, August the 3rd, 2020: The day starts with a big bang. Early in the morning, the engineers at SWITCH “flip the switch” (pun intended) and Berner Fachhochschule (BFH) has gone edu-ID.
Significant changes are tough
Well, to be honest, it is probably more a loud pop than the proverbial start of the universe. Still, it is a change that affects pretty much everyone in our organization. For a long time, almost all publicly accessible non-Microsoft resources have used SWITCHaai as the method of choice for authentication. Among these is our own Moodle server – today an essential service for all courses. No access to Moodle does not necessarily mean classes would shut down, but it would undoubtedly be a lot harder.
Accordingly, we selected August for the switch on purpose. Although the bachelor/master semester start is a few weeks off, research and continuing education courses take place. However, since it is a bit quieter than other times of the year, this gives us at IT-Services the necessary time to implement significant changes.
Continue reading “BFH goes edu-ID”
End of June 2020 PH Zurich has adopted SWITCH edu-ID.
“With regard to the future library system solution SLSP, PH Zurich has decided to push the changeover from SWITCHaai to SWITCH edu-ID.
After the first technical workshop with SWITCH, it soon became clear that we would opt for a loose integration of edu-ID (linking after admission scenario) and that this would mean an easily manageable effort for us to implement the necessary changes.
A central identity management system was already in place at PH Zurich and it was only a matter of
- connecting the affected edu-ID identifiers with the account information of the PH Zurich and to
- extend some processes.
However, there was a challenge that we did not see from the beginning: In order to ensure compatibility with SWITCHaai – specifically that service providers already using SWITCHaai recognize a person even after the adoption of edu-ID – the former AAI ID must be written into the affiliation itself. This has to be taken into consideration when building a so-called linking service.
The tests ran all perfectly and the switch was made in no time.
Only 4 months passed from the decision to implement SWITCH edu-ID to the actual conversion. This fast changeover was also possible thanks to the good and timely support by SWITCH.”
The TLS protocol secures the communication between a user’s web browser and a server running a web application. The user recognises a secured communication by the lock visualised in the web browser or the
https prefix in a link.
The security protocols TLSv1.0 and TLSv1.1 are outdated and no longer rated as secure. Therefore, web server administrators should plan to properly protect their services by updating their web server configuration to require at least TLSv1.2.
To apply this security improvement to SWITCHaai including SWITCH edu-ID, SWITCH announces the upgrade in two phases.
This was the first time we could not meet in person at Berne. But still it was a very inspiring occasion for us to come together via SWITCHinteract on May 20.
Around 50 members of universities and related organisations have participated in this three hours online meeting with a very dense programme which illuminated various aspects of SWITCH edu-ID.
Our first keynote speaker Stéphane Recrosio (UNIFR) has provided insights about the adoption of SWITCH edu-ID at the university of Fribourg like planning, communication, support and do’s and don’ts as a result of the experience gained.
While the second keynote speaker Maarten Kremers (SURFnet) talked about the implementation of eduID in the Netherlands it became obvious that similarities to SWITCH edu-ID are probably not purely coincidental.
Beside those two presentations many topics could only be touched upon briefly due to the shortened programme duration, like SLSP status, Kerberos/SPNEGO, Office365, technical accounts, duplication handling, re-use of email addresses, small organisations, service description, eduroam.ch, edu-ID roadmap or AAI and PKI news.
The complete presentations are available here.
The current list of universities adopting SWITCH edu-ID is published on the SWITCH edu-ID website. Only 4 time slots are are still available in 2020.
We hope to see you again in person at Berne during the next Trust & Identity Working Group Meeting and SWITCH edu-ID Update event on
May 19 May 26 2021 – please save the date!
In autumn, we’ll all be voting on a new E-ID law. Will we need more digital identities in future? Or can we look forward to a time when passwords are a thing of the past?
Read on to find out how SWITCH is working to make SWITCH edu-ID future-proof.