Multi-Factor Authentication Reinforced

Since December 2018 the edu-ID login has supported multi-factor authentication in the form of a two-step login that relies on SMS codes. However, receiving one-time SMS codes requires a mobile phone, and not all users want to add a mobile phone number to their edu-ID account. Furthermore, SMS messages generally cannot be sent securely: there is always the risk that somebody else intercepts them. Some edu-ID users also want to use multi-factor authentication for all their edu-ID logins, but without entering a one-time code several times per day.
To address the above issues reported by the community, we extended the edu-ID two-step login in the following three areas…


Trust & Identity WG Meeting / SWITCH edu-ID Update Event 2019

SWITCH invites you on Wed, 15 May 2019 to the 2nd Trust & Identity WG Meeting combined with the SWITCH edu-ID Update Event in Berne.

Registration is open until Tue, 7 May 2019 and is required for logistical reasons.
Refer to the registration page for the draft agenda and schedule.

A longer section of the event is dedicated to SWITCH edu-ID. The heads of IT of University of Lucerne and Distance University will talk about their adoption experience.

Administrators of either an Identity Provider or Service Provider registered in SWITCHaai as well as the SWITCHpki registration authority operators and all persons involved in (future) planning and adoption of SWITCH edu-ID are invited to participate.

What’s the SWITCH Trust & Identity WG?
The SWITCH Trust & Identity WG comprises representatives of all SWITCHaai Participants and SWITCHpki Participants in the SWITCH Community and the Extended SWITCH Community.
This group is informally involved in the further development of SWITCHaai/edu-ID and SWITCHpki and has the opportunity to provide feedback when questions arise or changes are upcoming.

Switzerland’s E-ID Law clears further hurdles

Creating a new law is a long journey. We already featured several “making of” stages of the Swiss E-ID Law and the contributions of SWITCH in our E-ID category: consultation of an E-ID Concept in 2015, consultation of an early draft E-ID Law in 2017, publication of proposed law in 2018.

Another hurdle was recently cleared with the National Council approving the proposed law with relatively minor changes in March 2019 (for the interested: this business is referenced under 18.049). A minority wanted to change to government-issued Electronic Identities (eIDs), but the proposed market model was upheld.
The next step is the debate in the Commission of Legal Affairs of the Council of States in April 2019. In the absence of major changes, the law can be put into force in 2021.


Distance University now uses edu-ID too

On 6 March 2019, Distance University became the second university to switch to SWITCH edu-ID for authentication and access to its services. Here is an extract from their experience:

IT as a driving force

The project was primarily carried out by the IT department – supported by Marketing. All information had to be written in German and French. Student managers, who act as the first contact persons for teachers and students, were trained in advance by IT.

It took about 1.5 years from the initial discussions with SWITCH to the completion of the project. Distance University IT spent in total one man-month developing and testing the technical implementation. In addition, project management and communication were particularly time-consuming.

Information campaign as key

The Distance University launched an information campaign in the summer of 2018, thus persuading 75% of the university members to create an edu-ID account. The scenario “Linking before day X” was used for current users. The creation/linking of the account was simple and user acceptance correspondingly high.

100’000 edu-ID accounts!


In the late evening of February 25th, a prospective student registered at ZHAW and thus created a personal SWITCH edu-ID account. This account turned out to be number 100’000!

The SWITCH edu-ID team is very happy to see an increasing uptake of this new service. It is user-centric and centrally managed. It is assisting the universities and their IT departments in their daily work.

Over the past few months, about 200 new edu-ID accounts have been created per day on average. About 40% of the users actually link their edu-ID with the AAI account provided by their university.

By the way: the prospective student has not yet responded to our call, so we couldn’t share this cake with her yet.

University of Lucerne – the edu-ID Pioneer!

On 1 February 2019 the University of Lucerne made a big step. It is the first university that has completely switched over to the SWITCH edu-ID. All of its roughly 4000 members now use their own secure, long-lived and user-centric SWITCH edu-ID account to access services relevant to the Swiss academic community.

The introduction of the edu-ID heralds a paradigm change in identity management for Swiss higher education. Users are getting more control over their personal data whereas universities can optimize their identity management processes. Fortunately, despite the fundamental architectural change, the impact on users is moderate.

“The migration to SWITCH edu-ID on 1 February 2019 went smoothly. Smaller problems after the migration were solved very quickly by SWITCH. Despite some obstacles in the course of the project, SWITCH provided us with competent support and assistance at all times.”
Marco Antonini, Head of IT

The first preliminary talks between University of Lucerne and SWITCH on edu-ID were held in September 2017. The idea behind the SWITCH edu-ID and, above all, the opportunities it offers in the future convinced the university right from the start. So they decided to change over relatively early. An important prerequisite, central user administration, was already in place, so that the concrete planning could be started.

As the integration approach, linking at registration was chosen for new students, and linking after admission for current members and future staff. With the integration of edu-ID into the organisational IT and the equipment of all members with an edu-ID identity, the university has reached an important milestone. In a second step, further groups will be addressed, namely alumni, auditors and further education students.

As the first organisation to completely change over to SWITCH edu-ID, the University of Lucerne is making history. It can rightfully be proud of this achievement!

Technical Accounts

“Thou shalt not have more than one SWITCH edu-ID user account!” This is one of the commandments in the edu-ID terms of use. It originates from the need of organizations to unambiguously assign an edu-ID account to one person. But what can an organization or service operator do if it needs a special edu-ID account, e.g. for testing?


Managing User Affiliation with the Organisation Administrator Interface

The edu-ID is a user-centric system in which users generally manage their account data themselves. And yet, some data relates to and is thus asserted by organisations like universities. Therefore, the edu-ID system provides several APIs for organisations so that they can manage data about users they are authoritative for. A new way to manage this data is the edu-ID administration interface for organisations, which is presented in this blog post.


Two or More Factors for edu-ID

A representative from a larger higher education organisation in Switzerland recently stated that they identify roughly 40 compromised user accounts on average per month. Extrapolated to all Swiss AAI users, this number would grow to more than 1’000 compromised accounts per month. Many of them are probably not even detected. Many of them probably belong to young students who may not always take proper care of their credentials. But every now and then, staff members and professors also learn about the nightmare of having their digital identity impersonated. So, how can edu-ID support SWITCHaai services in enhancing authentication security?

E-ID law: SWITCH contributing to parliamentary hearing

At its meeting on 1 June 2018, the Federal Council adopted a dispatch to Parliament containing a draft for an E-ID law (see corresponding press release in DE, FR and IT; for follow-ups see “18.049 Business of the Federal Council”).

The National Council’s legal commission now handles the business. On 15 November 2018, it held a hearing with representatives of industry, public corporations, potential providers of E-ID solutions and interested parties from civil society. As a potential provider, SWITCH was able to take part in this hearing.

This draft E-ID law largely follows the preliminary draft consulted on last year (press release with a link to the consultation report at the bottom of the page). It therefore does not come as a surprise that the position SWITCH expressed towards the preliminary draft also applies to the new draft law, including the criticism voiced therein.

Microsoft Integration Demo


For many Higher Education Institutions in Switzerland, the integration of their identity and access management solution with Microsoft products is an important requirement. This also applies before / when adopting the SWITCH edu-ID. To this end, SWITCH has developed the necessary building blocks to demonstrate that such an integration is possible. This enables users to benefit from cloud offerings such as Office 365 or Microsoft Azure services with their usual login credentials.

The four demo use cases that were established are:

  1. A user from a cloud-only institution (without on-premises Active Directory) authenticates to Microsoft SaaS services, namely Office365
  2. A user from a hybrid institution (with on-premises Active Directory) authenticates to Microsoft SaaS services, namely Office365
  3. A user from a hybrid institution authenticates to a “modern” web app via SWITCHaai
  4. A user from a hybrid institution authenticates via Kerberos to a local application via his SWITCH edu-ID

Demo case 3 is straightforward, because SWITCH edu-ID is just a particular SWITCHaai Identity Provider (IdP) running the same software (Shibboleth) as most of the other institutional Identity Providers in SWITCHaai. It simply uses the SAML 2.0 protocol, which all SWITCHaai Identity Providers have supported for a long time.

For the other demo cases, we had to integrate SWITCH edu-ID with Microsoft’s underlying cloud identity management system, the Azure Active Directory. In the following sections, we describe how this can be done.

Implementation Components

To authenticate against Microsoft’s Azure Active Directory using a third-party Identity Provider like Shibboleth, Microsoft requires two attributes (or claims) that are not standard in SWITCHaai:

  1. ImmutableID
  2. userPrincipalName (UPN)

As a prerequisite, the current SWITCH edu-ID LDAP directory therefore has to be extended with an additional LDAP schema containing these two attributes.

In order to provide these attributes, the SWITCH edu-ID Identity Provider configuration was extended with an attribute filter policy that releases the attributes and a matching attribute resolver that loads them from the underlying LDAP directory.

The second step is to exchange metadata between Microsoft Online and SWITCH edu-ID. Microsoft Online provides its metadata on a public URL, SWITCH edu-ID provides signed metadata as part of the SWITCHaai federation.

Then, Microsoft’s Online Services had to be configured for the Federated Authentication, forwarding all authentication requests for the covered domain(s) to the SWITCH edu-ID IdP.

The last necessary step was to provision the users in Azure Active Directory. This is necessary, because Azure Active Directory cannot provision a user on-the-fly based on a SAML assertion, and needs to assign a usage location and license to every user beforehand. Since this constitutes a transfer of personal information to Microsoft, it is recommended to let all users consent to this first.

In the case of a hybrid institution, the users are synchronised from the institution’s on-premises AD to the Azure Active Directory via AAD Connect. In this case, the users’ ImmutableID attribute stored in the edu-ID LDAP directory needs to correspond to the ImmutableID used by AAD Connect. A mechanism for synchronising the ImmutableID and the userPrincipalName between the on-premises AD and the edu-ID will be made available soon.

In the case of the cloud-only institution, for each provisioned Azure AD user, an appropriate ImmutableID must be generated, stored in the edu-ID LDAP directory and synchronised with the Azure Active Directory.
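The cloud-only case above, as an added example that is not SWITCH’s own tooling: it mints an ImmutableID in the base64-of-GUID form that AAD Connect derives from an on-premises objectGUID (so hybrid and cloud-only users share one shape), checks that the UPN belongs to a domain federated with the IdP, and emits the LDIF that stores both attributes in the edu-ID LDAP directory. The attribute names come from the article; the base DN and the federated domain are assumed placeholders.

```python
"""Mint ImmutableID / userPrincipalName values for edu-ID users of a cloud-only
institution and emit the LDIF that stores them in the edu-ID LDAP directory."""
import base64
import re
import uuid
from typing import Optional

# Domains that Microsoft Online forwards to the edu-ID IdP (constructed sample).
FEDERATED_DOMAINS = {"example-uni.ch"}

# Azure AD limits the ImmutableID to 64 characters. Base64 of a 16-byte GUID is
# 24 characters, the same shape AAD Connect derives from an on-premises objectGUID.
IMMUTABLE_ID_MAX = 64
_UPN_RE = re.compile(r"^[A-Za-z0-9._'-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def immutable_id_from_guid(guid: uuid.UUID) -> str:
    """Base64-encode the GUID's raw 16 bytes (AAD Connect's objectGUID convention)."""
    return base64.b64encode(guid.bytes).decode("ascii")


def new_immutable_id() -> str:
    """Cloud-only institutions have no objectGUID to derive from, so mint a random one."""
    return immutable_id_from_guid(uuid.uuid4())


def validate_upn(upn: str) -> str:
    """Return the UPN's domain, refusing UPNs Microsoft Online would not route to the IdP."""
    if not _UPN_RE.match(upn):
        raise ValueError(f"malformed UPN: {upn!r}")
    domain = upn.rsplit("@", 1)[1].lower()
    if domain not in FEDERATED_DOMAINS:
        raise ValueError(f"UPN domain {domain!r} is not federated with the edu-ID IdP")
    return domain


def ldif_modify(uid: str, upn: str, immutable_id: Optional[str] = None) -> str:
    """LDIF 'changetype: modify' record adding both attributes; base DN is a placeholder."""
    validate_upn(upn)
    immutable_id = immutable_id or new_immutable_id()
    if len(immutable_id) > IMMUTABLE_ID_MAX:
        raise ValueError("ImmutableID exceeds 64 characters")
    return "\n".join([
        f"dn: uid={uid},ou=users,dc=edu-id,dc=example",
        "changetype: modify",
        "add: ImmutableID",
        f"ImmutableID: {immutable_id}",
        "-",
        "add: userPrincipalName",
        f"userPrincipalName: {upn}",
        "",
    ])
```

The resulting record can be applied with a standard LDAP modify tool; the same ImmutableID value must then be set on the provisioned Azure AD user so both sides agree.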


Microsoft’s implementation lacks some features that are considered best practice in Higher Education Identity Federations:
• The Microsoft Online metadata is unsigned, which is unusual in Higher Education Identity Federations, but it is served over an HTTPS connection.
• A metadata aggregate cannot be consumed and automatic hourly reload of metadata is unsupported. Therefore, metadata changes from the federation have to be fed to Microsoft manually.
• Microsoft also does not support encrypted SAML assertions, forcing any Shibboleth Identity Provider interacting with it to disable encryption.

Final Thoughts

Authentication to Microsoft services via the SWITCH edu-ID is generally feasible, enabling organizations to keep a single identity and avoid creating a second set of credentials for Microsoft Office365 and other solutions. However, the security level we are used to, and which is considered best practice in Higher Education Federations, had to be lowered slightly.

Also, Microsoft’s requirements for interoperation seem to differ from the Higher Education Interoperation Profiles and seem to change frequently without notice. Therefore, do not be surprised if some information in the referenced documentation or in this article has become obsolete or outdated by the time you read it.


The steps defined here have been developed after consulting different sources. These were:

Submit your Sub-Project for Planning and/or Adoption!

In August we submitted our latest project application for Swiss edu-ID – the Deployment Steps 3 & 4 – to swissuniversities. A two-year project during 2019 and 2020 is intended which, as before, contains two parts:

  • further development of features (functional extensions) and
  • planning and adoption activities of universities (deployment).

In order to allow non-bureaucratic and more agile handling, especially for the planning phases, universities can now request third-party funding twice a year and can therefore become a project partner and start funded activities much more easily.

If third-party funding would be beneficial to your university, please consider submitting a sub-project on one of the following dates:

  • 30.11.18 (project start January 2019)
  • 31.5.2019 (project start July 2019)
  • 30.11.2019 (project start January 2020)
  • 31.3.2020 (if there is still funding available; project start May 2020)

You can find the one-page application form on our project website.

The application must be addressed to SWITCH, but the same rules apply as for projects submitted to swissuniversities (at least 50% own funds, reporting etc.).*

Universities with no need for third-party funding can start a sub-project – in consultation with us – at any time.

Don’t hesitate to contact us and join the group of already 24 universities!

* NOTE: This procedure is subject to approval by swissuniversities (expected for December 2018)

Break and Enter

Have you ever invited professional burglars to break into your home to steal your valuables? For the edu-ID service we have done exactly that, and we even paid for it. The valuables in our case are the identity data of all edu-ID users. However, the “professional burglars” were actually very kind, professional and skilled security experts from Compass Security.


Go for next Deployment Step

The project Deployment Step 2.2, submitted in February, is now approved by swissuniversities.

Participating Universities

From August on, several universities will start adoption planning, supported by federal funds in the framework of the Deployment Step 2 phase:

  • Berner Fachhochschule
  • Fachhochschule St. Gallen
  • Haute école spécialisée de Suisse occidentale
  • Hochschule für Technik und Wirtschaft Chur
  • Hochschule für Wirtschaft Zürich
  • Pädagogische Hochschule Bern
  • Université de Neuchâtel
  • Zürcher Hochschule der Künste.

The following universities plan the implementation of SWITCH edu-ID in 2018/19:

  • FernUni
  • Hochschule Luzern
  • Pädagogische Hochschule Schwyz
  • Pädagogische Hochschule Zug
  • Université de Lausanne
  • Universität Luzern
  • Universität St. Gallen
  • Zürcher Hochschule für Angewandte Wissenschaften.

The list of participating organisations is regularly updated and available at