Swiss edu-ID 2017 – 2020

SWITCH intends to fully deploy the Swiss edu-ID by the end of 2020, with almost all organisations migrated from SWITCHaai to Swiss edu-ID.
To this end, several organisations have already started, or will start migration strategy projects jointly with SWITCH. The aim of these projects is to plan the migration locally at the respective organisation as a first step.
An organisation which decides to start such a project should choose their most convenient time from a couple of possible dates (one starting point every year between now and 2020). steps_2017-2020
(details presented at update event in June)

This kind of projects might get funded by the program PgB5, which is organized by swissuniversities. The deadline for the next submission of projects is approaching (August 14, 2016).
Seven universities have already decided to start with the first step – the development of their own migration strategy by

  • analysing the specific system landscape and services at their organisation with respect to identity management,
  • evaluating additional benefits of a higher integration depth with the Swiss edu-ID (“migrated” or “integrated”),
  • choosing an appropriate migration scenario and planning of migration steps,
  • estimating the resource requirements of the migration, and
  • drafting their organisational Swiss edu-ID migration project plan.

The desired output of those migration strategy projects will be migration plans – or drafts thereof – for each participating organisation. Such a plan can then be proposed to the management of the organisation. If the university management agrees, a subsequent migration project (step 2), possibly funded again by PgB5, can then be submitted, targeting at actually adapting the existing infrastructure to the Swiss edu-ID service.

Final Report on Market Analysis of IdM Solutions

In SWITCHaai, identity management is entirely the responsibility of the organisations participating as identity providers in the federation. With its successor, the Swiss edu-ID, elements of identity management tasks will be performed by SWITCH. SWITCH has conducted a market analysis (RFI) with the aim to identify existing identity management products that fit the Swiss edu-ID requirements, to evaluate these products, and to make a recommendation on the next steps in the project.

Continue reading “Final Report on Market Analysis of IdM Solutions”

Trust in federated AAI: with a particular attention to SWITCHaai

SWITCHaai has a long and successful history in enabling access to hundreds of mainly academic web resources by reusing the authentication mechanisms at the heart of participating organisations.

When joining the SWITCHaai team a couple of years ago, I noticed two things about trust: a) it was just there, and b) no one talked about it. “Trust is established when no one talks about it anymore” someone said. It made me wonder how such a unique construction could be there and just work. There must have been many detailed questions that had to be resolved to get to that point! My curiosity was piqued, so, I started delving into this fascinating topic. How come all of these many service providers, identity providers, end users, organisations and federation partners, commercial or not, just do what the others would expect from them and don’t break trust?

Let’s start with an overview of the roles within an identity federation and their particular expectations towards each other and the federation as a whole. Continue reading “Trust in federated AAI: with a particular attention to SWITCHaai”

Swiss edu-ID Detailed Architecture available now

The Swiss edu-ID Team is happy to announce the first revision of the Swiss edu-ID detailed architecture. It is a thorough description of the Swiss edu-ID federation, its participants and their roles, the information architecture, data models and identity management processes.

The architecture was developed based on the output of Swiss edu-ID working groups, the Swiss edu-ID high level architecture, and numerous presentations and follow-up discussions with university members during the past years. On this occasion we would like to express our gratitude for the great effort and support in our community!

The draft of the architecture document was reviewed by the Processes II Workgroup, subscribers of the Swiss edu-ID newsletter and external identity management experts. Of course, comments are still welcome at any time.

The document (direct PDF link) can be downloaded from the document section of the Swiss edu-ID website.

RFI on Swiss edu-ID IdM open

As announced the phase of the survey conduction has started and the RFI documents have been sent to interested participants 4th of May.
The RFI documents are published on the Swiss edu-ID website.

Deadline for RFI answers is May 22nd, 2016.

By June 1st the most promising participants will be determined and invited to a presentation workshop.
Workshops will take place from June 6th until 10th.

RFI on Swiss edu-ID IdM

With a Request for Information (RFI), SWITCH wants to gain an overview of Identity Management solutions, including Open Source, on the market today that may fit Swiss edu-ID requirements.

Today potential providers of an IdM solution for Swiss edu-ID have been invited to participate in the Request for Information. The invitation and additional information on the Swiss edu-ID environmental fit are published on the Swiss edu-ID website.

Companies should express their interest explicitly to no later than May 3rd, 2016, and provide the E-Mail address of the intended RFI recipient.
The RFI will be distributed no later than May 5th, 2016, and answers to the RFI are expected no later than May 22nd, 2016.

eduKEEP: Promoting the Swiss edu-ID Concept Internationally

With the Swiss edu-ID SWITCH will introduce many new features and enhancements to the already well established SWITCHaai service. However, one aspect is not just an improvement, but rather a paradigm shift: the change from organisation-centric to user-centric identity management.

Continue reading “eduKEEP: Promoting the Swiss edu-ID Concept Internationally”

AAI & Swiss edu-ID Update Event 2016

Thursday 30 June 2016, Berne

Details & Registration

Would you like to know more about the

  • current status of AAI and interfederation
  • OpenID Connect
  • Multi-Factor Authentication
  • Single logout with IdPv3

or more about the

  • Swiss edu-ID architecture
  • new pilots and use cases
  • integration and follow-up project plans ?

Then we would like to invite you to this event with an AAI Update in the morning (10:15 – 12:00)
followed by a Swiss edu-ID Update in the afternoon (13:15 – 16:15).


Release Attributes for Science!

LIGO, the Laser Interferometer Gravitational-Wave Observatory, recently announced that their project had detected ripples in the fabric of spacetime, proving a prediction made 100 years ago by Einstein. Many teams collaborated to ensure this result, and behind the scenes, they rely on effective federated identity management.

What this means, in the simplest terms, is scientists rely on the ability of research services to get attributes about their users from their Home Organisations. However, as REFEDS (Research and Education Federations) points out in an important blog entry, this is not at all smooth sailing.

Continue reading “Release Attributes for Science!”

Are you aware of other eID initiatives?

This is one of the questions we answer quite often – and the answer is “yes”. Of course we do observe initiatives within Switzerland (mainly eGovernment related) and abroad, and including international projects with common tasks and possible synergies. In addition to simply monitor what others do, we build relationships, exchange know-how, evaluate eID initiatives of other National research and education networks (NRENs), provide advice for groups who only yet start with federation projects, and SWITCH is active in international projects as GEANT.
Hereafter you find some examples of initiatives and projects, their goals and concepts, common activities (if any), and some ideas about common interests or possible synergies.

Continue reading “Are you aware of other eID initiatives?”

OpenID Connect meets SAML and Shibboleth

Will the up and coming OpenID Connect (OIDC) displace the established Security Assertion Markup Language (SAML)? In some domains, it already has, thanks to the wide availability of implementations for many programming languages. It also offers an easy solution for delegating access to protected resources, something that is possible with SAML but more difficult to realise, and is a typical use case for mobile applications today. However, OIDC has no concept of a “federation”, i.e. a private group of entities who trust each other, and that is a big drawback to adoption in a federated context like research and education. In this article, we will look into a few initiatives that seek to bridge the gap between the two realms. Continue reading “OpenID Connect meets SAML and Shibboleth”

AAI & Swiss edu-ID Update 2016

Save the Date: Thursday 30 June 2016

This year the joint update event of SWITCHaai & Swiss edu-ID will take place for the third time – this year a little bit earlier – already dated June 30, as ever in Berne.

Note the date in your agenda for this all-day event where you will get up-to-date information about SWITCHaai, Swiss edu-ID version 2.0  and migration scenarios, as well as having opportunities for exchange with IdM/IAM specialists and service responsibles of other institutions.

Registration information follows later in this blog, AAI mailinglists and the Swiss edu-ID newsletter (

Apache Access Control Reloaded

How to ensure that only staff members of my group in my organisation can access team documents via the web and only if they are connected via the organisation’s office network? And how to implement this without writing code? Thanks to Apache, Shibboleth and a SAML-based federation like SWITCHaai, these not so uncommon real life requirements are easy to implement. At least, once one has understood how user attributes can be used for access control. This blog entry demonstrates how to create such access control rules. Continue reading “Apache Access Control Reloaded”

Bye-bye Guest IdP – Welcome Swiss edu-ID

Since February 2012, SWITCH has operated the Guest Login Identity Provider (Guest IdP), which allowed users without a regular AAI account to access certain services. The Guest IdP has also allowed what was otherwise not possible with SWITCHaai: a quick and easy self-registration to access AAI services.

Continue reading “Bye-bye Guest IdP – Welcome Swiss edu-ID”