What does it take for a university to adopt the SWITCH edu-ID? This is the question SWITCH and seven partners (EPFL, FHNW, UNIFR, UNIGE, UNIL, UNISG and ZHAW) are addressing in the project “Swiss edu-ID Deployment Step 1” as part of swissuniversities’ program «Scientific information». The project advanced nicely and would justify an article on its own. But let’s draw your attention to an interesting side product of this project: we learned how electronic identities are managed in our community – and how the approaches are evolving over time and why.
Authentication for Windows services using SWITCH edu-ID?
Are you running a Microsoft Windows Service (e.g. Sharepoint) with non-public content connected to your organisational Active Directory (AD)? Do you want to make content available to specific external users, e.g. users with a SWITCH edu-ID? This article is for you.
While Windows Authentication remains based on Active Directory Servers, the gap between the Windows and the Shibboleth world has become bridgeable, thanks to new features in ADFS 2016.
Imagine yourself running some Microsoft Windows service such as a Sharepoint instance. You probably need to configure external authentication. This is, and always was, straightforward if you can attach Active Directory Servers to the Sharepoint instance. However, it used to turn out a bit more cumbersome if you wanted to base your external authentication on a non-Windows service like e.g. a Shibboleth IdP[1]. In short, supporting regular SWITCHaai was difficult for Windows services.
Thankfully, this has changed. ADFS 4.0, being a part of Windows Server 2016 has improved interoperability with SAML 2.0, which allows for use of a Shibboleth IdP when serving authentication requests from Windows services.
Peter M. Studer, one of the Identity Management (IdM) specialists at the University of Bern, has recently posted a blog (in German), which explains in detail how to deploy an ADFS server as a proxy to an IdP within SWITCHaai, in particular as a proxy to the SWITCH edu-ID IdP.
We find this step-by-step tutorial extremely helpful and will set up an appropriate proof of concept locally. This may be a first step towards integration of SWITCH edu-ID authentication for Windows services. If you are interested in learning more about the proof of concept, please contact us!
[1] IdP: Identity Provider
P.S.: There’s – at least – one more thing that has to be sorted out before such an idea can go into production: the metadata signature check. Any resource in a federation needs to properly link into the trust chain, something which is well prepared for resources based on Shibboleth software, but can be hard for others – yet.
SWITCH edu-ID Now Speaks Italian
The user interface to create and manage a SWITCH edu-ID account was originally available in English. It was translated to French and German half a year ago.
We are happy to announce that the Italian translation of the user interface is ready and can be used as of today.
Together with the Italian user interface we have also translated and released the SWITCH edu-ID terms of use in French, German and Italian.
If you have comments or suggestions for translation enhancements please don’t hesitate to contact us.
SWITCHaai: 1’000 services registered
Last week, the number of services registered in the SWITCHaai federation crossed the 1’000 line for the first time.
When the Università della Svizzera italiana, Damiano Bianchi (Servizio informatico TI-EDU) registered the ‘USI Library service’ (the 21st service of USI), this new service became the 1’000th SP available in the SWITCHaai federation.
Consultation on draft of federal E-ID law
At its meeting on 22 February 2017, the Swiss Federal Council opened a consultation on legislation on electronic identification (E-ID law, see announcements: DE, FR, IT). The consultation ended 29 May 2017.
SWITCH participated in this consultation and confirms the importance of a well-functioning and generally accepted E-ID. The identity service SWITCH edu-ID/SWITCHaai could potentially benefit from such an E-ID legislation: either to start offering an E-ID function itself, or by consuming E-ID services. Such use cases – from SWITCH and from other parties – may become important drivers for the spread of E-ID beyond pure e-government applications and for the emergence of an general-purpose E-ID ecosystem.
After evaluating the proposed delivery model in the draft E-ID-law, SWITCH proposes its revision. To ensure swift implementation and to reduce risks and complexity, SWITCH urges that the proposed market model be abandoned in favour of an implementation by the Swiss Confederation itself or by mandating it to a third party.
If the market model is to be pursued nevertheless, SWITCH proposes the use of a multi-stakeholder expert group to resolve the many open questions arising from the draft. If this group can not achieve its objectives, the market model is to be abandoned once and for all in favour of the proposed government-driven implementation model for an E-ID.
You are invited to read the full answer of SWITCH to the consultation (in German): 20170529 Vernehmlassungsantwort SWITCH E-ID-Gesetzesentwurf.
Bye-bye Cloud ID – Welcome SWITCH edu-ID
About 27,000 people have got mailing from the SWITCH edu-ID team April 19:
Instead of their former Cloud ID account, SWITCH edu-ID would be used as from 1st May 2017 in order to access the services SWITCHdrive and SWITCHengines.
But how should the vast majority of those users, who did not already have a SWITCH edu-ID account, come to such an identity?
Changeover without effort for 98% of users
The usual way to generate a SWITCH edu-ID account is self-registration – this in line with the principle of user centrism. However, in this case the new accounts were generated automatically in order to spare users effort.
Users who have linked their SWITCH edu-ID account with their existing AAI account(s) have substantially facilitated proper account assignment and account aggregation during conversion. Continue reading “Bye-bye Cloud ID – Welcome SWITCH edu-ID”
Partner event: EduID Mobile App Architecture meeting on 25 April 2017
The “digital transformation” has strong effects on how individuals interact with each other through the use of services – and it adds some challenges to the service operator’s agenda. One such challenge is to deploy consistent identity management across all the devices the “digitally transformed” user may choose from.
For over a decade, SWITCHaai streamlines the user’s (and also the service operator’s) experience by offering a consistent identity management framework across a wide range of web-application services. SWITCH edu-ID is extending this framework to reach beyond web-applications and to also seamlessly integrate with mobile apps.
The project Swiss edu-ID Mobile App (part of swissuniversities’ program “Scientific information”) aims at developing a novel approach to this challenge.
The eduhub Special Interest Group SIG Mobile Learning will discuss this approach and contrast it with other approaches. Interested app developers and service providers are encouraged to register for the event by answering this Doodle poll by 19 April the latest.
New SWITCH Story “Leading the way in identity management”
Comfort or discomfort? In our increasingly user-centric world, this is a key success factor of basically any solution. Read more about the contribution of SWITCH edu-ID to the Swiss Personalized Health Network (SPHN) that will aim to harmonise the various types of data and information systems and make it possible to exchange data for research purposes.
New SWITCH story “SWITCH edu-ID picks up pace”
Read more about the transition of the Swiss edu-ID project to operation in 2017 (SWITCH edu-ID service), its features, initial practical experiences and migration planning that has started with seven universities.
Swiss edu-ID Update Event 2017
Save the date: Thursday 29 June 2017
The focus is put this year on an update about the project Swiss edu-ID and the service SWITCH edu-ID, whose deployment starts in 2017.
Note that no SWITCHaai specific topics are foreseen.
The event will take place June 29 , 11:00 – 16:15, in Berne at UniS, Schanzeneckstrasse 1, room A-126.
Preliminary Programme:
11:00 – 12:00 SWITCH edu-ID for beginners (for people not already familiar with SWITCH edu-ID)
12:00 – 13:15 Arrival for afternoon participants and Lunch
(afternoon participants are warmly welcome to take lunch with us)
13:15 – 14:30 Pilots and current project status
14:30 – 14:55 Coffee break
14:55 – 16:15 Status Migration Strategies, roadmap and next steps
16:15 End of event
Update 2016-06-01: Registration site with updated agenda
Project approval for “Swiss edu-ID Deployment Step 1”
Back in August 2016, SWITCH and seven partners (EPFL, FHNW, UNIFR, UNIGE, UNIL, UNISG and ZHAW) applied for project funding through in the framework of the P2/P5 programme of swissuniversities. Regular readers of our blog might remember, that we wrote about the submission and the nature of the proposal in the blog post Project for Deployment Step 1 in 2017 submitted which you are encouraged to re-read.
We are delighted to share with you the good news that this project received green light from the “Comité de pilotage du programme CUS P-2” at their meeting on 5 December 2016. This is good news for SWITCH and the university community as well as their stakeholders, as it marks the first of four “deployment steps” to implement the Swiss edu-ID roadmap until 2020.
This week, we received the formal approval letter annexed with an assessment note and additional obligations, which mean some additional homework for SWITCH (clarifications, reporting and project management obligations, as well as accommodating a cut in overall spending). Another good news for our project partners: these obligations are not impacting our partners’ work packages nor do they affect the support they receive from SWITCH.
We are looking forward to start the process of entering the deployment phase of the Swiss edu-ID roadmap and rolling out the SWITCH edu-ID service until 2020.
Advanced Access Management with SWITCH edu-ID
The SWITCH aai identity federation is based on one important concept: The separation of identity management (IdM) and access management (AM). Identity providers are trusted sources of a set of well defined attributes. For each user trying to access a service, the service itself decides based on his/her attributes if access to the service is granted or denied.
The identity provider in its purest form only manages general user information like name, age, email address, membership status at a university etc. This information is general and not specific to services. The service specific part is the way how attribute information can be combined by a service to build complex access rules like: “This service accepts math students and staff members”.
What if a group of services needs to share additional information about a user that is not part of the standard attribute set? For this case SWITCH has developed the shared attribute service for the edu-ID.
The shared attribute service consists of a database where additional attributes can be stored for each SWITCH edu-ID user. The contents of this database are not managed by the SWITCH edu-ID Identity Provider. Some external entities can access to the shared attributes database via an API, and set or delete attribute values for selected edu-ID users. When a user accesses to a service provider the shared attribute for that user is added to the standard attributes and sent to the service.
What effectively happens with shared attributes is that one part of AM (the part that is common to a group of services) is extracted from the services and centralized
First application: National Licences
The first application to use shared attributes is the National Licenses service. In the context of the national licenses some publishers grant access to users who satisfy a complex access rule. The user has to be a Swiss citizen, has to accept specific terms, must have been active during the last year and must not be blocked due to service abuse.
A specially developed national licenses service registration platform checks if a user meets all the requirements of a user. If the user does meet the requirements, the flag national-license-compliant is set in the shared attributes database for that user. Consequently, services participating in the national licenses program get the additional attribute and grant access to licensed publications.
If a user does not meet all requirements, the national-license-compliant flag is removed. The user gets an explanation on the registration service and some indications how he or she could re-gain access to the national licenses program.
Note: The shared attributes service has been developed by SWITCH to solve a specific problem and to gain experiences with the concept. It is possible that the service will be replaced in the future by a more general group management service.
SWITCH edu-ID Branding
Services use SWITCH edu-ID as authentication mechanism for their users. Universities use SWITCH edu-ID to onboard new students or staff members. Branding is a great new feature to integrate the SWITCH edu-ID into services and to improve the user experience.
From project to service – introducing the SWITCH edu-ID service
Autumn 2013. Big things start small. An interuniversity working group captures floating ideas around user-centric identities, puts those ideas into a roadmap and proposes a name for it: Swiss edu-ID. The resulting document becomes one cornerstone of the national strategy, approved by the Swiss University Conference in April 2014. But it also marks the beginning of SWITCH’s efforts to implement the proposed Swiss edu-ID roadmap. swissuniversities supports this collaborative effort of SWITCH and the Swiss universities including their libraries.
Autumn 2016. The pilot service Swiss edu-ID V1.0 is around for well over a year. It allowed us to gain first operational experience in numerous pilot projects and a much clearer picture of what is yet to come. We also learned that some services start to rely increasingly on the availability of Swiss edu-ID, while others care more for the latest feature. Time is ripe to give both a home.
This is why SWITCH starts to use a new, distinct branding for the operational service emerging from the Swiss edu-ID project. The new branding honors the roots by keeping “edu-ID” in its name, but it also shows its operational home, adheres to the service naming guidelines of SWITCH and receives proper legal protection. The user-centric identity management service of SWITCH will be called the SWITCH edu-ID service.
You might notice in the not so distant future, that a new service will pop in the service catalogue of SWITCH, or that the “edu-ID login window” will look slightly different. But one thing won’t change: in its heart, the SWITCH edu-ID still carries those ideas captured in autumn 2013 by an interuniversity working group.
Real SSO feeling through the SPNEGO/Kerberos Login Flow for the Shibboleth Identity Provider v3
Windows users can now extend their SSO feeling to the SWITCHaai login page, provided their client is a member of a Windows domain. They no longer need to re-enter their username and password they’ve already entered to log in to the Windows desktop. Actually, Kerberos enabled non-Windows clients like Linux or Mac could profit of such enhanced SSO, too.
The Shibboleth Identity Provider (IdP) achieves this through SPNEGO-based Kerberos authentication (i.e. password-less web authentication via Kerberos). While version 2 of the Shibboleth IdP supported this through an extension, the Shibboleth IdP version 3 provides built-in support through the SPNEGO/Kerberos Login Flow authentication mechanism.
The SPNEGO/Kerberos Login Flow module was developed in co-operation by SWITCH and the Fachhochschule Nordwestschweiz (FHNW). As the FHNW already developed the extension for the IdP v2, they brought their existing experience into the project to re-implement the same functionality for IdP v3. Eventually, the SPNEGO/Kerberos Login Flow got an integral part of the Shibboleth Identity Provider version 3.2.0 in November 2015 and has been available since then.
The SPNEGO/Kerberos Login Flow has proven to run successfully on the IdPs of the Fachhochschule Nordwestschweiz and the Pädagogische Hochschule Bern, since these IdPs were migrated to IdP v3.
To use the SPNEGO-based authentication, the following prerequisites must be fulfilled:
- A Kerberos infrastructure must be available (e. g. a Windows domain).
- The IdP server must be registered as a Kerberos service at the Kerberos Key Distribution Center (KDC).
- Kerberos client software must be installed on the IdP server.
- The Shibboleth Identity Provider software must be configured accordingly.
- The web browsers on the clients require specific configuration to use this authentication method.
Organisations being interested in using the SPNEGO-based authentication on their own IdP can find comprehensive documentation in the Shibboleth Wiki: SPNEGO/Kerberos Login Flow
SPNEGO-based authentication is also offered as an option to the Identity Provider Hosting service provided by SWITCH.