Sending Users on the Right Path

In a previous blog post we presented how AAI Service Provider (SP) administrators can customize the edu-ID registration and login pages individually for their service. However, an SP administrator can not only brand the edu-ID pages with a custom logo or custom text but he can also influence the process itself used when users register, login or when they complete their account data. Examples of such process modifications are:

  • To send a user automatically to a specific URL after registration or login
  • To make a user first provide a specific verified or unverified attribute (e.g. mobile number or home postal address) and then send him back to the service

Both of these example scenarios have been used for instance by the Swissbib service for several months. Swissbib users sometimes have to provide a verified mobile number and/or postal address before they get access to national license content, which – by agreement – should be only available to residents of Switzerland.

So, how can an AAI SP administrator customize the edu-ID processes to implement the above and more scenarios? All that is needed is to send the user on the right path, or rather to the right URL. For all those not wanting to get familiar with the technical details of how these URLs have to be composed to achieve a certain process change, we have created a useful tool that makes the URL generation very easy: The edu-ID Login Link Composer.

Screenshot edu-ID Login Link Composer

Screenshot of edu-ID Login Link Composer

The edu-ID Login Link Composer consists of a form with several inputs that are used to generate a link which triggers the requested behaviour. The user then just has to be sent  to the generated URL to start the process.

Try out the edu-ID Login Link Composer with your own AAI service.


SWITCHaai Transition to Shibboleth Identity Provider v3 is 80% complete

Back in May 2015, the Shibboleth Consortium announced July 31st 2016 as end-of-life date for the IdPv2 code base. A redesigned IdPv3.1.1 is available since March 2015. One month later, SWITCH announced the initial version of the SWITCHaai specific IdPv3 installation guide. In June and September 2015, SWITCH offered well-attended IdP training courses [4] on how to configure IdPv3. Since then, the number of IdPv3 installations has gradually increased to the 80% level it reached just at the beginning of the autumn semester 2016.

The vast majority of the IdP administrators have installed, configured, tested and finally integrated the new version into their production environment. A big thank you to all of them that they gave their time to upgrade. Many administrators provided us valuable feedback on the IdP installation guide so that we could continuously improve it over time.
Several organizations decided to adopt the IdP Hosting service SWITCH offers instead of upgrading their own local installation. Today, SWITCH runs 17 production IdPs on our IdP hosting platform, including the ones for Swiss edu-ID, the Virtual Home Organization (VHO) and the IdP for the SWITCH staff members.

From about half of the remaining eleven IdPv2 instances we know that they will migrate to IdPv3 in the next few weeks. So hopefully by the end of 2016 almost everyone will have completed the transition.

The US InCommon Federation from time to time analyses the metadata of the eduGAIN interfederation service and publishes an interesting statistic on how many of the interfederation enabled IdPs are based on the Shibboleth open source software and run on IdPv3 or still on IdPv2. These numbers show that the percentage of IdPv3 in SWITCHaai is pretty high compared with most other federations listed.


Apache Access Control Reloaded

How to ensure that only staff members of my group in my organisation can access team documents via the web and only if they are connected via the organisation’s office network? And how to implement this without writing code? Thanks to Apache, Shibboleth and a SAML-based federation like SWITCHaai, these not so uncommon real life requirements are easy to implement. At least, once one has understood how user attributes can be used for access control. This blog entry demonstrates how to create such access control rules. Continue reading


Simplify Shibboleth IdP Debugging: Quickly Identify Related Log Entries

Why isn’t it possible to easily identify all log messages belonging to particular user that authenticated at a Shibboleth Identity Provider?” This question was asked at the SWITCH Shibboleth Training in June 2015. Many other Shibboleth Identity Provider (IdP) administrators acknowledged they miss such a useful feature too. It would make debugging Shibboleth login issues easier since parallel user logins at the IdP result in many log entries that become a challenge to analyze. By default, the IdP does not provide enough log information to identify all related log entries  for a particular login attempt.

The answer to this question is: This is possible! It’s in Shibboleth already and it’s easy to use but it is a bit hidden. There are two key ingredients needed to activate this.

Continue reading