SWITCHaai Metadata
The metadata describe Identity Providers (IdP) and Service Providers (SP) of the respective federation. The files are updated hourly, usually every full hour.
SAML 2.0 metadata
For IdPs: https://metadata.aai.switch.ch/metadata.switchaai+sp.xml contains only SPs
Legacy: https://metadata.aai.switch.ch/metadata.switchaai.xml contains all IdPs & SPs
For IdPs: https://metadata.aai.switch.ch/metadata.aaitest+sp.xml contains only SPs
Legacy: https://metadata.aai.switch.ch/metadata.aaitest.xml contains all IdPs & SPs
The federation metadata files are digitally signed with the SWITCHaai Metadata Signer certificate. This certificate chains to the SWITCHaai Root CA certificate which should be configured as the trust anchor for PKIX-based validation of the metadata signature.
For IdPs: https://metadata.aai.switch.ch/entities/interfederation+sp contains only SPs
Configure the above listed eduGAIN interfederation metadata feed only if your SP or IdP is registered in the SWITCHaai federation and if it is interfederation enabled so that its metadata gets published via eduGAIN.
In case your service is registered in some other federation, ask its federation operator which feed to configure.
Update of Federation Metadata
AAI-enabled systems in the SWITCHaai federation are requested to update the metadata at least daily. Hourly updates are strongly recommended in order to support fast propagation of metadata changes.
Instructions for configuring the above metadata with an automatic hourly refresh and signature validation based on the SWITCHaai Root CA trust anchor can be found in our SP deployment guide and the IdP deployment guide, respectively (MetadataProvider
elements in the XML configuration files).
If the SP or IdP downloading metadata is behind a firewall or proxy, please be aware that the IP address of the metadata.aai.switch.ch
host may change without notice. Creating IP-based filter rules is therefore discouraged. Instead, we strongly recommend configuring the SP to use a proxy with the <TransportOption>
element or the IdP to use a proxy.
Special Use Case
SWITCH edu-ID IdP Metadata only
The following metadata files get updated and are digitally signed the same way as the standard metadata files above.
If you use an ADFS SP, replace 'http' by https' in the above listed links.
ADFS ignores the digital signature embedded in the metadata file but insists on downloading
the file from some https location.
Please note: After adding the link as 'Claims provider's federation metadata URL'
ADFS will present you the warning
"AD FS Management: Some of the content in
the federation metadata was skipped because it is not supported by AD FS.
Review the properties of the trust carefully before you save the trust to
the AD FS configuration database." .
Ignore this warning. Unfortunately, ADFS does not log any details which elements its XML parser skipped.