SWITCHaai Metadata

The metadata describe Identity Providers (IdP) and Service Providers (SP) of the respective federation. The files are updated hourly, usually every full hour.

SAML 2.0 metadata

The federation metadata files are digitally signed with the SWITCHaai Metadata Signer certificate. This certificate chains to the SWITCHaai Root CA certificate which should be configured as the trust anchor for PKIX-based validation of the metadata signature.

Configure the above listed eduGAIN interfederation metadata feed only if your SP or IdP is registered in the SWITCHaai federation and if it is interfederation enabled so that its metadata gets published via eduGAIN.
In case your service is registered in some other federation, ask its federation operator which feed to configure.

Update of Federation Metadata

AAI-enabled systems in the SWITCHaai federation are requested to update the metadata at least daily. Hourly updates are strongly recommended in order to support fast propagation of metadata changes.

Instructions for configuring the above metadata with an automatic hourly refresh and signature validation based on the SWITCHaai Root CA trust anchor can be found in our SP deployment guide and the IdP deployment guide, respectively (MetadataProvider elements in the XML configuration files).

If the SP or IdP downloading metadata is behind a firewall or proxy, please be aware that the IP address of the metadata.aai.switch.ch host may change without notice. Creating IP-based filter rules is therefore discouraged. Instead, we strongly recommend configuring the SP to use a proxy with the <TransportOption> element or the IdP to use a proxy.

Special Use Cases

SWITCH edu-ID IdP Metadata only

The following metadata files get updated and are digitally signed the same way as the standard metadata files above.

If you use an ADFS SP, replace 'http' by https' in the above listed links.
ADFS ignores the digital signature embedded in the metadata file but insists on downloading the file from some https location.
Please note: After adding the link as 'Claims provider's federation metadata URL' ADFS will present you the warning
"AD FS Management: Some of the content in the federation metadata was skipped because it is not supported by AD FS. Review the properties of the trust carefully before you save the trust to the AD FS configuration database." .
Ignore this warning. Unfortunately, ADFS does not log any details which elements its XML parser skipped.

Metadata Signed with 2025 Signer Certificates

From 14 May 2025, the SAML metadata will be signed with new Signer Certificates which in turns are signed by new Intermediate CAs. The SWITCHaai Root CA remains the same.
All metadata files listed in the previous sections will change the issuer of the signature on 14 May 2025.
We've already started signing the metadata files with the new Signer Certificates. We provide them via the alternative links listed below.
Services which are not capable of verifying a chain of trust up to the SWITCHaai Root CA have two options:

• They need to be adjusted on 14 May 2025 to trust the new certificates at the same time we start signing the metadata with them.
• They are adjusted before this date to use the alternative metadata files provided below, which are signed with the new Signer Certificate.

Please find below a list of links to metadata files signed with the new certificate. Note that from 14 May 2025 on, these files are equivalent to those you find earlier on this page.
For more information about the Certificates used, visit the SWITCHaai Root CA Repository page.