Deployment Information for Federation Partners

While the page on how to become a Federation Partner outlines the legal aspects of joining SWITCHaai as a Federation Partner, this page provides an overview on how to install and configure one or more SAML Service Providers (SP) and register them as Resources in the SWITCHaai Federation, preferably using the open-source software Shibboleth.

Technical steps

  1. SAML AAI Demo (optional)
    If you are not yet familiar with the principle of federated identity management, you may have a look at our AAI demo page. This usually helps people who are new to SAML to understand some basics about federated identity management and how SAML works.

  2. Federation Interoperability Profiles
    Checkout these two documents from Kantara. If your SAML service provider uses software implemented according to the first document and you deployed it according to the second document, interoperability with the IdPs in the SWITCHaai federation will be no issue. Otherwise, it is unlikely that your SAML service provider will properly interoperate:
  3. Certificate
    In order to participate in SWITCHaai you need a certificate, used for the SAML communication. SWITCH recommends to use a self-signed certificate. Most X.509 certificates used for web servers can be used as well.
    For the details, check out the certificate acceptance rules.
    In case of questions, contact the SWITCHaai Team.

  4. Data protection
    AAI Attributes are the common basis on which two communicating entities are able to share information they know to interpret identically. The resource owner's first and foremost duty regarding attributes is privacy and data protection. For user privacy only request as few attributes as needed.

    For publishers, the attributes eduPersonEntitlement in combination with the IdP's EntityID or the swissEduPersonHomeOrganization should be sufficient in most cases.
    The attribute eduPersonEntitlement contains the value urn:mace:dir:entitlement:common-lib-terms for all university members authorized to access licensed content from publishers.

    For other Federation Partners, if you need a user identifier please use the persistent ID value you get with SAML persistent NameID. Attributes often needed to decide whether a person gets educational discount for a shop operator are the attributes swissEduPersonHomeOrganizationType and eduPersonAffiliation or eduPersonScopedAffiliation.
    If you have any questions regarding attributes or you think you require more attributes, please contact us.

  5. Installing a Shibboleth Service Provider (SP)
    SWITCH provides deployment guides to install Shibboleth for several platforms (Linux, Windows). You find them on the Service Provider Deployment page.
    They describe how to configure a Shibboleth Service Provider for the production SWITCHaai Federation.

  6. Register Resource
    Finally, the Resource has to be registered with the Resource Registry.
    In order to register with the Resource Registry, the technical contact person should self-register a personal SWITCH edu-ID account. Further technical contact persons can self-register their own personal accounts. The first administrator can invite them all to adopt the role as resource administrator to be able to further modify the Resource entry in the Resource Registry.
    Once the Resource is registered by this technical contact person and approved by the sponsoring SWITCHaai Participant from the SWITCH Community, the published metadata will contain a description of your Resource. Thus, all SWITCHaai Identity Providers will know the new Service Provider as soon as they refresh their metadata the next time. This happens once per hour.


If you have any questions or problems, feel free to contact us by email

Stay up-to-date

All administrators of Service Providers in the SWITCHaai federation are expected to subscribe to the AAI-Operations mailing list, where SWITCH is making announcements about important changes in the federation.
Furthermore, it can be useful to subscribe to the Shibboleth Announce mailing list, which is used by the members of the Shibboleth Project team to announce new releases or send out security advisories.