Extended Attribute Model

With the classic attribute model a service can get one part of an edu-ID identity at a time. There may be cases where a service requires extensive attribute information from multiple home organizations simultaneously. In such cases, a service can be configured for the edu-ID only model and additional attribute information is collected through the affiliation API.

Getting more attributes via Affiliation API (backchannel)

If a service needs access to more attributes from current affilations (the red dashed boxes in the diagram), the procedure is as follows:

  • from the list of organizational unique-IDs (swissEduIDLinkedAffiliationUniqueID) the service extracts the individual unique-IDs
  • for each organizational unique-ID the service requests the attributes of the associated current affiliation by issuing a GET request on the affiliation API

Currently, accessing the attributes in former affiliations is not supported.

Important note: Backchannel access is 1) exclusively available to services operated by swiss higher education organizations, and 2) only if no alternative approaches exist. SWITCH reviews each request to use the backchannel, and reserves the right to deny access to the backchannel.

Usage policy for services with extended attribute model

Backchannel attribute requests may take place out-of-band without user interaction which means that the IdP can't ask for a user's consent before sending attributes to the service.
Such services are therefore obliged to request and obtain the consent of the end user about the recurring transfer of their data from the SWITCH edu-ID IdP (e.g. in their own terms of use).
The SP operators are obliged to inform the end user that they will query or update their data without the end user being online or involved.
SWITCH grants access to an API for such a purpose only to services that meet these requirement (according to the Service Description).