edu-ID Login Process

One of the key functions of an identity federation is that services do not authenticate their users themselves. Authentication is delegated from the service to the IdP.


edu-ID Authentication Flow


If a user wants to access a service, the following steps take place:

  1. Depending on the configuration of the service, a discovery service is presented to the user. The user selects the IdP at which the login procedure proceeds.
    In the long run, when most Swiss universities have integrated SWITCH edu-ID, the discovery service will become partially obsolete or may be integrated into the edu-ID IdP.
  2. When a user is redirected to the edu-ID IdP, the first thing she has to do is to verify her identity by authenticating.
    If the user already has a valid session, this step may be skipped thanks to the single sign on (SSO) mechanism.
  3. Depending on various conditions (service configuration, user settings, session state etc.), strong authentication may be required. In such a case, the user may be required to apply two-step login (two- or multi-factor authentication).
  4. If a user has multiple affiliations, she may be asked to select one of her affiliations in the affiliation chooser before proceeding to the service.
  5. Before any user information is sent to the service, the user is asked for her consent. The user can disable this step per service.
  6. Based on various criteria, the user may be prompted to read some information, to complete her account or to perform another action.

All of the steps described above are potentially optional. It is not unusual for a user to reach a service directly, without any IdP interaction, because steps 1 to 5 are either skipped or implicitly completed by the IdP.
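The following is an added illustration of how the six steps above combine; it is example code written for this page, not SWITCH's implementation. It models the decision the IdP has to make for every request (which interactive steps are still required, given the service configuration, the user's settings and the current session) and shows the SSO case in which the user reaches the service with no IdP interaction at all. The field names (`preselected_idp`, `requires_strong_auth`, `wants_strong_auth`, `consent_disabled_for`, `pending_notices`, `strong`) and the rule that a session established with a single factor must be stepped up when strong authentication is required are assumptions made for this model.

```python
"""Model of which edu-ID login steps a user sees.

Added example, not SWITCH's code. It encodes the six steps from the text as a
decision pipeline; all field names and the concrete rules are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Service:
    entity_id: str
    # assumption: a service may skip discovery by pointing directly at one IdP
    preselected_idp: Optional[str] = None
    # assumption: the service configuration may demand strong authentication
    requires_strong_auth: bool = False


@dataclass
class User:
    affiliations: List[str]
    # assumption: a user setting that always demands two-step login
    wants_strong_auth: bool = False
    # assumption: entity IDs of services for which the user disabled consent (step 5)
    consent_disabled_for: Set[str] = field(default_factory=set)
    # assumption: outstanding notices the IdP wants the user to read (step 6)
    pending_notices: List[str] = field(default_factory=list)


@dataclass
class Session:
    valid: bool = False   # an existing SSO session lets the user skip step 2
    strong: bool = False  # assumption: whether this session already used two-step login


def plan_login_steps(service: Service, user: User, session: Session) -> List[str]:
    """Return the interactive steps still required, in the order of the text."""
    steps = []
    # 1. discovery is only needed if the service did not preselect an IdP
    if service.preselected_idp is None:
        steps.append("1 discovery")
    # 2. authentication is skipped when a valid SSO session exists
    if not session.valid:
        steps.append("2 authenticate")
    # 3. strong authentication: service config or user setting, unless the
    #    session is already strong (assumption: single-factor sessions are stepped up)
    needs_strong = service.requires_strong_auth or user.wants_strong_auth
    if needs_strong and not session.strong:
        steps.append("3 two-step login")
    # 4. affiliation chooser only when the user has more than one affiliation
    if len(user.affiliations) > 1:
        steps.append("4 affiliation chooser")
    # 5. consent unless the user disabled it for this particular service
    if service.entity_id not in user.consent_disabled_for:
        steps.append("5 consent")
    # 6. notifications, if any are pending
    if user.pending_notices:
        steps.append("6 notification")
    return steps


def reaches_service_directly(service: Service, user: User, session: Session) -> bool:
    """True when steps 1 to 5 are all skipped, i.e. no IdP interaction is needed."""
    return all(not s.startswith(("1", "2", "3", "4", "5"))
               for s in plan_login_steps(service, user, session))


if __name__ == "__main__":
    # constructed sample scenarios
    sp = Service(entity_id="https://sp.example.org/shibboleth")  # placeholder entity ID
    alice = User(affiliations=["uni-a"])
    print("first visit:", plan_login_steps(sp, alice, Session()))
    trusted = Service(entity_id=sp.entity_id, preselected_idp="edu-id")
    alice.consent_disabled_for.add(sp.entity_id)
    print("returning, SSO:", plan_login_steps(trusted, alice, Session(valid=True)))
```

Running the module prints the full step list for a first visit and an empty list for the returning user with a valid session, a preselected IdP and consent disabled, which is exactly the "direct access" situation the last paragraph describes. A service that requires strong authentication still forces step 3 even on a valid single-factor session, so a valid SSO session is not by itself sufficient for such services.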