OIDC Affiliation Identity - Test
The edu-ID is introducing the Affiliation identity model for OIDC according to the RFC. The feature is not yet rolled out in the production federation, but can already be tested in the test federation.
This page provides a simple set of instructions such that you can test the feature yourself before production release.
Creating Test Account with Affiliations
In order to properly test the feature, you need an account in the edu-ID Test federation which you can create on https://test.eduid.ch if you don't have it yet. You can then add test affiliations to your account as described here.
Testing the flow with the Attribute Viewer
If you want to test the feature from an end-user's perspective, you can do so for instance on the attribute-viewer service, which can be used for testing what attributes are released in which case. Note that this client is configured to accept identities from each provider.
You can test a login with your test account by accessing the Expert View of the Attribute Viewer and in the Section "Login with OpenID Connect" clicking on "Login with SWITCH edu-ID Test". This will initialize a login in the Test Federation using OIDC.
After entering the credentials of your test account, you are asked to select the identity you want to use to access the service. If you don't have any affiliations, the personal identity is chosen automatically.
Afterwards, you will see the claims the service has received. They correspond to the identity that has been chosen.
Testing with your own client
If you want to test the feature from the perspective of a client, you can do so either by using an existing client of yours in the Test Federation or by creating a new one. The client can then be configured to only accept certain identities.
Register your client in the Resource Registry
If you need to register a new client, you can do that in the Resource Registry. Go to https://rr.aai.switch.ch/menu_res_options.php, click "Add a Resource Description" and choose "OpenID Connect resource". Make sure to choose "Switch edu-ID [Test]" as approving home organisation in the "Basic Resource Information" form so that it is registered in the Test Federation. Follow the whole registration process and read the instructions carefully. More information can also be found in our OIDC documentation with all its subpages.
Specifying intended audience
Configure which identities are allowed to access the client in the Resource Registry. You can then further filter them via a parameter in the authentication request.
In the Resource Registry
As is already the case for SAML, you can now specify intended audiences for your client in the form "7. Intended Audience and Expert Settings". Specify either organisationTypes which are allowed or not allowed, or configure individual organisations. You can only use organisations in the Test Federation. For testing, it is best to use the Demo organisations, for which you can create affiliations. In addition, include or exclude the personal identity.
Also check the attributes form. The edu-ID now supports all relevant claims for OIDC as well. Mark them as required if you want your client to receive them. You can find more details about the claims in our attribute specifications. Click on each attribute to check the details (such as its format and whether it is released as an array or a single value).
After all configuration is done, submit the client for approval, wait for the approval to be given and another 2h for the changes to be propagated to the edu-ID OpenID Provider. Afterwards, you can test the login from your client. Note that only the identities that you have allowed as intended audiences are shown.
Further filtering in the authentication request
The RFC specifies how a client can request certain identities in the authentication request. Please read section 3.4.2 of the RFC for details. If you strictly follow the specifications, only identities from one of the requested organisations can be selected at login.
Questions and Feedback
Please let us know about any feedback or questions you have by email to eduid-support@switch.ch.
Note that proper public documentation of the feature is in progress. It will be more high-level and less technical than the RFC itself and will be published as soon as the feature is also available in production.