Affiliation Chooser

An edu-ID identity always consists of the personal part of the identity, which is managed and controlled by the user.

If a user is a member of a university, the university adds an affiliation. If the person is also a member of another university or organization, more affiliations can be added. The person may end up with the example below, where she has two affiliations from two universities in addition to the personal part of the identity.

Example of an identity with two current affiliations.

Most services only support the classic edu-ID attribute model. Such services can only interpret one affiliation at a time. If a user who wants to access a classic service has more than one current affiliation, the affiliation chooser is automatically activated.

The affiliation chooser presents a choice of the affiliations the service is compatible with. The choice may also include the personal part of the edu-ID identity, which a service can interpret like a common classic affiliation.

After the user has chosen an affiliation (ZHAW in the example above), the IdP generates the related attribute assertion and sends it to the service.

Example of the affiliation chooser user interface with two current affiliations.

In many cases a user will not see the affiliation chooser. The IdP collects as much contextual information as possible to make the correct affiliation choice on behalf of the user, or to reduce the number of options to choose from. The following hints are used by the IdP:

  • The user's choice of an organization in the discovery service
  • The SP configuration "intended audience"

The affiliation chooser is shown after authentication if all of the following conditions apply:

  1. The user's organisation has adopted edu-ID. Only then can users log in to edu-ID using their organisation identity.
  2. More than one identity could be used to access the service, e.g. the private identity and a ZHAW identity.
  3. The user chose “SWITCH edu-ID” on the Discovery Service/WAYF. If an organisation (e.g. ZHAW) is chosen, the affiliation chooser is skipped unless the user has multiple ZHAW identities.

Affiliation Chooser Example Scenarios

SP requires an organizational affiliation (most typical case)

In this most typical case the user has one organizational affiliation. The service is configured to require organizational affiliations (members only configuration). In this case, the affiliation chooser is not displayed because the private part of the identity is not eligible to access the service.

SP requires one affiliation - User has 2 affiliations

In this case the user has more than one organizational affiliation. The service is configured to require organizational affiliations (members only configuration). The user chooses the affiliation to be used for the service.

All users can access the SP

In this case the service is configured to accept private users without affiliation as well as those with organizational affiliations (all users configuration). In this case, the user chooses the affiliation to be used for the service - either a current affiliation or the private part of the identity.

SP requires one affiliation - user has no affiliation

The service is configured to require organizational affiliations (members only configuration) but the user has no affiliation. An error message is displayed and the user can't proceed to the service.

SP requires a simple, private edu-ID identity

Here the service is configured to get only the personal part of the identity (classic edu-ID only configuration). No matter how many affiliations the user has, the affiliation chooser is never displayed.

The SP supports the extended attribute model

In this case the SP supports the extended attribute model. Such a service is able to interpret and process the personal part of edu-ID identities and 0, 1 or more current affiliations (extended model configuration). For extended model services, the affiliation chooser is never displayed.
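
The scenarios above reduce to one decision over the SP configuration, the user's current affiliations and the WAYF choice, and that decision determines which identity's attributes end up in the assertion. The following Python model is an added example, not code from the edu-ID IdP. `SPConfig`, `decide`, the tuple representation and the organisation "Uni B" are assumptions made for illustration, and the "intended audience" hint is not modelled.

```python
from enum import Enum

class SPConfig(Enum):            # the four SP configurations named on this page
    MEMBERS_ONLY = "members only"
    ALL_USERS = "all users"
    CLASSIC_ONLY = "classic edu-ID only"
    EXTENDED = "extended model"

PRIVATE = ("edu-ID", "private")  # personal part of the identity (constructed label)
EDU_ID = "SWITCH edu-ID"         # WAYF entry for edu-ID itself

def decide(sp_config, affiliations, wayf_choice=EDU_ID):
    """Return (action, identities); action is 'release', 'choose' or 'error'.

    affiliations: (organisation, role) tuples. Assumption: they are current and
    come from organisations that have adopted edu-ID (condition 1).
    """
    if sp_config is SPConfig.EXTENDED:
        # One assertion carries the personal part plus 0, 1 or more affiliations.
        return "release", [PRIVATE, *affiliations]
    if sp_config is SPConfig.CLASSIC_ONLY:
        return "release", [PRIVATE]

    candidates = list(affiliations)
    if sp_config is SPConfig.ALL_USERS:
        candidates.append(PRIVATE)
    if not candidates:
        return "error", []       # members-only service, user has no affiliation

    if wayf_choice != EDU_ID:
        # Discovery hint: keep only identities of the organisation picked on the
        # WAYF. Assumption: a hint that matches nothing is ignored.
        candidates = [c for c in candidates if c[0] == wayf_choice] or candidates

    if len(candidates) == 1:
        return "release", candidates   # nothing to choose, chooser is skipped
    return "choose", candidates

if __name__ == "__main__":
    zhaw, other = ("ZHAW", "staff"), ("Uni B", "student")  # constructed sample data
    for cfg in SPConfig:
        print(cfg.value, "->", decide(cfg, [zhaw, other]))
```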

...