Getting Started: Setting up an edu-ID Service

1. Contractual Preparation

Each application that is included in the federation must prove that it offers added value to Swiss universities and that it fulfills the technical and legal conditions of the Switch edu-ID federation.

A new application can be added to the federation if the service is operated by a home organisation or a federation partner.

If none of the above applies, your organization must become a "federation partner basic" or "federation partner plus":
https://www.switch.ch/aai/join/partners/

During the subsequent registration of an application in the resource registry, the home organization or federation partner on whose behalf the service is being registered must be specified.

2. Protocol Choice and Prerequisites

SWITCH edu-ID is a service offering in the SWITCHaai federation. Currently edu-ID supports the SAML and the OpenID Connect (OIDC) protocol.


The instructions to set up a service for SAML can be found here:

Setting up a SAML Service in compliance with the Federation Technology Profiles

OpenID Connect support in the edu-ID service is currently limited compared to SAML, but will be extended continuously:

Setting up an OIDC Service

3. Attribute Model Choice

SWITCH edu-ID offers a very comprehensive data model in different variants.

The following overview lists each attribute model with its description and the configuration it requires for SAML and for OIDC.

Classic Attribute Model

Description: To access a service, a user chooses the home organization in the discovery service ("where are you from?"). The service receives an attribute assertion from the selected home organization. The assertion is compatible with traditional SWITCHaai assertions.

Only members of the selected home organization can authenticate and reach the service.

SAML: configure intended audience without private identities
OIDC: not supported

edu-ID only

Description: To access a service, the user directly authenticates (without choosing a home organization). The service receives an attribute assertion of the user's private identity, independent of any organizational affiliation.
Optionally, the service can determine organizational roles and email addresses by evaluating swissEduIDLinked* attributes.

All users with an edu-ID account can authenticate to the service. Access restrictions have to be implemented in the service.

SAML: configure intended audience: private identity
OIDC: require scopes profile, email, swissEduIDBase or swissEduIDExtended

Extended Attribute Model

Description: Like edu-ID only. Additional organizational affiliation attributes are fetched via the affiliation API.

SAML and OIDC: get additional attributes via the affiliation API with read-only permissions.
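In the edu-ID only model every edu-ID holder can authenticate, so the access restriction is the service's job. The following added example (not code from SWITCH or this page) shows a deny-by-default authorization check that evaluates linked affiliations from the assertion; it assumes the attribute name swissEduIDLinkedAffiliation with scoped "role@organization" values, and the user records are constructed sample data.

```python
from typing import Iterable, Mapping, Optional, Sequence, Tuple

# Attribute name assumed from the SWITCH edu-ID attribute specification;
# the page itself only refers to the swissEduIDLinked* attribute family.
LINKED_AFFILIATION_ATTR = "swissEduIDLinkedAffiliation"


def parse_scoped_affiliation(value: str) -> Optional[Tuple[str, str]]:
    """Split a scoped value such as 'staff@example-uni.ch' into (role, scope).

    Returns None for anything that is not exactly one non-empty role and
    one non-empty scope, so malformed values can never grant access.
    """
    parts = value.strip().split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0].lower(), parts[1].lower()


def is_authorized(
    attributes: Mapping[str, Sequence[str]],
    allowed_scopes: Iterable[str],
    allowed_roles: Iterable[str],
) -> bool:
    """Deny-by-default access check for the edu-ID only attribute model.

    A user is authorized only if at least one linked affiliation carries an
    allowed role at an allowed organization. The scope must match exactly;
    a suffix match would let 'evil-example-uni.ch' pass for 'example-uni.ch'.
    A private identity without linked affiliations is denied.
    """
    scopes = {s.lower() for s in allowed_scopes}
    roles = {r.lower() for r in allowed_roles}
    for raw in attributes.get(LINKED_AFFILIATION_ATTR, ()):
        parsed = parse_scoped_affiliation(raw)
        if parsed is None:
            continue  # ignore malformed values instead of guessing
        role, scope = parsed
        if role in roles and scope in scopes:
            return True
    return False


# Constructed sample attribute sets (not real edu-ID data): one user with
# two linked affiliations, one user with only a private identity.
STAFF_USER = {
    "mail": ["alice@example-uni.ch"],
    LINKED_AFFILIATION_ATTR: ["student@other-uni.ch", "staff@example-uni.ch"],
}
PRIVATE_ONLY_USER = {"mail": ["bob@example.org"]}
```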

4. Advanced Service Configuration

Options to enhance the service quality, usability or security