Getting Started: Setting up an edu-ID Service
1. Contractual Preparation
Each application that is included in the federation must prove that it offers added value to Swiss universities and that it fulfills the technical and legal conditions of the Switch edu-ID federation.
New application can be added to the federation if the service is operated by a home organisation or a federation partner.
If none of the above applies your organization must become a "federation partner basic" or "federation partner plus".
https://www.switch.ch/aai/join/partners/
During the subsequent registration of an application in the resource registry, the home organization or federation partner on whose behalf the service is being registered must be specified.
2. Protocol Choice and Prerequisites
SWITCH edu-ID is a service offering in the SWITCHaai federation. Currently edu-ID supports the SAML and the OpenID Connect (OIDC) protocol.
SAML | OpenID Connect (OIDC) |
---|---|
The instructions to set up a service for SAML can be found here: Setting up a SAML Service in compliance with the Federation Technology Profiles |
OpenID Connect support in edu-ID service is currently limited compared to SAML, but will be continuously extended in the future: |
3. Attribute Model Choice
SWITCH edu-ID offers a very comprehensive data model in different variants.
Description | SAML | OIDC | |
---|---|---|---|
Classic Attribute Model |
To access a service, a user chooses the home organization in the discovery service ("were are you from?"). The service receives an attribute assertion from the selected home organization. The assertion is compatible with traditional SWITCHaai assertions. Only members of the selcted home organization can authenticate and reach the service. |
configure intended audience without private identities | (not supported) |
edu-ID only |
To access a service, the user directly authenticates (without choosing a home organization). The service receives an attribute assertion of the user's private identity, independent of any organizational affiliation. All users with an edu-ID account can authenticate to the service. Access restrictions have to be implemented in the service. |
configure intended audience: private identity | require scopes profile, email, swissEduIDBase or swissEduIDExtended |
Extended Attribute Model | Like edu-ID only. Additional organizational affiliation attributes are fetched via affiliation API. | Get additional attributes via affiliation API with read-only permissions. |
4. Advanced Service Configuration
Options to enhance the service quality, usability or security
- Check the edu-ID design guidelines
- Require 2-Step Login (MFA)
- Receive notifications when user accounts were updated