Architecture and basic concepts

The SWITCH edu-ID implements an identity federation. Its purpose is to promote cooperation between universities in Switzerland and with university-related partners. Switch edu-ID provides a digital identity to university members (students, staff and teachers) and also to users without university affiliation, such as university guests, alumni, further education students, private library users, or event participants. With a Switch edu-ID identity a user may access any service in the federation, under the condition that the service provider allows the use by defining appropriate access rules.

[Figure: eduid-federation-big-picture]

Join the federation

New participants in the federation are admitted by the Swiss universities and by Switch. The main criterion for admission is the creation of added value for the Swiss university community.

  • Service providers can join the federation to offer their services to students and employees of universities as well as to private individuals without university affiliation.
    To join as service provider follow these steps.
  • Universities and other educational organizations can join the edu-ID federation to provide their members with technical access to the services in the federation. Joining as an organization requires a technical integration on the level of the identity management. Depending on the type of organization, costs may be incurred.
    It should be noted that by joining the federation, the organization members receive an edu-ID account. This does not automatically include the authorization to use all services in the federation. Service providers independently determine which persons are authorized to use the service. In particular, it may be necessary to sign a bilateral usage agreement with a service provider.
    To join as organization with members follow these steps.

Identity and Affiliations

In edu-ID, a user manages her own private edu-ID account. When a user becomes a member of a university, an affiliation is added to the edu-ID account. A user may have more than one current affiliation, or none at all. The personal part of an edu-ID account is persistent, and remains under the control of its owner for the entire lifetime.

[Figure: identity-schema]

In the example above, the user has two current university affiliations which are associated to the personal part of the edu-ID identity.

Technical Setup

The SWITCH edu-ID user directory contains the user-managed attributes, as well as affiliation attributes that indicate with which universities the user is currently affiliated. When a new user is registered at a university, an organisational account is created and linked to the edu-ID. The organisational identity management (IdM) system notifies the edu-ID service, which updates the affiliation attributes. The notification and attribute exchange between organisation and edu-ID uses either provisioning via the Affiliations API (the push interface) or the Attribute Provider (the pull interface). Likewise, the affiliations are updated when a user leaves a university.

To access a service provider, a user authenticates at the central SWITCH edu-ID IdP. The user-managed attributes and the affiliation attributes from all organisations with which the user is currently affiliated are collected. The attributes are then filtered and reduced to the needs of the service and to the set of permitted attributes as defined by the university. Finally, with the user's consent, the attributes are delivered to the service.
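The collect, filter and consent steps just described can be modelled in a few lines. The following Python is an added example and not SWITCH's own code; the attribute names, organisation names and per-university release policies in it are constructed for illustration and are not the edu-ID directory's schema. It also shows the case from the next paragraph, a user whose affiliations have all ended but whose personal part is still released.

```python
# Added example (not SWITCH's own code): a model of the edu-ID attribute
# release flow. Attribute names, organisation names and policies are
# constructed for illustration; they are not the edu-ID directory's schema.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Affiliation:
    org: str                          # organisation whose IdM provisioned these attributes
    attributes: Dict[str, List[str]]  # affiliation attributes (multi-valued)


@dataclass
class EduIdAccount:
    personal: Dict[str, List[str]]    # user-managed part; persists after affiliations end
    affiliations: List[Affiliation] = field(default_factory=list)


class ConsentDenied(Exception):
    """Raised when the user does not consent to the proposed release."""


def aggregate(account: EduIdAccount) -> Dict[str, List[Tuple[str, str]]]:
    """Collect every attribute value together with its source:
    'user' for the user-managed part, otherwise the asserting organisation."""
    merged: Dict[str, List[Tuple[str, str]]] = {}
    for name, values in account.personal.items():
        merged.setdefault(name, []).extend((v, "user") for v in values)
    for aff in account.affiliations:
        for name, values in aff.attributes.items():
            merged.setdefault(name, []).extend((v, aff.org) for v in values)
    return merged


def filter_for_service(aggregated: Dict[str, List[Tuple[str, str]]],
                       required: List[str],
                       org_policy: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Reduce to what the service needs. An organisation-asserted value is
    released only if that organisation lists the attribute as permitted;
    anything not in `required` is dropped regardless of source."""
    released: Dict[str, List[str]] = {}
    for name in required:
        kept = [value for value, source in aggregated.get(name, [])
                if source == "user" or name in org_policy.get(source, set())]
        if kept:
            released[name] = list(dict.fromkeys(kept))  # dedupe, keep order
    return released


def release_to_service(account: EduIdAccount, required: List[str],
                       org_policy: Dict[str, Set[str]],
                       consent: Callable[[Dict[str, List[str]]], bool]) -> Dict[str, List[str]]:
    """Full flow: aggregate, filter, then ask the user before delivering."""
    proposed = filter_for_service(aggregate(account), required, org_policy)
    if not consent(proposed):
        raise ConsentDenied("user declined the attribute release")
    return proposed


# Constructed sample data: a user with two current affiliations.
ALICE = EduIdAccount(
    personal={"mail": ["alice@example.org"], "displayName": ["Alice Example"]},
    affiliations=[
        Affiliation("uni-a", {"eduPersonAffiliation": ["student"], "mail": ["alice@uni-a.example"]}),
        Affiliation("uni-b", {"eduPersonAffiliation": ["staff"], "employeeNumber": ["4711"]}),
    ],
)
SERVICE_NEEDS = ["displayName", "eduPersonAffiliation", "employeeNumber", "mail"]
# Hypothetical per-university release policies towards this service.
ORG_POLICY = {"uni-a": {"eduPersonAffiliation", "mail"}, "uni-b": {"eduPersonAffiliation"}}


def example_release() -> Dict[str, List[str]]:
    """Alice consents; employeeNumber is held back because uni-b does not permit it."""
    return release_to_service(ALICE, SERVICE_NEEDS, ORG_POLICY, consent=lambda _: True)


def example_after_leaving() -> Dict[str, List[str]]:
    """Same user after both affiliations ended: only the personal part remains."""
    former = EduIdAccount(personal=ALICE.personal, affiliations=[])
    return release_to_service(former, SERVICE_NEEDS, ORG_POLICY, consent=lambda _: True)


def example_denied() -> bool:
    """True when a declined consent blocks the release entirely."""
    try:
        release_to_service(ALICE, SERVICE_NEEDS, ORG_POLICY, consent=lambda _: False)
    except ConsentDenied:
        return True
    return False


if __name__ == "__main__":
    print(example_release())
    print(example_after_leaving())
```

Two design points worth noticing: the service's required list is applied first, so an attribute no service asked for never leaves the directory even if a university would permit it; and each organisation's policy applies only to values it asserted, so a second affiliation cannot widen what the first one allowed.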

A user who has left a university and who has no further current affiliation with another university keeps the personal, user managed part of a SWITCH edu-ID identity. Although many services will require users with a current affiliation with a university, an increasing number of services will be open to people who are neither student nor university staff.

Federation Architecture: Hybrid

According to the federation architecture definitions, edu-ID implements a hybrid architecture.

[Figure: hybrid-architecture]

SWITCH edu-ID is a full-mesh architecture

  • from the point of view of services in classic mode, since the edu-ID IdP presents itself to them as the IdP of the organization that the user chose in the discovery service.
  • towards interfederation. Each organisation hosted on edu-ID is reflected as individual IdP in the interfederation.

SWITCH edu-ID is a hub-and-spoke architecture

  • from the point of view of services in extended mode, since they get attribute assertions from a single IdP.
  • for users, because they always see the same edu-ID login window.
  • for organizations, which synchronize their affiliation data to one central edu-ID service.