Organizational Registration Service

This is a more detailed description of the organizational registration service.

To set up an organizational registration service an organization basically needs to implement the two web pages

  • welcome
  • registration

Page welcome

  • This page is usually not protected and accessible for the public.
  • The user is asked to initiate the linking process. The basic message is:
    To register at this university you need a SWITCH edu-ID account. By klicking 'continue' you will be asked to log in with your SWITCH edu-ID. If you don't already have a SWITCH edu-ID you can create one one the fly.
    'Continue': link to registration.

After clicking continue, the following happens from the user's perspective. The user is asked to log in with the edu-ID. If the user has no edu-ID he or she can create one on the fly. Finally the user will be asked permission to send the personal edu-ID data back to the page registration. All these processes are handled by the edu-ID service.

Page registration

  • This page is only accessible if the user was able to log in with his or her SWITCH edu-ID account. This can be enforced in various ways:
    • the page is a protected page in a shibboleth service provider. See SWITCHaai SP set-up and configuration guide.
    • the page is a protected ADFS resource and configured for SAML.
    • the page is a protected resource using other SAML implementations.
  • Since the user is identified by edu-ID, the page has access to the assertion of a valid shibboleth session.
  • Store the edu-ID identifier (swissEduID) that comes with the shibboleth session in the registration application.
  • The user can now continue with the registration by filling in a registration form, uploading an application etc.


  • The registration page should be configured
    • to accept only the personal part of a edu-ID identity.
    • to require the Attribute swissEduID. Send a email to to have the attribute activated by SWITCH staff.
    • to enforce re-authentication for each access (=disable SSO). This is to avoid problems of users sharing the same computer/browser.
  • Typically, the bidirectional linking by creating an affiliation through the affiliation API is done at a later time after the user has completed the admission process at the university.