A technical account is a SWITCH edu-ID account used primarily for testing, debugging or monitoring purposes. Once created, technical accounts can be managed like normal edu-ID user accounts. They differ from normal accounts as follows:
- they should not represent real persons
- they are owned by an organisation and are created by administrators of the organisation
- their identifier attribute values (swissEduPersonUniqueID, swissEduID) start with '0000'
- they have an eduPersonEntitlement value of the form
where homeOrgName represents the scope of the home organisation responsible for the account according to its swissEduPersonHomeOrganisation value. Examples:
https://eduid.ch/spec/technical-account/#ethz.ch
https://eduid.ch/spec/technical-account/#unil.ch
This attribute is released to every service, even if this attribute is not requested. This ensures that services know that this is a technical account even if they don't process the swissEduPersonHomeOrganisation attribute.
Please note that the entitlement value is automatically released for the personal part of a technical account only. If a technical account is linked with an organisational affiliation and this affiliation is then used to access a service, the entitlement is not added to the set of available attributes. If the entitlement is required in the affiliation, it has to be provisioned by the organisation via the affiliation update mechanism.
- the administrators and the organisation owning the technical account are responsible and liable for the technical account's use
- the duplicate prevention processes are disabled for technical accounts. Technical accounts are never automatically merged.
Please also note that technical edu-ID accounts:
- must always have a primary e-mail address for which e-mail messages are read. This ensures that the owners of a technical account can be contacted
- consist primarily of a private edu-ID account. If organisation affiliations/identities are linked to a technical account, the organisation whose affiliation was linked is also fully responsible for the use of this linked affiliation/identity
- must only be used to access services whose administrators have in advance been informed about the existence of this technical account
- are reviewed twice a year by the home organisation administrators of the organisation owning them
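The following is an added example, not code from SWITCH or the edu-ID project: a service-side check that flags a technical account from the released attributes, using the entitlement form and the '0000' identifier prefix described above. The attribute dictionary shape, the announced_ids allow-list, the finding names and the assumption that identifier values are still released when an affiliation is used are all assumptions made for illustration.

```python
ENTITLEMENT_PREFIX = "https://eduid.ch/spec/technical-account/#"
ID_ATTRIBUTES = ("swissEduPersonUniqueID", "swissEduID")


def classify(attrs, announced_ids=frozenset()):
    """Classify released attributes, given as {name: [values]} (assumed shape).

    announced_ids is a hypothetical local allow-list of swissEduID values
    that the owning organisation announced to this service in advance.
    """
    scopes = [v[len(ENTITLEMENT_PREFIX):]
              for v in attrs.get("eduPersonEntitlement", [])
              if v.startswith(ENTITLEMENT_PREFIX) and len(v) > len(ENTITLEMENT_PREFIX)]
    ids = [v for name in ID_ATTRIBUTES for v in attrs.get(name, [])]
    prefixed = any(v.startswith("0000") for v in ids)
    technical = bool(scopes) or prefixed
    findings = []
    if prefixed and not scopes:
        # Seen when an organisational affiliation is used for login: the
        # entitlement is released for the personal part only.
        findings.append("entitlement-missing")
    if scopes and ids and not prefixed:
        findings.append("identifier-prefix-missing")
    if technical and not set(attrs.get("swissEduID", [])) & set(announced_ids):
        findings.append("not-announced")
    return {"technical": technical, "scopes": scopes, "findings": findings}


# Constructed sample attribute sets (not real accounts).
PERSONAL = {
    "swissEduID": ["0000aaaa-1111-2222-3333-444455556666"],
    "swissEduPersonUniqueID": ["0000123456789@eduid.ch"],
    "eduPersonEntitlement": [ENTITLEMENT_PREFIX + "ethz.ch"],
}
VIA_AFFILIATION = {  # entitlement not provisioned by the organisation
    "swissEduID": ["0000aaaa-1111-2222-3333-444455556666"],
    "eduPersonEntitlement": ["urn:example:constructed-entitlement"],
}
NORMAL_USER = {"swissEduID": ["7f3c9d2e-1111-2222-3333-444455556666"]}

if __name__ == "__main__":
    allow = {"0000aaaa-1111-2222-3333-444455556666"}
    for name, attrs in [("personal", PERSONAL), ("affiliation", VIA_AFFILIATION),
                        ("normal", NORMAL_USER)]:
        print(name, classify(attrs, allow))
```

A session flagged "not-announced" is a technical account the service was not told about in advance and is a candidate for review with the owning organisation.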
Managing technical accounts
Technical accounts can be created only by organisation administrators of a SWITCHaai member organisation. Most functions and features can be managed either via the web interface or via the Users API:
- The web interface is available on the edu-ID Organisation Administration Interface.
- The Users API allows technical accounts to be managed programmatically.
Protecting technical accounts
We recommend using Two-Step Login with an authenticator app for technical accounts.
It's easy to handle multiple accounts in an authenticator app. Give a descriptive name to the corresponding profile in the app before adding the next profile/account.
Restricting technical accounts
Read only accounts
Organisation administrators can configure technical accounts so that they can no longer be modified by somebody who has credentials for the account. Such read-only accounts can be used to access services, but their user data cannot be modified via the edu-ID account management.
Restrict permitted service providers
Organisation administrators can restrict the access of technical accounts to a set of permitted service providers. To restrict access, a list of the entity-IDs of the permitted services has to be defined.