Services who use Switch edu-ID for authentication are set up and configured as any other service in the SWITCH aai federation. Follow the guidelines for OpenID Connect and SAML services.
The "intended audience" setting for an SP in the resource registry allows to include or exclude users of an entire organization on the level of an IdP. With SWITCHaai this was an intuitive setting. With SWITCH edu-ID this has become more tricky because an edu-ID account may contain one or more organizational aai accounts. The examples below should illustrate a few typical inclusion/exclusion scenarios.
Note that these intended audience settings are rather coarse access rules. If a user gets through to an SP because he or she belongs to the intended audience, the SP may still refuse access based on more fine grained rules evaluating user attributes.
This case especially applies to existing services already supporting SWITCHaai. Such services usually don't need to change their configuration to support edu-ID.
In this configuration scenario, in order to get access to an SP a user has to be a member of an organization. It is irrelevant whether the organization has already integrated the edu-ID (edu-ID adopted) or not (SWITCHaai).
The following users are permitted to access the service:
The following users are excluded from the service:
Typical examples for SPs with this intended audience:
Setting in the resource registry:
In this configuration scenario only users get access to an SP who have an edu-ID account. Regardless of whether the user has an affiliation with an organization or not - the SP recieves the attributes of the personal part of an edu-ID identity.
The following users are permitted to access the service:
The following users are kind-of excluded from the service:
Typical examples for SPs with this intended audience:
Setting in the resource registry:
Since the selection of an IdP for the user is not required for login, the discovery service (WAYF) should be deactivated. This can be done with the following setting in the shibboleth2.xml configuration file in the <SSO> Element:
<SSO entityID="https://eduid.ch/idp/shibboleth">
SAML2
</SSO>
For edu-ID only services it is recommended to use one of the official edu-ID login button designs.
Optionally, an SP can get limited affiliation information by requiring some of the following attributes:
To use one or more of the above attributes, you need to add them to the configuration file attribute-map.xml of your Shibboleth SP:
<!-- SWITCH edu-ID Linked Affiliation -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1029" id="swissEduIDLinkedAffiliation"/>
<!-- SWITCH edu-ID Linked Affiliation E-Mail -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1031" id="swissEduIDLinkedAffiliationMail"/>
<!-- SWITCH edu-ID Linked Affiliation Unique ID -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1032" id="swissEduIDLinkedAffiliationUniqueID"/>
Furthermore, you need to notify the SWITCH edu-ID Team at eduid-support@switch.ch to get these attributes.
The extended attribute model consists of SWITCHaai attributes that contain extensive information about linked affiliations.
An extended model service is configured the same as with the edu-ID only configuration. The SP gets additional affiliation information via the backchannel by accessing the affiliation API.
In this configuration configuration scenario users are accepted as well as users who are members of an organization.
Typical examples for SPs with this intended audience:
Setting in the resource registry: