Affiliation Chooser
An edu-ID identity always consists of the personal part of the identity, the private identity. It is managed and controlled by the user.
If a user is a member of a university, the user can add an affiliation (i.e. an organisation identity), which is managed by the organisation. If the person is also a member of another organisation, more affiliations can be added. The person may end up with the example below, where she has two affiliations from two universities in addition to the private identity.
Example of a user with two affiliations.
Most services support the classic edu-ID attribute model. Such services can only interpret one affiliation at a time. If a user with several eligible affiliations wants to access a classic service, the affiliation chooser is automatically activated.
The affiliation chooser presents a choice of the affiliations the service accepts. The choice may also include the user's private identity, which the service then interprets like a common classic affiliation.
After the user has chosen an affiliation (ZHAW in the example above), the Identity Provider generates an attribute assertion with that affiliation's data and sends it to the service.
Example of the affiliation chooser user interface with two affiliations and the private identity
In many cases a user will not see the affiliation chooser. The IdP collects all relevant contextual information to present the correct affiliation choice on behalf of the user, or to reduce the number of options to choose from. The following hints are used by the IdP:
- The user's choice of an organization in the discovery service
- The service's "intended audience" settings from the Resource Registry
The affiliation chooser is shown after authentication if the following conditions apply:
- The user's organisation has adopted edu-ID. Only then can users log in to edu-ID with an organisation identity.
- The user chooses "Switch edu-ID" on the Discovery Service/WAYF. If an organisation (e.g. ZHAW) is chosen instead, the affiliation chooser is skipped unless the user has multiple ZHAW identities.
- More than one identity is eligible to access the service: either the service accepts affiliations (organisation identities) as well as private identities, or the user has several affiliations that are allowed to access the service.
Affiliation Chooser Example Scenarios
Service requires an affiliation
In this most typical case the user has a single affiliation. The service is configured to require affiliations (members only configuration). The affiliation chooser is not displayed because the private identity is not eligible to access the service.
Service requires an affiliation - User has two affiliations
In this case the user has more than one affiliation. The service is configured to require affiliations (members only configuration). The user chooses the affiliation to be used for the service.
All users can access the service
In this case the service is configured to accept private identities without affiliation as well as users with affiliations (all users configuration). The user chooses the affiliation to be used to access the service - either an affiliation or the private identity.
Note: Services can define a setting in the Resource Registry to make an automatic choice if the user selected "Switch edu-ID" in the WAYF. The affiliation chooser is then not shown. The following options for this setting exist:
Case 1 - Prefer the organisational affiliation
If a user has exactly one affiliation, this one is automatically selected for login with this setting. The private identity is only selected if the user has no affiliations.
The use case for this setting is a service that should also be accessible by private persons. Persons at an organization who select edu-ID in the WAYF should not be confused with an affiliation chooser; their organisational identity takes precedence and is automatically chosen.
Configure this setting in the Resource Registry > select the service > 7. Intended Audience and Expert Settings > Dropdown "Identity Selection" > Prefer organisation identity.
Case 2 - Prefer the private identity / Disable affiliation chooser
In this case the service supports the classic attribute model. For users who select an organisation in the WAYF, the corresponding affiliation is selected. For users who select "Switch edu-ID" in the WAYF, no affiliation chooser is displayed and the private identity is automatically selected. The affiliation chooser is thus effectively disabled, and the affiliation choice takes place in the WAYF.
The use case is that some services don't support attribute assertions coming from another IdP than the user was redirected to.
Configure this setting in the Resource Registry > select the service > 7. Intended Audience and Expert Settings > Dropdown "Identity Selection" > "Prefer private identity".
Service requires one affiliation - User has no affiliation
The service requires an affiliation (members only configuration), but the user has no affiliation or none from the required organisation. An error message is then displayed and the user cannot access the service.
Service requires a private identity
In this case the service can be accessed with the private identity only (classic edu-ID only configuration). No matter how many affiliations the user has, the affiliation chooser is never displayed.
Service supports the extended attribute model
In this case the service supports the extended attribute model. Such a service is able to interpret and process the personal part of edu-ID identities and zero, one or more affiliations (extended model configuration). For extended model services, the affiliation chooser is never displayed.
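The scenarios above, condensed into a small decision model as an added illustration; this is not SWITCH edu-ID's own code, and the audience labels, the "Identity Selection" values, the Affiliation class and the accepted_orgs filter are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the decision rules described on this page (assumption: not
# SWITCH edu-ID's own code; audience and setting names are invented labels).
PRIVATE = "private"              # the user's private edu-ID identity
SWITCH_EDU_ID = "Switch edu-ID"  # the WAYF entry that is not an organisation

@dataclass(frozen=True)
class Affiliation:
    org: str                     # organisation that manages this identity, e.g. "ZHAW"
    label: str = "member"        # distinguishes several identities at the same org

@dataclass
class ServiceConfig:
    audience: str                # "members_only", "all_users", "classic_only", "extended"
    identity_selection: Optional[str] = None   # None, "prefer_org" or "prefer_private"
    accepted_orgs: Optional[frozenset] = None  # None means every organisation is accepted

def eligible(service, affiliations):
    """Identities the service would accept, before any WAYF or setting hints."""
    orgs = [a for a in affiliations
            if service.accepted_orgs is None or a.org in service.accepted_orgs]
    if service.audience == "members_only":
        return orgs
    if service.audience == "classic_only":
        return [PRIVATE]
    return orgs + [PRIVATE]                      # all_users

def decide(service, affiliations, wayf_choice):
    """Return ("auto", identity), ("chooser", options) or ("error", message)."""
    if service.audience == "extended":
        # Extended-model services get the private part plus every affiliation; no chooser.
        return ("auto", [PRIVATE] + list(affiliations))
    options = eligible(service, affiliations)
    if wayf_choice != SWITCH_EDU_ID:
        # Hint: an organisation chosen in the WAYF limits the choice to that organisation.
        options = [o for o in options if o != PRIVATE and o.org == wayf_choice]
    elif service.identity_selection == "prefer_org":
        orgs = [o for o in options if o != PRIVATE]
        if len(orgs) == 1:
            options = orgs                       # exactly one affiliation: take it
        elif not orgs and PRIVATE in options:
            options = [PRIVATE]                  # no affiliation: fall back to private
    elif service.identity_selection == "prefer_private" and PRIVATE in options:
        options = [PRIVATE]                      # chooser disabled; choice was made in WAYF
    if not options:
        return ("error", "no eligible identity for this service")
    if len(options) == 1:
        return ("auto", options[0])
    return ("chooser", options)
```

A user with two identities at the same organisation still reaches the chooser even after picking that organisation in the WAYF, matching the exception noted above.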
...