Managing affiliations
In order to integrate edu-ID with an organization affiliations (identified by the organizational unique identifier) and their associated attributes have to be synchronized with the user's edu-ID identites.
When a user accesses a service provider, the edu-ID IdP must be able to deliver up-to-date organizational attribute information for that user. Therefore an organization synchronizes the complete set of orgnizational attributes to edu-ID via the push or pull method.
Updating the Affiliation Status of Organization Members
The edu-ID service supports the Push Method via SCIM API or the Pull Method via AP API to synchronize the affiliations of current members affiliations database at edu-ID.
Usually, an organizaition uses either push or pull. It is however possible to combine the two methods. This is particularly useful if an organization wants to register students with edu-ID based registration, and staff with mail-based linking. In such a scenario, the following applies:
- creation of an affiliation
- the student registers with her edu-ID account. The edu-ID identifier is known to the university. If the student is admitted, an affiliation is created by the university via affiliation API (Push)
- the staff member links the edu-ID account using mail-based linking in eduid.ch. The affiliation is created by eduid.ch via AP-API (Pull)
- update/mutation of an affiliation: usually via Pull only.
- deletion of an affiliation because the person is no logner member of the university: usually via Pull only.
Organization pushes Affiliations to edu-ID
An organisation instantly sends attribute changes and status updates of an individual member to edu-ID.
This method can be combined with all types of linking services except the email-based linking.
Pull with hosted Attribute Provider
The organization provides a list of all its members by allowing read-only access to its directory. An affiliation is created immediately when a user adds an organizational email address to her edu-ID. The Attribute Provider is hosted by SWITCH. It regularly polls the organization’s directory and updates or deletes affiliations accordingly. The attribute aggregator currently polls for updates once per day.
This method can be combined with all types of linking services including the email-based linking.
Pull with Organizational Attribute Provider
The organization provides a list of all its current affiliations via the attribute provider interface. The edu-ID attribute aggregator regularly polls the organization’s attribute provider for affiliation information and status updates of their members. The attribute aggregator currently polls for updates once per day.
This method can be combined with all types of linking services including the email-based linking.
Special Case: Attribute Pull via SAML for non-migrated Organizations
Users can create edu-ID identities and link them to the organizational AAI account before an organization as a whole integrates edu-ID. Affiliations of these users are updated on a daily basis via SAML attribute queries on the organizational AAI IdP.
Comparison
Method | Pros | Cons |
---|---|---|
Organization pushes attributes |
|
|
edu-ID pulls attributes at hosted attribute provider |
|
|
edu-ID pulls attributes at organizational attribute provider |
|
Typically, an organization decides to implement either push or pull. In some cases, an organization may want to combine the advantages of the two methods. It is possible - and sometimes preferable - to implement the push method to create an affiliation, whereas the affiliation update and deletion take place via pull using the AP-API.
IdM Processes and Update Methods
The affiliation update are designed to cover the following identity management processes:
IdM Process |
Supported Protocols Organization → edu-ID push |
Supported Protocols edu-ID ← Organization pull |
Onboarding | SCIM API: POST request | AP-API: a member appears in list of affiliations, or a member is added by email address |
Attribute updates | SCIM API: PUT request | AP-API: attbutes have changed in list of affiliations |
Offboarding | SCIM API: DELETE request | AP-API: a member diappears from list of affiliations |
Blocking / unblocking | PUT: set swissEduIDAffiliationStatus to current or suspended | an affiliation is manually (un)blocked in the administration portal |
Protocol descriptions:
- SCIM (Affiliation) API: a REST-API based on the SCIM specification to update affiliations, provided by edu-ID
- AP-API: the organization provides access to user attributes via a simple http-based Attribute Provider API.
- administration portal: a web application where an organization can manage current affiliations.
In addition to the AP-API, the edu-ID service also provides a SAML interface in the pull-mode. In this case, the organization provides a SAML-IdP that responds to attribute requests. This interface is available on request for special purposes.