Managing affiliations

In order to integrate edu-ID with an organization, affiliations (identified by the organizational unique identifier) and their associated attributes have to be synchronized with the users' edu-ID identities.

When a user accesses a service provider, the edu-ID IdP must be able to deliver up-to-date organizational attribute information for that user. Therefore an organization synchronizes the complete set of organizational attributes to edu-ID via the push or the pull method.

Updating the Affiliation Status of Organization Members

The edu-ID service supports the Push Method via the SCIM API or the Pull Method via the AP API to synchronize the affiliations of current members with the affiliations database at edu-ID.

Usually, an organization uses either push or pull. It is however possible to combine the two methods. This is particularly useful if an organization wants to register students with edu-ID based registration, and staff with mail-based linking. In such a scenario, the following applies:

  • creation of an affiliation
    • the student registers with her edu-ID account, so the edu-ID identifier is known to the university. If the student is admitted, an affiliation is created by the university via the Affiliation API (Push)
    • the staff member links the edu-ID account using mail-based linking in eduid.ch. The affiliation is created by eduid.ch via the AP-API (Pull)
  • update/mutation of an affiliation: usually via Pull only.
  • deletion of an affiliation because the person is no longer a member of the university: usually via Pull only.

Organization pushes Affiliations to edu-ID

An organization instantly sends attribute changes and status updates of an individual member to edu-ID.

This method can be combined with all types of linking services except the email-based linking.

Affiliation API

Pull with hosted Attribute Provider

The organization provides a list of all its members by allowing read-only access to its directory. An affiliation is created immediately when a user adds an organizational email address to her edu-ID. The Attribute Provider is hosted by SWITCH. It regularly polls the organization’s directory and updates or deletes affiliations accordingly. The attribute aggregator currently polls for updates once per day.

This method can be combined with all types of linking services including the email-based linking.

Attribute Provider API

Pull with Organizational Attribute Provider

The organization provides a list of all its current affiliations via the attribute provider interface. The edu-ID attribute aggregator regularly polls the organization’s attribute provider for affiliation information and status updates of their members. The attribute aggregator currently polls for updates once per day.

This method can be combined with all types of linking services including the email-based linking.

Attribute Provider API

Special Case: Attribute Pull via SAML for non-migrated Organizations

Users can create edu-ID identities and link them to the organizational AAI account before an organization as a whole integrates edu-ID. Affiliations of these users are updated on a daily basis via SAML attribute queries on the organizational AAI IdP.

Comparison

Method: Organization pushes attributes
  Pros:
    • Attribute changes at the organization take immediate effect at edu-ID
    • Efficient protocol in terms of required bandwidth and processing power
  Cons:
    • Difficult to implement for organizations without a centralized IdM that manages the processes for user account creation, update, deletion and temporary blocking

Method: edu-ID pulls attributes at hosted attribute provider
  Pros:
    • Makes edu-ID integration possible at an organization without technical developments (SaaS)
    • Affiliations are created immediately
  Cons:
    • Attribute updates and affiliation deletion at the organization take up to 24h to be reflected in edu-ID

Method: edu-ID pulls attributes at organizational attribute provider
  Pros:
    • Easier to implement for organizations without centralized IdM processes.

Typically, an organization decides to implement either push or pull. In some cases, an organization may want to combine the advantages of the two methods. It is possible - and sometimes preferable - to implement the push method to create an affiliation, whereas the affiliation update and deletion take place via pull using the AP-API.

IdM Processes and Update Methods

The affiliation update methods are designed to cover the following identity management processes:

  • Onboarding: Create a new affiliation for a user who already has an edu-ID identity
  • Offboarding: A user leaves the organization. Archive the current affiliation and add it to the list of former affiliations
  • Attribute updates: Some attributes of a user were changed at the organization. Update the current affiliation accordingly
  • User blocking/unblocking: The organization temporarily disables a user's current affiliation

IdM Process: Onboarding
  Organization → edu-ID push: SCIM API: POST request
  edu-ID ← Organization pull: AP-API: a member appears in the list of affiliations, or a member is added by email address

IdM Process: Attribute updates
  Organization → edu-ID push: SCIM API: PUT request
  edu-ID ← Organization pull: AP-API: attributes have changed in the list of affiliations

IdM Process: Offboarding
  Organization → edu-ID push: SCIM API: DELETE request
  edu-ID ← Organization pull: AP-API: a member disappears from the list of affiliations

IdM Process: Blocking / unblocking
  Organization → edu-ID push: SCIM API: PUT request, setting swissEduIDAffiliationStatus to current or suspended
  edu-ID ← Organization pull: an affiliation is manually (un)blocked in the administration portal

Protocol descriptions:

  • SCIM (Affiliation) API: a REST API based on the SCIM specification to update affiliations, provided by edu-ID
  • AP-API: the organization provides access to user attributes via a simple HTTP-based Attribute Provider API.
  • administration portal: a web application where an organization can manage current affiliations.
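The combined push/pull scenario described under "Updating the Affiliation Status of Organization Members" and the process-to-protocol mapping in the table above, worked through as an added example in Python; this is not code from the edu-ID service, from SWITCH or from this page. It models one daily pull cycle: the aggregator compares the list fetched from the organization's attribute provider with the affiliations edu-ID already holds and derives onboarding (POST), attribute update (PUT) and offboarding (DELETE) actions, while a push-side blocking call sets the status attribute directly. The SCIM verbs and the attribute swissEduIDAffiliationStatus with its values current and suspended are taken from the page; everything else is an assumption: the record layout, the attribute names mail and affiliation, the identifiers s1001 and p2002, the constructed sample lists, and the EduIDAffiliations class, which is a simulated stand-in for edu-ID's store because the real SCIM endpoints and payload schema are not on this page.

```python
"""Reconcile an organization's affiliation list against a simulated edu-ID store.

Added example, not the edu-ID service's own code. Emits action records in place
of real SCIM requests, since the actual endpoints are not documented here.
"""
from dataclasses import dataclass, field
from typing import Dict, List

Affiliation = Dict[str, str]                    # attribute name -> value (names assumed)
STATUS_ATTR = "swissEduIDAffiliationStatus"     # attribute named on the page
VALID_STATUS = {"current", "suspended"}         # values named on the page


@dataclass
class Action:
    op: str                                     # SCIM verb from the table: POST, PUT, DELETE
    org_uid: str                                # organizational unique identifier
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class EduIDAffiliations:
    """Simulated stand-in for the affiliation store at edu-ID (assumption)."""
    current: Dict[str, Affiliation] = field(default_factory=dict)
    former: List[Affiliation] = field(default_factory=list)

    def apply(self, action: Action) -> None:
        if action.op == "POST":                 # onboarding: new current affiliation
            record = dict(action.attrs)
            record.setdefault(STATUS_ATTR, "current")
            self.current[action.org_uid] = record
        elif action.op == "PUT":                # attribute update or (un)blocking
            status = action.attrs.get(STATUS_ATTR)
            if status is not None and status not in VALID_STATUS:
                raise ValueError(f"invalid {STATUS_ATTR}: {status!r}")
            self.current[action.org_uid].update(action.attrs)
        elif action.op == "DELETE":             # offboarding: archive, do not discard
            self.former.append(self.current.pop(action.org_uid))
        else:
            raise ValueError(f"unknown operation {action.op!r}")


def reconcile(store: EduIDAffiliations, org_list: Dict[str, Affiliation]) -> List[Action]:
    """Derive the actions implied by one pull of the organization's affiliation list."""
    actions: List[Action] = []
    known, listed = set(store.current), set(org_list)
    for uid in sorted(listed - known):          # member appears in the list -> onboarding
        actions.append(Action("POST", uid, org_list[uid]))
    for uid in sorted(known - listed):          # member disappears from the list -> offboarding
        actions.append(Action("DELETE", uid))
    for uid in sorted(known & listed):          # attributes changed in the list -> update
        old, new = store.current[uid], org_list[uid]
        changed = {k: new[k] for k in new if old.get(k) != new[k]}
        if changed:
            actions.append(Action("PUT", uid, changed))
    return actions


def push_status(org_uid: str, status: str) -> Action:
    """Push-side blocking/unblocking: PUT the status attribute with a page-listed value."""
    if status not in VALID_STATUS:
        raise ValueError(f"status must be one of {sorted(VALID_STATUS)}")
    return Action("PUT", org_uid, {STATUS_ATTR: status})


def run_pull_cycle(store: EduIDAffiliations, org_list: Dict[str, Affiliation]) -> List[Action]:
    """One daily poll: compute the actions and apply them to the store."""
    actions = reconcile(store, org_list)
    for action in actions:
        store.apply(action)
    return actions


if __name__ == "__main__":
    store = EduIDAffiliations()
    # Push: the university admits a student whose edu-ID is already known (constructed data).
    store.apply(Action("POST", "s1001", {"mail": "anna@example.edu", "affiliation": "student"}))
    # Day 1 pull: the organization's list also contains a staff member linked by mail.
    day1 = {"s1001": {"mail": "anna@example.edu", "affiliation": "student"},
            "p2002": {"mail": "bob@example.edu", "affiliation": "staff"}}
    print(run_pull_cycle(store, day1))          # one POST for p2002, nothing for s1001
    # Day 2 pull: the student's mail changed and the staff member left.
    day2 = {"s1001": {"mail": "anna.m@example.edu", "affiliation": "student"}}
    print(run_pull_cycle(store, day2))          # DELETE p2002, PUT s1001
    store.apply(push_status("s1001", "suspended"))
    print(store.current, store.former)
```

The cycle makes the table's pull semantics concrete: an affiliation pushed via POST is left untouched by the next pull as long as the organization's list carries the same attributes, so push for creation and pull for updates and deletion coexist without conflict, and a member's removal surfaces only on the next poll, which is the up-to-24h lag named in the comparison. Offboarding moves the record to the former list rather than dropping it, matching the archive step of the IdM process list, and the status attribute is validated against the two values the page defines so that a malformed update cannot silently leave an affiliation in an undefined state.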

In addition to the AP-API, the edu-ID service also provides a SAML interface in the pull-mode. In this case, the organization provides a SAML-IdP that responds to attribute requests. This interface is available on request for special purposes.