Essential Integration Approaches
An Organisation that integrates SWITCH edu-ID needs to make sure that each member (student, staff, further education student) has an edu-ID identity that it is linked to their local, organisational identity. A linked edu-ID account has at least one organizational affiliation associated to it.
edu-ID supports a large variety of methods to link accounts and interfaces to manage affiliations and synchronize attributes which can be combined in many different ways. Here are the two most common combinations of linking and syncing: eMail-based linking with pulling affiliations and Organizational linking with pushing affiliations.
eMail-based linking and Affiliation Pull
- edu-ID operates eMail-based linking as part of my edu-ID account management (https://eduid.ch).
- After a user has added an organizational eMail address, the linking process is started by pulling an affiliation.
- The attribute aggregator has read-only access to the organizational directory.
- The attribute aggregator searches the organizational directory for a matching user entry.
- If a valid user was found, an affiliation is created.
- Subsequently, in daily update rounds, affiliations are compared with the directory, and updated or removed as needed.
Advantages of this approach
- The connector between the university directory and edu-ID (the Attibute Provider) can either be operated by the university or SWITCH
- If SWITCH operates the Attribute Provider (as shown in the diagram above), the organization only has to provide read-only access to the directory. No additional software has to be developed or operated by the university.
- Simple to set-up for university.
- Simple to use for users.
Prerequisite: Organization membership of a person is determined by the domain of the eMail address. All organization members need to have an organizational eMail. The eMail-based linking method supports multiple eMail domains, but the number should not exceed 10 eMail domains for one orgnization.
Organizational linking and Affiliation Push
- The organization develops and operates an Organizational Linking Service.
- The purpose of the linking service is to make sure that a member has an edu-ID account, and that the edu-ID identifier is known to the identity management system (IdM).
- After a user has completed the linking process, the edu-ID identifier is transferred to the IdM.
- The IdM has rules in place to decide if and when an affiliation should be added to a member's edu-ID account.
- The IdM has a connector to create, update and delete affiliations via the edu-ID affiliation API.
Advantages of this approach
- All affiliation updates by the IdM are immediately effective.
- The approach supports student registration processes with edu-ID.
- Gives an organization with IdM most control over affiliations.