Processes to link members in the adoption phase
An organisation that adopts SWITCH edu-ID needs to provide mechanisms to link the local identities of new members (staff, students etc.) to edu-ID identities. Existing members of an organisation are usually treated differently because they already have a local organisational account and, in most cases, also a SWITCHaai account.
In the scenarios below, Day X denotes the flag day on which the edu-ID IdP takes over from the organisational SWITCHaai IdP; from then on, organisation members log in with their edu-ID to access services. After Day X, the organisation no longer operates a Shibboleth IdP.
The sections below describe different approaches to equip organisation members with an edu-ID that is linked to the local organisational account.
Link current members before day X
- Users are asked to go to their edu-ID account. If they don't already have an edu-ID, they should create an account first.
- Using the AAI account linking service, users link their AAI account to their edu-ID.
- On Day X, edu-ID sends the organisation a list of all aai-uniqueIDs with their associated edu-ID identifiers.
- The organisation imports the list and associates the edu-ID identifier of each member with the local user identity.
Remarks:
- Organisation members are invited to become active and create and link their identities themselves. Not all users will follow these instructions.
- edu-ID can send an organisation a list of users who have an edu-ID organisational link. Based on that list, the organisation can determine which members don't have a linked account and resend the account linking invitation.
Link current members after day X
- edu-ID sends the organisation a list of users who already have an edu-ID organisational link.
- The organisation imports the list and associates the edu-ID identifier of each member with the local user identity.
- All members who are not in the imported list lose their federation account on Day X. They are invited to use a linking service where they can create an edu-ID and link it to their local organisational identity.
Remarks:
- With this approach it is likely that not all organisation members have a linked edu-ID. Without a federation account, they will not have access to services in the federation.
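Both approaches end with the same step: the organisation imports the list from edu-ID and associates each member's edu-ID identifier with the local account, then works out who still needs an invitation. The following is an added example, not code from SWITCH or from this page; it assumes a CSV layout (columns aai_unique_id and eduid_identifier) and a local user dictionary, both constructed here. It refuses to link a row when one edu-ID is claimed by several members or a local account is already linked to a different edu-ID, since silently overwriting such a link would hand one person's federation identity to another.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the list edu-ID sends on Day X. The CSV layout
# (aai_unique_id, eduid_identifier) is an assumption, not the real format.
EDUID_LIST = """aai_unique_id,eduid_identifier
alice@example.edu,eduid-0001
bob@example.edu,eduid-0002
carol@example.edu,eduid-0003
dave@example.edu,eduid-0002
"""

# Constructed local user directory keyed by aai-uniqueID.
# "eduid" is None until an identifier has been associated with the account.
LOCAL_USERS = {
    "alice@example.edu": {"uid": "u100", "eduid": None},
    "bob@example.edu":   {"uid": "u101", "eduid": None},
    "carol@example.edu": {"uid": "u102", "eduid": "eduid-9999"},
    "dave@example.edu":  {"uid": "u103", "eduid": None},
    "erin@example.edu":  {"uid": "u104", "eduid": None},
}


def import_links(csv_text, local_users):
    """Associate edu-ID identifiers with local accounts in place.
    Returns (linked, unlinked, conflicts): links written, members absent
    from the list (to be re-invited), and rows skipped for manual review."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Count how many members claim each edu-ID; one edu-ID must map to one person.
    owners = defaultdict(list)
    for row in rows:
        owners[row["eduid_identifier"]].append(row["aai_unique_id"])

    linked, conflicts = {}, []
    for row in rows:
        uid, eduid = row["aai_unique_id"], row["eduid_identifier"]
        if uid not in local_users:
            conflicts.append((uid, eduid, "unknown local member"))
        elif len(owners[eduid]) > 1:
            conflicts.append((uid, eduid, "edu-ID claimed by multiple members"))
        elif local_users[uid]["eduid"] not in (None, eduid):
            conflicts.append((uid, eduid, "account already linked to another edu-ID"))
        else:
            local_users[uid]["eduid"] = eduid
            linked[uid] = eduid

    # Members not in the list at all are the ones to re-invite (see the remarks above).
    listed = {row["aai_unique_id"] for row in rows}
    unlinked = sorted(u for u in local_users if u not in listed)
    return linked, unlinked, conflicts
```

Conflicts are reported rather than resolved, because deciding which of two claimants owns an edu-ID is an identity-proofing question the import script cannot answer.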
Comparison
Approach | Advantages
Link before Day X |
Link after Day X |
Note that the different linking approaches can be combined. For example, an organisation could try to have as many members as possible create and link their edu-ID on their own (approach "link before Day X"). All members who do not have a linked edu-ID on Day X then create and link one later (approach "link after Day X").