Linking Methods

There are multiple approaches how an organizational user identity can be linked to the (personal part of the) edu-ID identity. For an organization that has integrated edu-ID - and is no longer operating its own IdP - it is required to establish a link. 

These linking methods are currently supported by SWITCH edu-ID

Save

Save

Save

Save

Save

Save

Save

Save

Save

Organizational Linking

The link for a user is established if:

  • the organization "knows" the edu-ID identifier of the user (only used to create a link)
  • edu-ID "knows" the organizational-unique-Identifier of the user

After linking the organizational and the edu-ID identity, the edu-ID service creates a "current" organizational affiliation. The attributes in the current affiliation and the organizational identity are kept in sync - with the organization being the provider. SWITCH edu-ID offers multiple methods to manage and synchronize affiliations.

 

linking-model

Organizational and edu-ID identity after linking

 

Save

Save

Save

Save

Save

Save

Save

Save

Save

 

Organizational Registration Form

With this approach, the organization offers a public registration web form. The basic idea is to make sure users have an edu-ID before they register at the university.

On a public information page, the user is asked to proceed to an edu-ID-protected registration page hosted by the organization. Users gains access to that page by authenticating with their edu-ID. If the user does not already have an edu-ID, it can be created on the fly.

As a result the user is redirected to the registration page and the organization gets the user's edu-ID identifier which can be stored in the local directory.

Later, if/when the user has been admitted, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.

Check these details about the registration page.

 

Organizational Linking Service with SP

In this approach, the organization operates a linking service, which is a web page. The basic idea is to have a user authenticate at the organization, and then also at edu-ID. If both authentications succeed the link can be established.

The user is asked to go to a local protected web page hosted by the organization. The user accesses that page by authenticating against the local directory. If the edu-ID identifier is known for the user, the link has already been established and the user can stop. Otherwise, the user is informed that the link is missing and that it should be established by authenticating with the edu-ID. Users without an edu-ID can create one on the fly.

As a result the organization gets the user's edu-ID identifier which can be stored in the local directory. To complete the bidirectional link, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.

The detailed process of an organizational linking service is described here.

 

Organizational Linking Service with Token

This linking approach is similar to the organizational linking service above. The main difference is that the web page (edu-ID authn) that requires authentication with edu-ID is hosted by SWITCH and not by the organization.

This approach may be preferable for organizations that don't want to operate a Sibboleth SP just for the linking service. The disadvantage compared to a proper SP is that the edu-ID login page can't be customized, and that the set of returned attributes is limited to the edu-ID identifier and the private email address.

The detailed process how an organization can obtain the edu-ID identifier in this scenario is described here.

eMail-based Linking

Linking with organizational eMail address

SWITCH edu-ID has a built-in linking service that can be used by organization members, who have an organizational email address.

With this method, a user navigates to the edu-ID account page eduid.ch and adds the organizational email address. If an organization has been configured for this linking method, their email addresses are recognized by matching a pattern like "*@university.ch". The email address is used to fetch the according user record in the organizational directory, and a new current affiliation is created. The email address is only used to create an initial affiliation. For all subsequent update processes another unique identifier is used.

With this method, the organizational identity is unidirectionally linked to the edu-ID identity. The organization does not have to implement a linking service.

To synchronize attributes, this linking method is compatible with pull with organizational attribute provider and pull with hosted attributed provider.

Details of the eMail-based linking method are described here.

eduid-based-linking2

 

Linking with private or arbitrary eMail address

With this method, a user navigates to the edu-ID account eduid.ch and klicks the "add organizational identity" button in the Organizations tab. After selecting an organization, the edu-ID service queries the directory of the selected organization for all of the email addresses that the user has registered in her edu-ID account.

  • if a matching record was found in the organizational directory its attributes are used to create a new current affiliation. The email address is only used to create an initial affiliation. For all subsequent update processes another unique identifier is used.
  • if no matching record was found an error message is displayed, and the user has the option to add an eMail address that is known to the organization.

With this method, the organizational identity is unidirectionally linked to the edu-ID identity. The organization does not have to implement a linking service.

To synchronize attributes, this linking method is compatible with pull with organizational attribute provider and pull with hosted attributed provider.

Legacy linking methods

Manual Linking via mail message

In the manual linking approach, an email containing a user's edu-ID identifier is sent to HR, who has to manually add it to the organizational directory. It is divided into the following steps:

  1. The user is asked to visit a linking web-page, hosted by SWITCH. The invitations may be sent by email, by printed letter or any other means.
  2. To access the linking page a user needs to log in with his/her edu-ID. An edu-ID may have to be created on the fly, if the user does not already have one.
  3. The linking page contains some organization-specific explanation text - plus one button.
  4. By clicking on the button, an email is sent to a pre-defined email address containing the name and the edu-ID identifier of the user. Typically, the email recipient is a service desk at the organization's HR departement.
  5. The HR department checks incoming emails for their legitimacy.
  6. If the emal is legit, HR manually copies the user's edu-ID identifier to the user record in the oganizational directory.
  7. To complete the bidirectional link, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.

Advantages of this approach: 

  • Requires the least technical extensions

Drawbacks of this approach:

  • Involves manual interactions and consequently does not scale well
  • Prone to human errors
  • Registration page is difficult to protect. It could be misused to spam/DOS the email recipient

The registration page can be protected with an alphanumeric PIN code. HR should make sure that the PIN is only disclosed to persons who are supposed to use the registration service. To protect the registration page please contact us.

Linking with legacy AAI-IdP

This linking can only be used by members of organizations without edu-ID integration.

With this method, a user navigates to the edu-ID account management eduid.ch, and klicks the 'Add an organizational identity'. The user is then redirected to the organizational AAI IdP for authentication. After sucessful authentication, the respective affiliation is added to the user's account.

Note that this method can only be used by organizations who run their own IdP in the federation. Organizations who have integrated edu-ID and hence migrated their IdP into edu-ID can't use this linking method.

 

Linking methods compared

  Implementation and operation possible  affiliation creation methods possible  affiliation update  methods linking flow for users
Organizational Registration Page by university push push or pull User initiates linking on a linking service (a public or intranet web page) hosted by the organization.
Organizational Linking Service
(with SP or Token)

by university

push

push or pull
Linking with organizational eMail address

by SWITCH

pull

pull (with organizational or  hosted AP) User initiates linking from edu-ID account management by adding an organizational email-address to her account.
Linking with private or arbitrary eMail address

by SWITCH

pull

User adds an email-address to her account that is known to the organization. User initiates linking by selecting an organization from a list.
Linking with legacy AAI-IdP by SWITCH pull via SAML User initiates linking from edu-ID account management (add organizational identity), selects the organization from the dropdown list and authenticates with organizational AAI-IdP.
Manual Linking via mail message

by SWITCH

push

push or pull  

 

Save