IdP Guide
Since the introduction of Switch edu-ID, Switch no longer supports organisations that wish to operate their own institution-specific IdP. A higher education institution may continue to operate its IdP within the federation, but is responsible for running the IdP entirely on its own. Depending on the circumstances, Switch may either be unable to provide any specific support for an organisation’s IdP (for example, if the necessary expertise is lacking) or may provide such support in return for financial compensation (if the expertise is available).
Requirements to operate an Identity Provider in Switch edu-ID federation
- IdP must support standard SAML2 WebSSO protocol via HTTP POST
- Support for processing SAML2 metadata
- Switch edu-ID federation and interfederation come in separate files of several MBs dozen MBs in size
- Metadata files contain many EntityDescriptors
- Metadata files should be updated automatically every hour and XML sgnature should be checked
- Support for national and international SAML attributes
- Support for all the Switch edu-ID and Interfederation Core attributes
- The transientID NameID Format must be supported, ideally also the deprecated persistentID
- Ensure that services requesting the persistentId (either as NameID or as attribute eduPersonTargetedId) get the same values as with the current Identity Provider
- Including support for the new attributes subject-id/pairwise-id. The targeted pairwise-id attribute requires a database.
- To support some features of Switch edu-ID it is recommended to also support the attribute swissEduIDUniqueID, which is the swissEduPersonUniqueID attribute the from basic edu-ID identity
- Support for scalable attribute release
- Ideally according to attribute-filter.xml, which is generated by Resource Registry.
- Filter should be updated automatically every hour
- There are approx. 1800 Switch edu-ID SAML SPs and 3800 eduGAIN SPs
- Recommended to support attribute release based on for REFEDS Research & Scholarship and GÉANT Data Protection Code of Conduct entity categories.
- Support for SAML Authenticatoin Context
- In particular the REFEDS MFA profile: https://refeds.org/profile/mfa must be set for some services
- An increasing number of universities requires REFEDS MFA for login on their services
- User consent
- Optional but highly recommended from a legal perspective, depending on the organization
- OpenID Connect support for organisation identities including the attribut/claim set supported for edu-ID and with MFA support