Deployment Information for Federation Partners

While the page on how to become a Federation Partner outlines the legal aspects of joining SWITCHaai as a Federation Partner, this page provides an overview of how to install a Shibboleth Service Provider and configure one or more Resources for SWITCHaai.

Technical steps

  1. Shibboleth Demo (optional)
    If you are not yet familiar with the principle of federated identity management, you may have a look at our AAI demo page. This usually helps people who are new to Shibboleth to understand some basics about federated identity management and how Shibboleth works.

  2. Certificate
    To participate in SWITCHaai you need a certificate that can be used for client authentication. SWITCH recommends using a self-signed certificate. Most X.509 certificates used for web servers support client authentication and can be used as well.
    For the details, check out the certificate acceptance rules.
    In case of questions, contact the SWITCHaai Team.

  3. Data protection
    AAI attributes are the common basis on which two communicating entities share information that both interpret identically. The resource owner's first and foremost duty regarding attributes is privacy and data protection. To protect user privacy, request only as few attributes as needed.

    For publishers, the attributes 'eduPersonEntitlement' and 'swissEduPersonHomeOrganization' should be sufficient in most cases. The attribute 'eduPersonEntitlement' contains the value 'urn:mace:dir:entitlement:common-lib-terms' for all university members authorized to access licensed content from publishers.

    For other federation partners, if you need a user identifier, please request the persistent ID. Attributes that shop operators often need to decide whether a person gets an educational discount are 'swissEduPersonHomeOrganizationType' and 'eduPersonAffiliation'. If you have any questions regarding attributes or you think you require more attributes, please contact us.

  4. Installing Shibboleth
    We provide deployment guides to install Shibboleth for several platforms (Windows, Linux, Mac OS X). These guides can be found on the Service Provider Deployment page.
    They describe how to configure Shibboleth for the production SWITCHaai federation.

  5. Register Resource
    Finally, the Resource has to be registered with the Resource Registry. This is initiated by SWITCH and you will receive further instructions on how to accomplish this. First, you should send an email to aai@switch.ch containing the following information:

    Organization Details
    • Organization name
    • Link to official Homepage
    • Short description of organization
    • Organization name and URL
    Resource Details
    • Name of resource
    • Short description of resource
    • Shibboleth providerID/entityID (standard convention https://host.name.com/shibboleth)
    Technical contact person information
    • Given name and surname
    • Postal address
    • Telephone number
    • Email address

    In order to register with the Resource Registry, the technical contact person will receive the credentials for an AAI account on our Virtual Home Organization together with an invitation to complete the Resource Description.
    Once the Resource is registered by this technical contact person and approved by the sponsoring Federation Member, the published metadata will contain a description of your Resource. All SWITCHaai Identity Providers will therefore know the Service Provider the next time they refresh their metadata. This usually happens once a day but can be forced manually.
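
For step 3 (Data protection), the following added example (not part of the original page and not SWITCH's code) shows a publisher-side access check that relies only on the two attributes named there and keeps no other released data. The local attribute names `entitlement` and `homeOrganization` are assumptions that depend on the Service Provider's attribute mapping; the sample inputs are constructed.

```python
import re

# Entitlement value the page gives for members authorized to access licensed content.
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# Assumption: local names under which the SP exposes the attributes to the
# application (defined in the SP's attribute map); adjust to your mapping.
ENTITLEMENT_KEY = "entitlement"
HOME_ORG_KEY = "homeOrganization"


def split_values(raw):
    """Split a multi-valued attribute as delivered by the Shibboleth SP:
    values are joined with ';', a literal ';' in a value is escaped as '\\;'."""
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";") for p in parts if p]


def authorize(attrs):
    """Return (allowed, session) for a publisher resource.

    Access is granted only on an exact match of one entitlement value, and the
    session keeps nothing beyond the home organization.
    """
    entitlements = split_values(attrs.get(ENTITLEMENT_KEY, ""))
    allowed = COMMON_LIB_TERMS in entitlements  # whole-value match, not substring
    session = {"home_org": attrs.get(HOME_ORG_KEY, "")} if allowed else {}
    return allowed, session


# Constructed sample inputs (not real user data).
SAMPLE_MEMBER = {
    ENTITLEMENT_KEY: "urn:example:other\\;x;" + COMMON_LIB_TERMS,
    HOME_ORG_KEY: "example.ch",
    "mail": "someone@example.ch",  # released but not needed: never stored
}
SAMPLE_LOOKALIKE = {ENTITLEMENT_KEY: COMMON_LIB_TERMS + "-trial"}

if __name__ == "__main__":
    print(authorize(SAMPLE_MEMBER))
    print(authorize(SAMPLE_LOOKALIKE))
```

Comparing whole values after splitting prevents a longer look-alike entitlement from being accepted through a substring match.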

Support

If you have any questions or problems, feel free to contact us by phone +41 44 268 1505 or email (aai@switch.ch).