On-/Offboarding of Users

This page describes how an organisation that has decided to adopt SWITCH edu-ID can onboard and offboard users, e.g. register new staff members or enrol new students at the organisation.
There are different options for onboarding and offboarding users with an edu-ID.

Onboarding options can also be combined (e.g., different options for different groups of users, such as staff and students). See also https://projects.switch.ch/eduid/adoption/link-new-members/.


Onboarding includes the organisation creating a New Affiliation for the user.

A: Linking at Registration (standard process)

The user creates an edu-ID account first and then registers as a staff member or enrols as a student at the organisation, which then sets the affiliation.


B: Linking at Admission

When the organisation creates a user's local organisational account, the user links it to the edu-ID account.

C: Linking after Admission

The user links the local organisational account to the edu-ID account days, weeks or months after admission at the organisation. The user has a federated identity with an affiliation only after having linked the local identity and the edu-ID identity.


The offboarding process is entirely independent of the chosen onboarding process!

See also the page about how to manage affiliations.

There are ways to undo the offboarding of a user or a set of users (without leaving a former affiliation behind).

A: SWITCH edu-ID pulls Status from Organisation

The attribute aggregator regularly polls an organisation's attribute provider. If a user with a current affiliation no longer exists in the attribute provider, that user should be offboarded.

A robust implementation has to address two points:
- make sure the attribute provider (IdP, LDAP/AD, persistentID-DB) is running and responds correctly; an unreachable or misbehaving provider must not be mistaken for a missing user
- correctly interpret the attribute query response of the attribute provider for a former organisation member

---> approach: the attribute aggregator stores the last two attribute query responses for each user. If the current response and the two stored ones, i.e. three consecutive query responses, all tell that the user does not exist in the organisation (anymore), then the user is offboarded and the current affiliation is moved to a former affiliation. Assuming one complete attribute query run per day, the max. delay for an offboarded affiliation is three days.
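
The following is an added illustration of that rule, not SWITCH edu-ID code: a small model of the aggregator's per-user state in which a query response can be "found", "not found" or "error". The names (QueryResult, User, process_response, undo_offboarding, simulate) and the organisation name in the sample run are assumptions made for the example. It shows the three-consecutive-misses window, the move of the current affiliation to a former affiliation, why a provider outage must be treated as inconclusive rather than as a miss, and the undo path that reinstates the affiliation without leaving a former affiliation behind.

```python
"""Model of the pull-based offboarding rule (added example, not SWITCH code).

A user is offboarded only when the current attribute query response and the
two stored previous ones all say the user no longer exists at the
organisation. An ERROR (provider down, malformed answer) is inconclusive:
it is neither stored nor counted, so an outage cannot offboard anyone and
cannot hide a genuine departure.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class QueryResult(Enum):
    """Outcome of one attribute query against the organisation's provider."""
    FOUND = "found"          # provider returned attributes for the user
    NOT_FOUND = "not_found"  # provider answered: user no longer exists there
    ERROR = "error"          # provider unreachable or answer unusable


REQUIRED_MISSES = 3                    # current response plus the two stored
STORED_RESPONSES = REQUIRED_MISSES - 1  # the aggregator keeps the last two


@dataclass
class User:
    uid: str
    current_affiliation: Optional[str]
    former_affiliations: List[str] = field(default_factory=list)
    # last two conclusive responses (FOUND / NOT_FOUND); ERROR is never stored
    history: List[QueryResult] = field(default_factory=list)


def offboard(user: User) -> None:
    """Move the current affiliation to the list of former affiliations."""
    user.former_affiliations.append(user.current_affiliation)
    user.current_affiliation = None


def process_response(user: User, result: QueryResult) -> bool:
    """Feed one attribute query response; return True if it triggered offboarding."""
    if result is QueryResult.ERROR:
        return False                     # inconclusive: keep the window as is
    window = user.history + [result]     # at most three entries
    user.history = window[-STORED_RESPONSES:]
    if user.current_affiliation is None:
        return False                     # nothing left to offboard
    if len(window) == REQUIRED_MISSES and all(
        r is QueryResult.NOT_FOUND for r in window
    ):
        offboard(user)
        return True
    return False


def undo_offboarding(user: User, affiliation: str) -> None:
    """Reinstate an affiliation without leaving a former affiliation behind."""
    user.former_affiliations.remove(affiliation)
    user.current_affiliation = affiliation
    user.history.clear()                 # start a fresh window of three


def simulate(user: User, daily_results: List[QueryResult]) -> Optional[int]:
    """Apply one response per day; return the 1-based day of offboarding or None."""
    for day, result in enumerate(daily_results, start=1):
        if process_response(user, result):
            return day
    return None


if __name__ == "__main__":
    # Constructed sample run: a departed member whose provider was down on day 2.
    F, NF, E = QueryResult.FOUND, QueryResult.NOT_FOUND, QueryResult.ERROR
    alice = User("alice", "example-org")  # constructed organisation name
    day = simulate(alice, [F, E, NF, NF, NF])
    print(f"offboarded on day {day}: current={alice.current_affiliation!r} "
          f"former={alice.former_affiliations}")
    undo_offboarding(alice, "example-org")
    print(f"after undo: current={alice.current_affiliation!r} "
          f"former={alice.former_affiliations}")
```

With one query run per day, a user who disappears from the provider on day 1 is offboarded on day 3, which is the three-day maximum delay the page states; a single FOUND in between restarts the count, and ERROR days simply do not advance it.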

Question for the organisation: How quickly is a user's dismissal propagated to the attribute provider?

B: Organisation pushes Status to SWITCH edu-ID

An organisation sends explicit offboarding messages to the edu-ID service via an API (similar to the onboarding message API described under Creation of a New Affiliation).

The user's affiliation is immediately removed and transformed into a former affiliation.