SWITCHaai Metadata

The metadata describe Identity Providers (IdP) and Service Providers (SP) of the respective federation. The files are updated hourly, usually every full hour.

SAML 2.0 metadata

SWITCHaai Federation
AAI Test Federation

The federation metadata files are digitally signed with the SWITCHaai Metadata Signer certificate. This certificate chains to the SWITCHaai Root CA certificate which should be configured as the trust anchor for PKIX-based validation of the metadata signature.

eduGAIN interfederation metadata for SWITCHaai participants

Configure the above listed eduGAIN interfederation metadata feed only if your SP or IdP is registered in the SWITCHaai federation and if it is interfederation enabled so that its metadata gets published via eduGAIN.
In case your service is registered in some other federation, ask its federation operator which feed to configure.

Update of Federation Metadata

AAI-enabled systems in the SWITCHaai federation are requested to update the metadata at least daily. Hourly updates are strongly recommended in order to support fast propagation of metadata changes.

Instructions for configuring the above metadata with an automatic hourly refresh and signature validation based on the SWITCHaai Root CA trust anchor can be found in our SP deployment guide and the IdP deployment guide, respectively (MetadataProvider elements in the XML configuration files).

If the SP or IdP downloading metadata is behind a firewall or proxy, please be aware that the IP address of the metadata.aai.switch.ch host may change without notice. Creating IP-based filter rules is therefore discouraged. Instead, we strongly recommend configuring the SP to use a proxy with the <TransportOption> element or the IdP to use a proxy.

Special Use Case

SWITCH edu-ID IdP Metadata only

The following metadata files get updated and are digitally signed the same way as the standard metadata files above.

SWITCH edu-ID IdP - registered in the SWITCHaai Federation
https://metadata.aai.switch.ch/entities/eduid contains only the SWITCH edu-ID IdP
SWITCH edu-ID [Test] IdP - registered in the AAI Test Federation
https://metadata.aai.switch.ch/entities/eduid-test contains only the SWITCH edu-ID [Test] IdP

If you use an ADFS SP, replace 'http' by https' in the above listed links.
ADFS ignores the digital signature embedded in the metadata file but insists on downloading the file from some https location.
Please note: After adding the link as 'Claims provider's federation metadata URL' ADFS will present you the warning
"AD FS Management: Some of the content in the federation metadata was skipped because it is not supported by AD FS. Review the properties of the trust carefully before you save the trust to the AD FS configuration database." .
Ignore this warning. Unfortunately, ADFS does not log any details which elements its XML parser skipped.