Below, the term federation is described and the difference between the SWITCHaai and AAI Test federations is explained.

A federation is a collection of organizations that agree to interoperate under a certain rule set. Federations will usually define trusted roots, authorities and attributes, along with distribution of metadata representing this information. In general each organization participating in a federation operates one Identity Provider for their users and any number of Service Providers.


Federations are not required for the use of Shibboleth but can facilitate exchange greatly.

SWITCH currently operates two federations: the SWITCHaai Federation in the production infrastructure and the AAI Test Federation in the test infrastructure.

SWITCHaai Federation vs. AAI Test Federation

SWITCHaai Federation

The SWITCHaai Participants either belong to the SWITCH Community or have become SWITCHaai Federation Partners.

Since personal data (the attributes) is processed within SWITCHaai, a proper legal framework is required. It is provided by the SWITCHaai Service Description and its related documents.

Policies and the legal framework of SWITCHaai are defined with the aid of the AAI Advisory Committee, which represents the interests of the SWITCHaai Participants from the SWITCH Community.

Technical aspects of the federation are discussed in the AAI Community Group, which is composed of representatives of SWITCHaai Participants from the SWITCH Community.

SWITCHaai legal and technical document repository

Technical Framework

In order to allow interoperation of the involved systems, an Attribute Specification has been defined.
The metadata describes the Identity Providers and Resources available in SWITCHaai. SWITCH provides the official SWITCHaai metadata files in XML format, digitally signed. Shibboleth uses these files to determine which systems it may validly communicate with. The metadata is generated using the Resource Registry, a tool that collects information about all Identity Providers and Resources in the federation. The Resource Registry also generates tailored Attribute Release Policy (ARP) files for each Identity Provider.
Accepted Certificates
Each host that is part of SWITCHaai needs a certificate for SAML communication that complies with the SWITCHaai Certificate Acceptance Policy. If you decide to use SWITCHpki, please follow the steps described in 'How to obtain a SWITCHpki server certificate'.
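
The following fragment is an added example, not taken from the SWITCH documentation: it shows how a Shibboleth Service Provider can be configured so that the signed metadata files described above are only accepted when their signature verifies against a pinned signing certificate and their validity window is short. The URL, file names and intervals are placeholders chosen for illustration; the real values come from the federation operator.

```xml
<!-- shibboleth2.xml (Shibboleth Service Provider), inside <ApplicationDefaults>.
     All URLs, file names and intervals below are placeholders (assumptions). -->

<!-- Weak: no filters. Whatever document the URL returns is trusted as
     federation metadata, so the trust decision rests on the transport alone.

<MetadataProvider type="XML"
                  url="https://metadata.example.org/federation-metadata.xml"
                  backingFilePath="federation-metadata.xml"/>
-->

<!-- Hardened: the metadata is loaded only if both filters pass. -->
<MetadataProvider type="XML"
                  url="https://metadata.example.org/federation-metadata.xml"
                  backingFilePath="federation-metadata.xml"
                  maxRefreshDelay="3600">

    <!-- Reject metadata without a validUntil attribute, or with one that
         lies more than 7 days (604800 s) in the future. This bounds how
         long an old, replayed copy of the file stays usable. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="604800"/>

    <!-- Verify the XML signature on the metadata against a locally stored
         copy of the federation's signing certificate. The certificate must
         be obtained and its fingerprint checked out of band, not fetched
         from the same location as the metadata. -->
    <MetadataFilter type="Signature" certificate="federation-signer.pem"/>

</MetadataProvider>
```

With the filters in place, a failed signature or an expired file causes the refresh to be rejected; the SP log shows the reason.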

Joining SWITCHaai

The procedure to become part of SWITCHaai is described on: How to join SWITCHaai

The List of SWITCHaai Participants

AAI Test Federation


As the name implies, this federation is for test and development purposes. There are no formal requirements to participate in the AAI Test Federation. However, it does not provide any trust or security whatsoever.

User Data

For data protection and security reasons it is not recommended to have real users in the AAI Test Federation.

Technical Framework

The same Attribute Specification is valid for the AAI Test Federation as for the production SWITCHaai Federation.
As for the SWITCHaai Federation, SWITCH provides up-to-date metadata files that are generated directly using the Resource Registry.

Joining AAI Test Federation

Since the AAI Test Federation is not a production federation, there are no formal requirements to join. However, it is intended for tests with the goal of later joining the production federation with a production IdP or SP. Basically, setting up a Shibboleth Identity Provider or Service Provider for the AAI Test Federation (see Technical Information page) and registering with the Resource Registry is all that is needed.

If you do not intend to join the production SWITCHaai Federation later, it is better to turn to TestShib to test your SAML IdP or SP setup.