Identity Provider Hosting
You don’t want to invest the resources to maintain your own AAI Identity Provider?
Let SWITCH operate it for you!
The SWITCHaai Identity Provider Hosting allows organizations to outsource
operations and maintenance of an Identity Provider (IdP) to SWITCH. The service
is primarily targeted at small and medium sized institutions who are saving costs
by mandating SWITCH to run their Shibboleth-based Identity Provider.
How the institution's IT benefits
- Your organization runs a user directory
- Your organization is a SWITCHaai Participant and is entitled to run its own IdP in the SWITCHaai Federation
- IdP in redundant and secure environment
- Software and security updates managed by SWITCH
- Service monitoring and alerting
- SWITCH has extensive Shibboleth know-how
- Primarily targeted at small and medium sized institutions
- Authority and responsibility of user directory as well as attribute management and release policy remain at customer
- Connection to customer’s user directory usually by encrypted LDAP connection (other methods possible, e.g. relational database)
- Unbundled service with separate tariff/pricing
Questions and answers
Which institutions do you provide this service to?
The Identity Provider Hosting service is available for SWITCH Community members and for other SWITCHaai Participants entitled to run their own IdP in the SWITCHaai Federation.
Is the connection to the customer’s user directory secure?
The connection to the user directory is encrypted by TLS. The customer should additionally configure appropriate firewall rule.
Do you only support connections to the user directory by LDAP?
No. LDAP is the default connection type included in the base service (includes support for Microsoft Active Directory). If needed, SWITCH can also connect to other user directories, e. g. directories based on relational databases. Additional fees may then apply.
Do you provide high availability?
Yes – partly. The system is set up on two servers, located at two separate data centers. If one server fails, the other one can take over. Failover is provided on a best-effort basis.
It should be noted that the availability of the IdP service also depends on the availability of the customer’s user directory, including its network connectivity. SWITCH can therefore not make binding statements about the overall availability of the IdP service.
Where are the servers located?
The servers are located at two data centers in Switzerland.
Is user data stored on the servers at SWITCH?
No. The user directory is located at and operated by the customer. On the IdP, only data required for persistency of session handling and user consent to attribute releases as well as minimal logs are saved. Data protection is aspired as much as possible.
Are user passwords stored on the servers at SWITCH?
No. The IdP will only forward the passwords to the user directory of the customer. The password is not recorded during this process, and it is never stored on the IdP.
Does the customer still have the control about the attribute release policy?
The customer’s AAI administrators have full control about the attributes to be released by the IdP.
Does the end user have the control about the attributes sent to the service providers?
The customer can choose to enable the user consent module, so that the attributes to be sent to a service provider are subject to the user’s approval.
What are the remaining duties of the customer?
- The customer is responsible for operating the user directory and maintaining the accuracy of its data.
- The customer ensures the accessibility of the user directory for the IdP servers.
- The customer manages the attribute release policy at the AAI Resource Registry.
- The customer needs to operate a service desk for its end users.
Does SWITCH provide support for end users?
No. Users still need to contact the customer’s own service desk if they have problems or questions. The IdP Hosting service includes support for the organisation’s designated contact persons for IdP Hosting.
How much does this service cost?
IdP Hosting is an unbundled service, as defined in the Service Regulations for Services by SWITCH: https://www.switch.ch/uni/terms. For SWITCH Community members, there’s an annual fee consisting of a basic fee and a variable component depending on the number of employees and students. For other SWITCHaai Participants, a similar pricing model applies. The minimum term of contract is 3 years.
For further information about pricing, please contact the SWITCHaai Team.