Frequently Asked Questions

User's FAQ

Technician's FAQ


User's FAQ

I cannot login / forgot my password. Who can help me?

Please turn to the helpdesk at your organisation. In doubt, consult the list of helpdesks.

What about privacy and data protection?

All the organisations participating in SWITCHaai are part of the same legal framework. The common ground is the SWITCHaai Service Description that covers in section 9.6 Data privacy and protection of personal rights the respective obligations.

What concerns the technology, security has also been implemented: SWITCHaai is based on the Security Assertion Markup Language (SAML) and the open-source software Shibboleth that implements SAML with a tight security concept bydesign. All user data exchanged between components involved is encrypted using secure SSL connections.

Which web resources can I access with my AAI-enabled account?

Some representative web resources are listed on the web resources page. A complete - but uncommented - list can be found in the AAI Resource Registry.

What do I have to do to get an AAI account?

If your Home Organization participates in the SWITCHaai Federation, you are automatically registered as an AAI user. User name and password are the same as for your account at your Home Organization. Check out the list of Home Organization's contact addresses. For more information, see the Join SWITCHaai section.

Technician's FAQ

What is "Shibboleth"?

Shibboleth is the open-source software used primarily by SWITCHaai. Together with the Security Assertion Markup Language (SAML) it provides the technical framework for SWITCHaai. For more information about Shibboleth, see the What's Shibboleth and How Shibboleth Works.

What happens when I access an AAI Resource?

When you try to access an AAI-enabled resource, your web browser is redirected to your Home Organization, you may have first to choose your Home Organization on the "Where Are You From" Server (WAYF). As soon as you have logged in, you are redirected back to the resource. Notice that once you have successfully authenticated, you don't have to repeat the process for other resources but can access them directly, provided your Home Organization has a single sign-on system implemented and you don't close your web browser in-between.
If you are interested in more details visit our demonstration site.

I submitted a form on an AAI-enabled resource, but the form data was not sent. What happened?

As an AAI-authenticated user you have a Shibboleth session set up. If this session expires, the web browser is redirected to your Home Organization to renew the session. During this process the submitted data may get lost and the Resource may react as if no data were submitted. You then either can fill out the form again or try to go back in your web browser until you find the page that contains the filled out form and submit it again. If this effect occurs often, you should contact the administrator of the Resource and ask him to increase the Shibboleth session timeout.

How does OpenID relate to SWITCHaai?

The document Digital Identities, SWITCHaai and OpenID introduces the terminology, covers characteristics of digital identities and discusses how SWITCHaai and OpenID relate to each other.

Does AAI need to store cookies?

Yes, AAI needs to store cookies in your web browser's cookie store. Only with cookies it is possible to reliably save the state whether a user has already been authenticated or not.

For which servers are cookies required and how long are they stored?

The involved AAI components will store multiple cookies for the following domains:

  1. The login site of your Home Organization. The cookie stores a session ID that is needed to know whether you are already authenticated or not. This cookie is required.
  2. The web server hosting the resource you want to access. Cookie stores a session ID and potentially the URL that you requested before being authenticated. This cookie is required.
  3. The WAYF Service stores your most recently selected Home Organization and resource. This allows the WAYF service to pre-select them the next time you return to the WAYF service. That way, you only need a single click to continue. This cookie is not mandatory to be saved but enhances usability. The names of these cookies are _saml_idp and _saml_sp


All cookies are so-called session cookies, except the one from the discovery service (WAYF) which is a persistent cookie. The session cookies exist only for the current web browser session. As soon as you close your web browser, they will be deleted and you have to authenticate again when accessing an AAI-protected service.
As mentioned above, the WAYF cookies only contain the IDs of the most recently accessed Home Organizations and Resources. These IDs are unpersonal and generic. They don't contain any information about you and they only can be read by web pages operated within the switch.ch domain.

Does AAI need JavaScript?

No, AAI does not need JavaScript to work properly. However, if JavaScript is disabled, one additional click will be needed when accessing a resource protected by AAI. Just after authentication at your Home Organization, your browser is sent back to the resource using a hidden HTML form. When JavaScript is enabled, this form is automatically submitted after the page is loaded. If JavaScript is disabled, the user has to click on the submit button to achieve the same thing manually.