Deployment Information for Federation Partners

While the page on how to become a Federation Partner outlines the legal aspects of joining SWITCHaai as a Federation Partner, this page provides an overview on how to install a Shibboleth Service Provider and configure one or more Resources for SWITCHaai.

Technical steps

  1. Shibboleth Demo (optional)
    If you are not yet familiar with the principle of federated identity management, you may have a look at our AAI demo page. This usually helps people who are new to Shibboleth to understand some basics about federated identity management and how Shibboleth works.

  2. Certificate
    In order to participate in SWITCHaai you need a certificate, which can be used for client authentication. SWITCH recommends to use a self-signed certificate. Most X.509 certificates used for web servers support c.ient authentiction and can be used as well.
    For the details, check out the certificate acceptance rules.
    In case of questiions, contact the SWITCHaai Team.

  3. Data protection
    AAI Attributes are the common basis on which two communicating entities are able to share information they know to interpret identically. The resource owner's first and foremost duty regarding attributes is privacy and data protection. For user privacy only request as few attributes as needed.

    For publishers, the attributes eduPersonEntitlement in combination with the IdP's EntityID or the swissEduPersonHomeOrganization should be sufficient in most cases. The attribute eduPersonEntitlement contains the value urn:mace:dir:entitlement:common-lib-terms for all university members authorized to access licensed content from publishers.

    For other Federation Partners, if you need a user identifier please request the persistent ID. Attributes often needed to decide whether a person gets educational discount for a shop operator are the attributes swissEduPersonHomeOrganizationType and eduPersonAffiliation or eduPersonScopedAffiliation. If you have any questions regarding attributes or you think you require more attributes, please contact us.

  4. Installing Shibboleth
    We provide deployment guides to install Shibboleth for several platforms (Windows, Linux). These guides can be found on the Service Provider Deployment page.
    They describe how to configure Shibboleth for the production SWITCHaai Federation.

  5. Register Resource
    Finally, the Resource has to be registered with the Resource Registry. This is initiated by SWITCH and you will receive further instructions on how to accomplish this. First, you should send an email to containing the following information:

    Organization Details
    • Organization name
    • Link to official Homepage
    • Short description of organization
    • Organization name and URL
    Resource Details
    • Name of resource
    • Short description of resource
    • Shibboleth providerID/entityID (standard convention
    Technical contact person information
    • Given name and surname
    • Postal address
    • Telephone number
    • Email address
    SAML Metadata of the SP
    • Include the SAML Metadata file for the SP you configured

    In order to register with the Resource Registry, the technical contact person should self-register a personal SWITCH edu-ID account. Further technical contact persons can self-register their own personal accounts. The first administrator can invite them all to adopt the role as resource administrator to be able to further modify the entry in the Resource Regsitry.
    Once the Resource is registered by this technical contact person and approved by the sponsoring SWITCHaai Participant from the SWITCH Community, the published metadata will contain a description of your Resource. Thus, all SWITCHaai Identity Providers will know the new Service Provider as soon as they refresh their metadata the next time. This happens once per hour.


If you have any questions or problems, feel free to contact us by phone +41 44 268 1505 or email (