AAI Tools

Table of Contents
These tools and services are developed and operated by SWITCH.

AAI Attribute Viewer

The AAI Attribute Viewer is a service operated by SWITCH that simply displays all the attributes that are available for a user. The service will request all attributes for a user, however, which attributes an organisation releases for a user depends on the organisation's attribute release policy.
The AAI Attribute Viewer also shows (group) attributes aggregated from the SWITCHtoolbox. In addition, descriptive organisation attributes part of the SAML metadata are shown as well.

Access the AAI Attribute Viewer

uApprove - IdP user consent extension

uApprove (BSD license) is a tool which gets the user's consent before releasing his/her attributes to a Shibboleth Service Provider. From the user's point of view he/she has to press an "OK" button in order to allow the transfer of the attributes. The user also has the option to release all attributes to all Service Providers, such that he/she will never be asked again. Experience shows that a large fraction of users prefer this option.
In addition, the Identity Provider administrator can also configure the uApprove such that the user has to accept the "Terms of Use" of the Identity Provider once before he/she can access any Service Providers.

More about uApprove

Group Management Tool (GMT)

The Group Management Tool (GMT) is a web application developed (BSD license) by SWITCH to create and manage groups of Shibboleth users from many different Identity Providers. The group information can be used by other web applications to make access control decisions. This is on one hand accomplished by generating Apache .htaccess files to restrict access to web server directories based on the unique ID of a user. On the other hand, the group information can be queried by a remote hosts via a PHP or Perl interface.

More about the Group Management Tool

Resource Registry - A Federation Manager, a web application

The Resource Registry is a central repository containing data about the identity providers (IdP) and service providers (SP) available within SWITCHaai. It collects general information about IdPs and SPs, such as the organization it belongs to and contact information. Additional data, e.g. description and purpose, is gathered for SPs. For data protection reasons, the owners of SPs have to declare the minimal set of attributes their SP requires. The Resource Registry implements a process for gathering and approving such declarations. The data is then used to generate the metadata files and attribute release policy files used by a majority of IdPs in the federation. These attribute filter files are important to comply with data protection and privacy requirements. While these files could also be managed locally (by each server administrator in the federation), the Resource Registry greatly simplifies that process and improves reliability.

More about the Resource Registry

Virtual Home Organization Service

In some cases there are users that don't have an AAI account but need access to an AAI-enabled resource. In that case the Virtual Home Organization (VHO) Service may be used. The VHO lets administrators create and maintain AAI accounts via a web interface. The attributes of VHO users mark them as special and in general they just have access to a particular resource.

More about the VHO Service

Swiss edu-ID

The Swiss edu-ID is a digital identity SWITCH is developing for persistent use by university members. It is designed to be secure and recognised worldwide. The Swiss edu-ID service allows users to create an account with self-registration. In contrast to the Virtual Home Organization where a VHO group administrator creates and manages the accounts, the Swiss edu-ID is user-centric and allows any user with a valid email address to create and manage his own account. Some data of a Swiss edu-ID account can be verified or linked with exististing AAI or social network identities, which then increases the level of assurance of an edu-ID identity.

More about the Swiss edu-ID

Discovery Service Options for SWITCHaai

The comparison between the different discovery services may help you to find the suitable solution for your SP. To guide the users from a service provider to her/his identity provider, SWITCHaai provides an official Central "Where Are You From" (WAYF) service. See it in action with the Attribute Viewer.
The implementation developed by SWITCH (BSD license) has several additional features compared to the official Shibboleth WAYF from Internet2. It's a lightweight PHP implementation that supports multiple languages and several ways of preselecting an identity provider.

More about the Discovery Service Options for SWITCHaai


The WAYF supports a feature called Embedded WAYF that allows easy integration directly into a web resource.

More about the Embedded WAYF

AAI for Mobile Apps

Up-to-now, apps on mobile devices like smartphones and tablets can only make use of AAI through a web browser. With 'AAI for Mobile Apps' up-to-date AAI attributes should become available to Apps without having the user to authenticate via a web browser.
By deploying a 'Mobile Proxy' server which is access protected by a Shibboleth SP and supports a subset of OAuth2.

More about 'AAI for Mobile Apps'

RemoteUserFilter for IdP

If the users on the Identity Provider side are authenticated against Active Directory, Kerberos or some older CAS versions, it may be necessary to modify the login name that is read by Shibboleth from the REMOTE_USER environment variable. For example, the user may enter john.d@someschoool.com (Kerberos username@REALM.XY) or otherschool\jane.d (Windows domain\samaccountname) as login name. However, if the username in the user directory is stored without the realm or domain, Shibboleth cannot fetch the proper attributes for this user. Therefore, one has to cut off the realm or domain from the entered login name. This can be done by the RemoteUserFilter.
The filter (BSD license) is basically placed between CAS (or another authentication system) and the Shibboleth Identity Provider and overwrites the getRemoteUser() function of a servlet request in order to modify the login name.

Remote User Filter for IdP

Download the RemoteUserFilter

X.509 login handler

Strong authentication with X.509 user certificates for Shibboleth IdP 2. SWITCH has contributed the "X.509 login handler" to the Shibboleth project.

Find the documentation and the link for the source code on the Shibboleth 2 Wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/X.509+Login+Handler

SWITCHaai JXPlorer Template

JXPlorere Template screenshot

Download SWITCHaai SwissEdu Schema Template for JXplorer

Shibboleth Log Viewer

Many things can go wrong when setting up a Shibboleth Identity Provider or Service Provider. In order to make the log entries of IdPs and SPs available to other Shibboleth administrators for debugging purposes, SWITCH has developed the "Shibboleth Log Viewer" (BSD license). This set of scripts (CGI PERL script and Javascript AJAX) can read and parse the Shibboleth log file. It's almost like the UNIX 'tail' command but the script also does syntax highlighting and auto-indenting of SAML messages. If you want to see it in action (best use Firefox), open the SP Log or IDP Log and access in a second web browser window a Shibboleth 2 Resource (use demouser/demo as login name/password)

Processing/extracting metadata information with XSLT

The metadata for the SWITCHaai federation include useful information about the participating organizations, which applications can potentially take advantage of – but they might need it in a somewhat different format. In this case, an XSL transformation comes in handy for quickly extracting the relevant information: as an example, this XSL stylesheet extracts the DNS domain names from the DomainHint elements of all identity providers of the federation and outputs a list of the DNS domains with the entityId of the respective IdP:
  <idp domain="bfh.ch">https://aai-logon.bfh.ch/idp/shibboleth</idp>
  <idp domain="campus-kreuzlingen.ch">https://aai-logon.phtg.ch/idp/shibboleth</idp>
  <idp domain="chuv.ch">https://idp.chuv.ch/idp/shibboleth</idp>
  <idp domain="cscs.ch">https://aai-logon.ethz.ch/idp/shibboleth</idp>
XSL transformations can be applied in many environments or applications. For testing purposes, the xsltproc command-line tool can be used to apply an XSL transformation:
xsltproc domain_to_idp_entityid.xsl metadata.switchaai.xml
Note that the output of an XSL transformation doesn't necessarily have to be another XML document, it is also possible to generate plain-text output.