AAI Tools

Table of Contents
These tools and services are developed and operated by SWITCH.

AAI Attribute Viewer

The AAI Attribute Viewer is a service operated by SWITCH that simply displays all the attributes that are available for a user. The service will request all attributes for a user, however, which attributes an organisation releases for a user depends on the organisation's attribute release policy.
The AAI Attribute Viewer also shows (group) attributes aggregated from the SWITCHtoolbox. In addition, descriptive organisation attributes part of the SAML metadata are shown as well.

Access the AAI Attribute Viewer

Resource Registry - A Federation Manager, a web application

The Resource Registry is a central repository containing data about the identity providers (IdP) and service providers (SP) available within SWITCHaai. It collects general information about IdPs and SPs, such as the organization it belongs to and contact information. Additional data, e.g. description and purpose, is gathered for SPs. For data protection reasons, the owners of SPs have to declare the minimal set of attributes their SP requires. The Resource Registry implements a process for gathering and approving such declarations. The data is then used to generate the metadata files and attribute release policy files used by a majority of IdPs in the federation. These attribute filter files are important to comply with data protection and privacy requirements. While these files could also be managed locally (by each server administrator in the federation), the Resource Registry greatly simplifies that process and improves reliability.

More about the Resource Registry

Virtual Home Organization Service

In some cases there are users that don't have an AAI account but need access to an AAI-enabled resource. In that case the Virtual Home Organization (VHO) Service may be used. The VHO lets administrators create and maintain AAI accounts via a web interface. The attributes of VHO users mark them as special and in general they just have access to a particular resource.

More about the VHO Service

Swiss edu-ID

The Swiss edu-ID is a digital identity SWITCH is developing for persistent use by university members. It is designed to be secure and recognised worldwide. The Swiss edu-ID service allows users to create an account with self-registration. In contrast to the Virtual Home Organization where a VHO group administrator creates and manages the accounts, the Swiss edu-ID is user-centric and allows any user with a valid email address to create and manage his own account. Some data of a Swiss edu-ID account can be verified or linked with exististing AAI or social network identities, which then increases the level of assurance of an edu-ID identity.

More about the Swiss edu-ID

Discovery Service Options for SWITCHaai

The comparison between the different discovery services may help you to find the suitable solution for your SP. To guide the users from a service provider to her/his identity provider, SWITCHaai provides an official Central "Where Are You From" (WAYF) service. See it in action with the Attribute Viewer.
The implementation developed by SWITCH (BSD license) has several additional features compared to the official Shibboleth WAYF from Internet2. It's a lightweight PHP implementation that supports multiple languages and several ways of preselecting an identity provider.

More about the Discovery Service Options for SWITCHaai

SWITCH Embedded WAYF

The WAYF supports a feature called Embedded WAYF that allows easy integration directly into a web resource.

More about the Embedded WAYF

Processing/extracting metadata information with XSLT

The metadata for the SWITCHaai federation include useful information about the participating organizations, which applications can potentially take advantage of – but they might need it in a somewhat different format. In this case, an XSL transformation comes in handy for quickly extracting the relevant information: as an example, this XSL stylesheet extracts the DNS domain names from the DomainHint elements of all identity providers of the federation and outputs a list of the DNS domains with the entityId of the respective IdP:
<idps>
  <idp domain="bfh.ch">https://aai-logon.bfh.ch/idp/shibboleth</idp>
  <idp domain="campus-kreuzlingen.ch">https://aai-logon.phtg.ch/idp/shibboleth</idp>
  <idp domain="chuv.ch">https://idp.chuv.ch/idp/shibboleth</idp>
  <idp domain="cscs.ch">https://aai-logon.ethz.ch/idp/shibboleth</idp>
  ...
</idps>
XSL transformations can be applied in many environments or applications. For testing purposes, the xsltproc command-line tool can be used to apply an XSL transformation:
xsltproc domain_to_idp_entityid.xsl metadata.switchaai.xml
Note that the output of an XSL transformation doesn't necessarily have to be another XML document, it is also possible to generate plain-text output.