Classic Attribute Model

The classic attribute model of the SWITCH edu-ID has been designed to be compatible with services in the SWITCHaai federation that "know" nothing of edu-ID. These services can be accessed by users with edu-ID the same way as before with the organizational SWITCHaai account. The only difference from a user perspective is that authentication happens at the SWITCH edu-ID IdP instead of the organizational IdP.

With the classic attribute model, a service gets attribute information compliant to the SWITCHaai attribute specification. From the perspective of the service, it just gets an attribute assertion from one HomeOrg. In the diagram below, this would be an assertion from either HomeOrg UniA (A), or HomeOrg UniB (B) or HomeOrg eduid.ch (P). No configuration changes or other adaptations are necessary to support users with an edu-ID account.

Configuration Options

Classic attribute model

With the classic, university members only configuration, a service only gets the assertion from one current affilation of a user. If a user has more than one affiliation, the SWITCH edu-ID affiliation chooser kicks in where the user picks the desired affiliation to access the service. Users without at least one current affiliation are denied access.

In the diagram above, the service would either get the attribute assertion A or B, depending on the user's choice in the discovery service or the affiliation chooser.

Note that the type of accepted home organizations can be further specified in the intended audience setting in the resource registry.

edu-ID Only

With the edu-ID only configuration, a service gets the assertion from the personal part of an edu-ID identity - regardless of any current affiliations.

In the diagram above, the service would only get the attribute assertion P.

Note that a service can request additional attributes (the red dashed box above) that are typically only supported by the edu-ID IdP like group membership, attribute quality statements or the ORCID identifier.

Optionally, a service can get limited affiliation information from linked current affiliations by configuring and evaluating the following attributes:

  • the list of organizational unique-IDs (swissEduIDLinkedAffiliationUniqueID)
  • the list of organizational email addresses (swissEduIDLinkedAffiliationMail)
  • the list of organizational scoped-affiliations (swissEduIDLinkedAffiliation)

All users allowed

With the all users allowed configuration, a service gets the assertion from the personal part of an edu-ID identity or from the current affilation of a user. If a user has one or more affiliations, the SWITCH edu-ID affiliation chooser kicks in where the user picks the desired part of the identity to access the service.

In the diagram above, the service would either get the attribute assertion A, B or P.