Linking Methods

There are multiple approaches how an organizational user identity can be linked to the (personal part of the) edu-ID identity. For an organization that has integrated edu-ID - and is no longer operating its own IdP - it is required to establish a link.

The link for a user is established if

  • the organization "knows" the edu-ID identifier of the user (only used to create a link)
  • edu-ID "knows" the organizational-unique-Identifier of the user

After linking the organizational and the edu-ID identity, the edu-ID service creates a "current" organizational affiliation. The attributes in the current affiliation and the organizational identity are kept in sync - with the organization being the provider. SWITCH edu-ID offers multiple methods to manage and synchronize affiliations.

 

linking-model

Organizational and edu-ID identity after linking

 

Save

Save

Save

Save

Save

Save

Save

Save

Save

 

These linking methods are currently supported by SWITCH edu-ID

Organizational Registration Form

With this approach, the organization offers a public registration web form. The basic idea is to make sure users have an edu-ID before they register at the university.

On a public information page, the user is asked to proceed to an edu-ID-protected registration page hosted by the organization. Users gains access to that page by authenticating with their edu-ID. If the user does not already have an edu-ID, it can be created on the fly.

As a result the user is redirected to the registration page and the organization gets the user's edu-ID identifier which can be stored in the local directory.

Later, if/when the user has been admitted, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.

Check these details about the registration page.

 

Organizational Linking Service with SP

In this approach, the organization operates a linking service, which is a web page. The basic idea is to have a user authenticate at the organization, and then also at edu-ID. If both authentications succeed the link can be established.

The user is asked to go to a local protected web page hosted by the organization. The user accesses that page by authenticating against the local directory. If the edu-ID identifier is known for the user, the link has already been established and the user can stop. Otherwise, the user is informed that the link is missing and that it should be established by authenticating with the edu-ID. Users without an edu-ID can create one on the fly.

As a result the organization gets the user's edu-ID identifier which can be stored in the local directory. To complete the bidirectional link, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.

The detailed process of an organizational linking service is described here.

 

Organizational Linking Service with Token

This linking approach is similar to the organizational linking service above. The main difference is that the web page (edu-ID authn) that requires authentication with edu-ID is hosted by SWITCH and not by the organization.

This approach may be preferable for organizations that don't want to operate a Sibboleth SP just for the linking service. The disadvantage compared to a proper SP is that the edu-ID login page can't be customized, and that the set of returned attributes is limited to the edu-ID identifier and the private email address.

The detailed process how an organization can obtain the edu-ID identifier in this scenario is described here.

eMail-based Linking Service

SWITCH edu-ID has a built-in linking service that can be used by organization members, who have an organizational email address.

With this method, a user navigates to the my edu-ID account page eduid.ch and adds the organizational email address. If an organization has been configured for this linking method, their email addresses are recognized by matching a pattern like "*@university.ch". The email address is used to fetch the according user record in the organizational directory, and a new current affiliation is created. The email address is only used to create an initial affiliation. For all subsequent update processes another unique identifier is used.

With this method, the organizational identity is unidirectionally linked to the edu-ID identity. The organization does not have to implement a linking service.

To synchronize attributes, this linking method is compatible with pull with organizational attribute provider and pull with hosted attributed provider.

Details of the eMail-based linking method are described here.

eduid-based-linking2 

Manual Linking via mail message

In the manual linking approach, an email containing a user's edu-ID identifier is sent to HR, who has to manually add it to the organizational directory. It is divided into the following steps:

  1. The user is asked to visit a linking web-page, hosted by SWITCH. The invitations may be sent by email, by printed letter or any other means.
  2. To access the linking page a user needs to log in with his/her edu-ID. An edu-ID may have to be created on the fly, if the user does not already have one.
  3. The linking page contains some organization-specific explanation text - plus one button.
  4. By clicking on the button, an email is sent to a pre-defined email address containing the name and the edu-ID identifier of the user. Typically, the email recipient is a service desk at the organization's HR departement.
  5. The HR department checks incoming emails for their legitimacy.
  6. If the emal is legit, HR manually copies the user's edu-ID identifier to the user record in the oganizational directory.
  7. To complete the bidirectional link, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.

Advantages of this approach: 

  • Requires the least technical extensions

Drawbacks of this approach:

  • Involves manual interactions and consequently does not scale well
  • Prone to human errors
  • Registration page is difficult to protect. It could be misused to spam/DOS the email recipient

The registration page can be protected with an alphanumeric PIN code. HR should make sure that the PIN is only disclosed to persons who are supposed to use the registration service. To protect the registration page please contact us.

 

Linking methods compared

  Implementation and operation possible  attribute syncing methods
Organizational Registration Page by university push or pull
Organizational Linking Service
(with SP or Token)

by university

push or pull
eMail-based Linking

by SWITCH

pull with organizational AP
pull with hosted AP
SWITCH Linking Service via AAI by SWITCH pull via SAML
Manual Linking via mail message

by SWITCH

push or pull

 

Save