Organizational Linking Service with SP
This is a more detailed description of the organizational linking service.
To set up an organizational linking service, an organization needs to implement two web pages: start-linking and linking-confirmation.
- This page is only accessible for intranet users with a valid intranet session of the organization.
- Since the user is identified, the page checks if the user has already linked the intranet account to the edu-ID. This is done by looking up the user in the local directory and checking if the edu-ID-Identifier (swissEduID) is known for that person.
- If the edu-ID identifier is known, the user is informed that linking has already been done. The basic message to the user is:
You have already previously linked your edu-ID to your university account. If you are authorized you have access to services. When asked during the login, select your organisation from the list and log in with your edu-ID password. No further action is required now.
- If the edu-ID identifier is not yet known, then the user is asked to initiate the linking process. The basic message is:
Dear User, in order to access various services you need a SWITCH edu-ID account which is connected to your university account. By clicking 'continue' you will be asked to log in with your SWITCH edu-ID. If you don't already have a SWITCH edu-ID you can create one on the fly.
'Continue': link to linking-confirmation.
Between clicking 'Continue' on the start-linking page and arriving on the linking-confirmation page a lot may happen for the user. The user is asked to log in with the edu-ID. If the user has no edu-ID, he or she can create one on the fly. Finally the user is asked for permission to send the personal edu-ID data back to the linking-confirmation page. All these steps are handled by the edu-ID service.
- This page is only accessible if the user was able to log in with his or her SWITCH edu-ID account. This can be enforced in various ways:
- the page is a protected page in a Shibboleth Service Provider. See the SWITCHaai SP set-up and configuration guide.
- the page is a protected ADFS resource and configured for SAML.
- the page is a protected resource using other SAML implementations.
- Since the user is identified by edu-ID, the page has access to the assertion of a valid Shibboleth session.
- Store the edu-ID identifier (swissEduID) that comes with the Shibboleth session in the local directory.
- Complete the bidirectional linking by creating an affiliation through the affiliation API (depending on the organization's IdM process this step may be optional).
- The basic message to the user is:
You have successfully completed the linking of your edu-ID to your university account. If you are authorized you have access to services. When asked during the login, select your organisation from the list and log in with your edu-ID password.
- To avoid problems with users sharing the same computer/browser, the start-linking and linking-confirmation pages should enforce re-authentication for each access, i.e. disable SSO. This can be achieved by adapting the
shibboleth2.xml configuration file of your Linking Service SP as follows (see also https://wiki.shibboleth.net/confluence/display/SP3/SSO)
<SSO entityID="https://eduid.ch/idp/shibboleth" forceAuthn="true"> SAML2 </SSO>
- The linking-confirmation page should be configured
- to accept only the private part of an edu-ID identity
- to require the attribute swissEduID. Send an email to email@example.com to have the attribute activated by SWITCH staff.
- For the Shibboleth SP, make sure to have the required attributes (swissEduID and possibly others) configured in the attribute-map.xml file. Get a current version of this file from the section Quick Configuration Files Download of the SWITCHaai SP configuration guide.
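The two pages described above, as an added Python example that is not SWITCH's or any university's code. It assumes the directory is an in-memory dict keyed by intranet uid, the intranet identity is the uid from the local session, and the Shibboleth attributes are read from the environment the SP exports for the protected page (Shib-Identity-Provider and the swissEduID attribute from attribute-map.xml); the edu-ID entityID is the one from the shibboleth2.xml snippet, and the affiliation API call is left out as organization-specific.

```python
from dataclasses import dataclass, field

# From the page: the edu-ID IdP entityID and the attribute id exported by attribute-map.xml.
EDUID_IDP = "https://eduid.ch/idp/shibboleth"
EDUID_ATTR = "swissEduID"


@dataclass
class Directory:
    """Constructed in-memory stand-in for the organization's directory: uid -> attribute dict."""
    records: dict = field(default_factory=dict)

    def edu_id_of(self, uid):
        return self.records[uid].get(EDUID_ATTR)

    def owner_of(self, edu_id):
        # Which local account, if any, already holds this swissEduID.
        return next((u for u, r in self.records.items() if r.get(EDUID_ATTR) == edu_id), None)


def start_linking(directory, intranet_uid):
    """start-linking page: needs a valid intranet session; tells the user whether to proceed."""
    if intranet_uid not in directory.records:
        raise PermissionError("valid intranet session required")
    if directory.edu_id_of(intranet_uid):
        return {"state": "already_linked", "next": None}
    return {"state": "not_linked", "next": "/linking-confirmation"}


def confirm_linking(directory, intranet_uid, sp_env):
    """linking-confirmation page: sp_env is the environment the Shibboleth SP exports for the
    protected resource (assertion attributes, never client-supplied HTTP headers)."""
    if intranet_uid not in directory.records:
        raise PermissionError("valid intranet session required")
    # Accept only sessions established by the edu-ID IdP; other IdPs must not reach this page.
    if sp_env.get("Shib-Identity-Provider") != EDUID_IDP:
        raise PermissionError("Shibboleth session not issued by the edu-ID IdP")
    edu_id = sp_env.get(EDUID_ATTR)
    if not edu_id:
        raise PermissionError("required attribute swissEduID missing from the assertion")
    owner = directory.owner_of(edu_id)
    if owner is not None and owner != intranet_uid:
        # One swissEduID may be linked to exactly one local account.
        raise PermissionError("this edu-ID is already linked to another account")
    directory.records[intranet_uid][EDUID_ATTR] = edu_id
    # Creating the affiliation through the affiliation API is organization-specific; omitted here.
    return {"state": "linked", EDUID_ATTR: edu_id}
```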
Example linking service
The following screenshot series illustrates the linking process at an organization. The University of Lucerne has kindly granted us permission to publicly show their implementation of the linking service.