Technical accounts

A technical account is a SWITCH edu-ID account used primarily for testing, debugging or monitoring purposes. Once created, technical accounts can be managed like normal edu-ID user accounts. The differences to normal accounts are:

  • they should not represent real persons
  • they are owned by an organisation and are created by administrators of the organisation
  • their identifier attribute values (swissEduPersonUniqueID, swissEduID) start with '0000'
  • they have an eduPersonEntitlement value of the form
    where homeOrgName represents the scope of the home organisation responsible for the account according to its swissEduPersonHomeOrganisation value. Examples:
    This attribute is released to every service, even if this attribute is not requested. This is to ensure that services know that this is a technical account even if they don't process the swissEduPersonHomeOrganisation attribute.
    Please note that the entitlement value is automatically released for the personal part of a technical account only. If a technical account is linked with an organisational affiliation and if this affiliation then is used to access a service, the entitlement is not added to the set of available attributes. If the entitlement is required in the affiliation it has to be provisioned by the organization via the affiliation update mechanism.
  • the administrators (and the organisation owning the technical account) are responsible and liable for the technical account's use
  • the duplicate prevention heuristic is disabled for technical accounts, and they are never merged to resolve a potential duplicate conflict.

Please also note that technical edu-ID accounts:

  • must always have a primary e-mail address for which e-mail messages are read. This is to ensure that the owners of a technical account can be contacted
  • consist primarily of a private edu-ID account. If one links organisation affiliations/identities to a technical account, the organisations whose affiliation was linked is also fully responsible for the use of this linked affiliation/identity
  • must only be used to access services whose administrators have in advance been informed about the existence of this technical account
  • are reviewed twice a year by the home organisation administrators of the organisation owning them

Managing technical accounts

Technical accounts can only be created by (Home Organization) administrators of a SWITCHaai member organisation (people registered as administrators on the AAI Resource Registry). Most function and features can be managed either in the web interface or via the Users API:

Protecting technical accounts

We recommend to use Two-Step Login with the "Authenticator app codes" mode for your technical accounts.
It's easy to handle multiple accounts in an authenticator app. Give a descriptive name to the corresponding profile in your app before you add the next profile/account.

NOTE: FreeOTP does not yet handle multiple accounts properly. Therefore, we recommend that you install one of the other apps for the use of technical accounts.

Restricting technical accounts

Read only accounts

Home Organisation administrators can configure technical accounts in a way that they can no longer be modified by somebody who has credentials for this account. These read-only accounts can be used to access AAI services but their user data cannot be modified on My edu-ID.

Restrict permitted service providers

Home Organisation administrators can restrict acces of technical accounts to a set of permitted service providers. To restrict the access, a list of entity-IDs of the permitted services is to be defined.