There are multiple approaches how an organizational user identity can be linked to the (personal part of the) edu-ID identity. For an organization that has integrated edu-ID - and is no longer operating its own IdP - it is required to establish a link.
The link for a user is established if
- the organization "knows" the edu-ID identifier of the user (only used to create a link)
- edu-ID "knows" the organizational-unique-Identifier of the user
After linking the organizational and the edu-ID identity, the edu-ID service creates a "current" organizational affiliation. The attributes in the current affiliation and the organizational identity are kept in sync - with the organization being the provider. SWITCH edu-ID offers multiple methods to manage and synchronize affiliations.
Organizational and edu-ID identity after linking
These linking methods are currently supported by SWITCH edu-ID
- Organizational Registration Form
- Organizational Linking Service with SP
- Organizational Linking Service with Token
- eduID-based Linking Service (under development)
- AAI-based Linking Service
- Manual Linking via eMail
With this approach, the organization offers a public registration web form. The basic idea is to make sure users have an edu-ID before they register at the university.
On a public information page, the user is asked to proceed to an edu-ID-protected registration page hosted by the organization. Users gains access to that page by authenticating with their edu-ID. If the user does not already have an edu-ID, it can be created on the fly.
As a result the user is redirected to the registration page and the organization gets the user's edu-ID identifier which can be stored in the local directory.
Later, if/when the user has been admitted, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.
Check these details about the registration page.
In this approach, the organization operates a linking service, which is a web page. The basic idea is to have a user authenticate at the organization, and then also at edu-ID. If both authentications succeed the link can be established.
The user is asked to go to a local protected web page hosted by the organization. The user accesses that page by authenticating against the local directory. If the edu-ID identifier is known for the user, the link has already been established and the user can stop. Otherwise, the user is informed that the link is missing and that it should be established by authenticating with the edu-ID. Users without an edu-ID can create one on the fly.
As a result the organization gets the user's edu-ID identifier which can be stored in the local directory. To complete the bidirectional link, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.
The detailed process of an organizational linking service is described here.
This linking approach is similar to the organizational linking service above. The main difference is that the web page (edu-ID authn) that requires authentication with edu-ID is hosted by SWITCH and not by the organization.
This approach may be preferable for organizations that don't want to operate a Sibboleth SP just for the linking service. The disadvantage compared to a proper SP is that the edu-ID login page can't be customized, and that the set of returned attributes is limited to the edu-ID identifier and the private email address.
The detailed process how an organization can obtain the edu-ID identifier in this scenario is described here.
This Service is curently under development. Planned release date: Summer 2022.
SWITCH edu-ID has a built-in linking service that can be used by organization members, who have an organizational email address.
With this method, a user navigates to the my edu-ID account page eduid.ch and adds the organizational email address. If an organization has been configured for this linking method, their email addresses are recognized by matching a pattern like "*@university.ch". The email address is used to fetch the according user record in the organizational directory, and a new current affiliation is created. The email address is only used to create an initial affiliation. For all subsequent update processes another unique identifier is used.
With this method, the organizational identity is unidirectionally linked to the edu-ID identity. The organization does not have to implement a linking service, and the implementation and operation of the attribute provider can be outsourced to SWITCH.
SWITCH edu-ID has a built-in linking service that can be used by organization members, who have an organizational SWITCHaai account.
With this method, a user navigates to the my edu-ID account page eduid.ch, selects 'Create account' and the proceeds with a common AAI login on the following page, as shown in the screenshots below. After successful authentication - and after the user has defined an edu-ID password -, an edu-ID account is created based on the attribute information of the user's AAI account.
Note that this method can only be used by organizations who run their own IdP in the federation. Organizations who have integrated edu-ID and hence migrated their IdP into edu-ID can't use this linking method.
In the manual linking approach, an email containing a user's edu-ID identifier is sent to HR, who has to manually add it to the organizational directory. It is divided into the following steps:
- The user is asked to visit a linking web-page, hosted by SWITCH. The invitations may be sent by email, by printed letter or any other means.
- To access the linking page a user needs to log in with his/her edu-ID. An edu-ID may have to be created on the fly, if the user does not already have one.
- The linking page contains some organization-specific explanation text - plus one button.
- By clicking on the button, an email is sent to a pre-defined email address containing the name and the edu-ID identifier of the user. Typically, the email recipient is a service desk at the organization's HR departement.
- The HR department checks incoming emails for their legitimacy.
- If the emal is legit, HR manually copies the user's edu-ID identifier to the user record in the oganizational directory.
- To complete the bidirectional link, the organization informs the edu-ID service about the new affiliation by calling the edu-ID affiliation REST API.
Advantages of this approach:
- Requires the least technical extensions
Drawbacks of this approach:
- Involves manual interactions and consequently does not scale well
- Prone to human errors
- Registration page is difficult to protect. It could be misused to spam/DOS the email recipient
The registration page can be protected with an alphanumeric PIN code. HR should make sure that the PIN is only disclosed to persons who are supposed to use the registration service. To protect the registration page please contact us.
Linking methods compared
|Applicable to link new members||Applicable to link current members|
|Organizational Registration Page||At registration||-|
|Organizational Linking Service
(with SP or Token)
|Before day X
After day X
|SWITCH Linking Service via AAI||-||Before day X|
|Manual Linking via email||
|Before day X
After day X