The section on linking methods describes various approaches to establishing a link between a user's local organizational identity and her edu-ID identity. The result of this linking process is that the organization "knows" the edu-ID identifier of each of its members. However, the link has to be bidirectional: the edu-ID service also has to "know" about a user who becomes a member of an organization. This is done by adding the affiliation (identified by the organizational unique identifier) to the user's edu-ID identity.
When a user accesses a service provider, the edu-ID IdP must be able to deliver up-to-date organizational attribute information for that user. Therefore an organization synchronizes the complete set of organizational attributes to edu-ID via the push or the pull method.
Approaches to update the Affiliation Status of Organization Members
The edu-ID service supports two basic methods to synchronize the list of current members at an organization with the current affiliations database at edu-ID: the Push Method and the Pull Method.
Push method: the organization immediately sends attribute changes and status updates of an individual member to edu-ID. Whenever possible, an organization is recommended to use the push method.
Pull method: the organization provides a list of all its current affiliations via the attribute provider interface. The edu-ID attribute aggregator regularly polls the organization's attribute provider for affiliation information and status updates of its members. The attribute aggregator currently polls for updates once per day.
Special Case: Attribute Pull via SAML for non-migrated Organizations
Users can create edu-ID identities and link them to their organizational AAI account before the organization as a whole integrates edu-ID. The affiliations of these users are updated daily via SAML attribute queries to the organizational AAI IdP.
Figure: Organization pushes attributes
Figure: edu-ID pulls attributes
Typically, an organization decides to implement either push or pull. In some cases, an organization may want to combine the advantages of the two methods. It is possible - and sometimes preferable - to implement the push method to create an affiliation, whereas the affiliation update and deletion take place via pull.
The affiliation updates are designed to cover the following identity management processes:
| Process | Organization → edu-ID push | edu-ID ← Organization pull |
|---|---|---|
| Onboarding | SCIM API: POST request | AP-API: a member appears in the list of affiliations |
| Attribute updates | SCIM API: PUT request | AP-API: attributes have changed in the list of affiliations |
| Offboarding | SCIM API: DELETE request | AP-API: a member disappears from the list of affiliations |
| Blocking / unblocking | SCIM API: PUT request setting swissEduIDAffiliationStatus to current or suspended | an affiliation is manually (un)blocked in the org-admin portal |
- SCIM (Affiliation) API: a REST API based on the SCIM specification for updating affiliations, provided by edu-ID
- AP-API: the organization provides access to user attributes via a simple HTTP-based Attribute Provider API.
- org-admin interface: a web application where an organization can manage current affiliations.
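The mapping in the table above, as an added example that is not part of the edu-ID documentation: a Python function that derives the onboarding, attribute-update, offboarding and (un)blocking events from two consecutive pull-style affiliation snapshots and names the SCIM request the push method would send for each. The per-member key `uid`, the `mail` attribute and the sample snapshots are assumptions; only `swissEduIDAffiliationStatus` and its values `current`/`suspended` come from the page.

```python
# Added example (not from the edu-ID documentation): derives the identity
# management events of the table above from two pull-style affiliation
# snapshots and maps each to the SCIM request the push method would use.
# The member key "uid" and the "mail" attribute are assumptions; only
# swissEduIDAffiliationStatus and its values current/suspended are from the page.

STATUS = "swissEduIDAffiliationStatus"


def diff_affiliations(previous, current):
    """Compare two affiliation lists (dicts keyed by a per-member uid).

    Returns (process, push_operation, uid) tuples: onboarding for members
    that appear, offboarding for members that disappear, blocking/unblocking
    when the affiliation status flips between 'current' and 'suspended', and
    a plain attribute update for any other change.
    """
    events = []
    for uid in sorted(set(previous) | set(current)):
        before, after = previous.get(uid), current.get(uid)
        if before is None:
            events.append(("Onboarding", "POST", uid))
        elif after is None:
            events.append(("Offboarding", "DELETE", uid))
        elif before == after:
            continue  # unchanged member: no request needed
        elif before.get(STATUS) != after.get(STATUS):
            if after.get(STATUS) not in ("current", "suspended"):
                raise ValueError(f"{uid}: unknown status {after.get(STATUS)!r}")
            events.append(("Blocking / unblocking", "PUT", uid))
        else:
            events.append(("Attribute updates", "PUT", uid))
    return events


# Constructed sample snapshots: yesterday's and today's list of affiliations
# as an AP-API poll would return them.
YESTERDAY = {
    "u100": {"mail": "alice@example.org", STATUS: "current"},
    "u101": {"mail": "bob@example.org", STATUS: "current"},
    "u102": {"mail": "carol@example.org", STATUS: "current"},
}
TODAY = {
    "u100": {"mail": "alice@example.org", STATUS: "current"},
    "u101": {"mail": "bob@example.org", STATUS: "suspended"},
    "u103": {"mail": "dave@example.org", STATUS: "current"},
}

if __name__ == "__main__":
    for process, op, uid in diff_affiliations(YESTERDAY, TODAY):
        print(f"{uid}: {process} -> SCIM {op}")
```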
In addition to the AP-API, the edu-ID service also provides a SAML interface for the pull mode. In this case, the organization operates a SAML IdP that responds to attribute queries. This interface is available on request for special purposes.