Processes to link current members to edu-ID

An organisation that adopts SWITCH edu-ID needs to provide mechanisms to link the local identities of new members (staff, students etc.) to edu-ID identities. Existing members of an organisation are usually treated differently, because they already have a local organisational account and in most cases also a SWITCHaai account.

In the scenarios below, Day X denotes the flag day on which the edu-ID IdP takes over from the organisational SWITCHaai IdP; from then on, organisation members log in with their edu-ID to access services. After Day X, the organisation no longer operates a Shibboleth IdP.

The sections below describe different approaches to equip organisation members with an edu-ID that is linked to the local organisational account.

Link current members before day X

  1. Users are asked to go to their edu-ID account. If they don't already have an edu-ID, they should create an account first.
  2. Using the aai account linking service, users link their aai account to their edu-ID.
  3. At Day X, edu-ID sends the organisation a list of all aai-uniqueIDs with their associated edu-ID identifiers.
  4. The organisation imports the list and associates the edu-ID identifier of each member with the local user identity.

Remarks:

  • The organisation members are invited to become active and create and link their identities. Not all users may follow these instructions.
  • edu-ID can send an organisation a list of users who have an edu-ID organisational link. Based on that list, the organisation can determine which members don't have a linked account, and resend the account linking invitation.
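As an added example that is not part of the original page or of any SWITCH tooling, the following Python script performs step 4 of the process above together with the check from the second remark: it imports the Day X list, links each edu-ID identifier to the local account of the matching aai-uniqueID, lists the members who still need a linking reminder, and holds back any entry that is ambiguous instead of importing it. The two-column CSV layout, the identifiers and the local directory are constructed assumptions; the page does not specify the list format.

```python
import csv
import io
from typing import Dict, Set

# Constructed sample of the list edu-ID sends on Day X. The page does not specify
# a format; a two-column CSV is assumed here. Identifiers are made-up placeholders.
EDUID_LINK_LIST = """aai_uniqueid,eduid_identifier
alice@example.edu,EDUID-CONSTRUCTED-0001
alice@example.edu,EDUID-CONSTRUCTED-0001
bob@example.edu,EDUID-CONSTRUCTED-0002
bob@example.edu,EDUID-CONSTRUCTED-0099
carol@example.edu,EDUID-CONSTRUCTED-0003
erin@example.edu,EDUID-CONSTRUCTED-0003
zed@example.edu,EDUID-CONSTRUCTED-0004
"""

# Constructed local directory: aai-uniqueID -> local organisational account.
LOCAL_MEMBERS = {"alice@example.edu": "alice", "bob@example.edu": "bob",
                 "carol@example.edu": "carol", "dave@example.edu": "dave",
                 "erin@example.edu": "erin"}


def reconcile(link_csv: str, local_members: Dict[str, str]) -> dict:
    """Match the edu-ID list against the local directory.

    Only unambiguous one-to-one pairs are linked. An aai account claimed by two
    edu-IDs, or an edu-ID claimed by two aai accounts, goes to manual review, and
    entries for aai-uniqueIDs unknown locally are reported, never imported.
    """
    by_aai: Dict[str, Set[str]] = {}    # aai-uniqueID -> edu-ID identifiers claimed
    by_eduid: Dict[str, Set[str]] = {}  # edu-ID identifier -> aai-uniqueIDs claiming it
    unknown: Set[str] = set()
    for row in csv.DictReader(io.StringIO(link_csv)):
        aai = row["aai_uniqueid"].strip()
        eduid = row["eduid_identifier"].strip()
        if aai not in local_members:
            unknown.add(aai)  # not one of our members: never import
            continue
        by_aai.setdefault(aai, set()).add(eduid)
        by_eduid.setdefault(eduid, set()).add(aai)
    conflicts = {aai for aai, ids in by_aai.items() if len(ids) > 1}
    conflicts |= {aai for aais in by_eduid.values() if len(aais) > 1 for aai in aais}
    linked = {local_members[aai]: next(iter(ids))
              for aai, ids in by_aai.items() if aai not in conflicts}
    # Members absent from the list have no linked edu-ID yet: resend the invitation.
    reinvite = sorted(local_members[aai] for aai in local_members if aai not in by_aai)
    return {"linked": linked, "reinvite": reinvite,
            "conflicts": sorted(conflicts), "unknown": sorted(unknown)}
```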

Link current members at day X

  1. edu-ID sends the organisation a list of users who already have an edu-ID organisational link.
  2. The organisation imports the list and associates the edu-ID identifier of each member with the local user identity.
  3. For all members who are not in the imported list, the organisation creates an edu-ID with an organisational link at Day X.

Remarks:

  • There is a considerable risk of creating duplicates: edu-ID can only determine users who have an edu-ID with a link to a specific organisation. It is not possible to automatically determine organisation members who do have an edu-ID account that is just not yet linked to the organisation. With this linking approach, users who already have an edu-ID will get another edu-ID created by the organisation.
  • The organisation creates edu-ID accounts for some of their members which contradicts the edu-ID user centric paradigm.

Link current members after day X

  1. edu-ID sends the organisation a list of users who already have an edu-ID organisational link.
  2. The organisation imports the list and associates the edu-ID identifier of each member with the local user identity.
  3. All members who are not in the imported list will lose their federation account on Day X. They are invited to use a linking service where they can create an edu-ID and link it to the local organisational identity.

Remarks:

  • With this approach it is likely that not all organisation members will have a linked edu-ID. Without a federation account, they will not have access to services in the federation.

Comparison

Approach            Advantages
Link before Day X   • all organisation members have a federation account after the adoption
                    • users have created their edu-ID and are aware of it
                    • low risk of creating duplicate edu-ID accounts
Link at Day X       • members don't have to become active
                    • all organisation members have a federation account after the adoption
Link after Day X    • only members who need a federation account have one
                    • users have created their edu-ID and are aware of it
                    • low risk of creating duplicate edu-ID accounts

Note that different linking approaches can be combined. For example, an organisation could try to have as many members as possible create and link their edu-ID on their own (approach "link before Day X"). For all members who do not have a linked edu-ID on Day X, the organisation creates one (approach "link at Day X").