Updating affiliations

The page "Link new members" describes various approaches to establishing a link between a user's local organizational identity and her edu-ID identity. The result of this linking process is that the organization "knows" the edu-ID identifier of each of its members. However, the link has to be bidirectional: the edu-ID service also has to "know" about a user who becomes a member of an organization. This is done by adding the affiliation (identified by the organization's unique identifier) to the user's edu-ID identity.


Bidirectional Linking of organizational accounts with edu-ID

When a user accesses a service provider, the edu-ID IdP should be able to deliver up-to-date organizational attribute information for that user. It has not been decided yet whether the edu-ID IdP reads attribute information

  • on the fly from the organization,
  • from a temporary cache, or
  • from a central directory with a complete copy of organizational attributes.

Independently of where the IdP reads attributes from, edu-ID supports two protocols, the push method and the pull method, to transfer attribute data from an organization to edu-ID.

Approaches to update the affiliation status of organization members

The edu-ID service supports two basic methods to synchronize the list of current members at an organization with the current affiliations database at edu-ID: the push method and the pull method. It should be noted that an organization must choose one of the two methods. Push and pull can't be combined.

Organization pushes affiliations to edu-ID

An organization instantly sends attribute changes and status updates of an individual member to edu-ID. Whenever possible, it is recommended for an organization to use the push method.

edu-ID pulls affiliations from organization

The organization provides a list of all its current affiliations via the attribute provider interface. The edu-ID attribute aggregator regularly polls the organization’s attribute provider for affiliation information and status updates of their members. The attribute aggregator currently polls for updates once per day.

Special case: attribute pull via SAML for non-migrated organizations

Users can create edu-ID identities and link them to their organizational AAI account before the organization as a whole integrates edu-ID. Affiliations of these users are updated on a daily basis via SAML attribute queries to the organizational AAI IdP.

Comparison

Method: Organization pushes attributes
  Pros:
    • attribute changes at the organization take immediate effect at edu-ID
    • efficient protocol in terms of required bandwidth and processing power
  Cons:
    • requires centralized IdM processes at the organization for user account creation, update, deletion and temporary blocking

Method: edu-ID pulls attributes
  Pros:
    • easier to implement for organizations without centralized IdM processes
  Cons:
    • attribute changes at the organization may take up to 24h to be reflected in edu-ID
    • method does not scale well for large organizations

IdM processes and update methods

The affiliation update methods are designed to cover the following identity management processes:

  • Onboarding: Create a new affiliation for a user who already has an edu-ID identity.
  • Offboarding: A user leaves the organization. Archive the current affiliation and add it to the list of former affiliations.
  • Attribute updates: Some attributes of a user were changed at the organization. Update the current affiliation accordingly.
  • User blocking/unblocking: The organization temporarily disables a user's current affiliation.


Supported protocols per IdM process:

IdM process            Organization → edu-ID (push)                 edu-ID ← Organization (pull)
Onboarding             SCIM API: POST request                       AP-API: a member appears in the list of affiliations
Attribute updates      SCIM API: PUT request                        AP-API: attributes have changed in the list of affiliations
Offboarding            SCIM API: DELETE request                     AP-API: a member disappears from the list of affiliations
Blocking / unblocking  SCIM API: PUT request, setting               an affiliation is manually (un)blocked in the org-admin interface
                       swissEduIDAffiliationStatus to
                       current or suspended

Protocol descriptions:

  • SCIM (Affiliation) API: a REST API based on the SCIM specification to update affiliations, provided by edu-ID
  • AP-API: the organization provides access to user attributes via a simple HTTP-based Attribute Provider API.
  • org-admin interface: a web application where an organization can manage current affiliations.
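The following added example (not code from the edu-ID documentation or service) works through the table above from the aggregator's side: it compares two successive polls of an organization's affiliation list, as the pull method does once a day, derives the onboarding, attribute update and offboarding events from members that appear, change or disappear, and shows which SCIM operation of the push method would carry the same change. Only the HTTP verbs, the attribute name swissEduIDAffiliationStatus and its values current and suspended come from the page; the snapshot layout, the /Affiliations resource path, the schema URN and the attribute names in the sample data are assumptions.

```python
"""Reconcile two polls of an affiliation list (pull method) and map the resulting
IdM events to the equivalent push-method SCIM operations.

Added example, not part of the edu-ID documentation. The snapshot format, the
resource path and the schema URN below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two successive polls of an organization's affiliation
# list, keyed by the organization's unique member identifier.
SNAPSHOT_YESTERDAY: Dict[str, Dict[str, str]] = {
    "u100": {"mail": "alice@example.org", "eduPersonAffiliation": "staff"},
    "u200": {"mail": "bob@example.org", "eduPersonAffiliation": "student"},
    "u300": {"mail": "carol@example.org", "eduPersonAffiliation": "student"},
}
SNAPSHOT_TODAY: Dict[str, Dict[str, str]] = {
    "u100": {"mail": "alice@example.org", "eduPersonAffiliation": "staff"},
    "u200": {"mail": "bob@example.org", "eduPersonAffiliation": "staff"},     # changed
    "u400": {"mail": "dave@example.org", "eduPersonAffiliation": "student"},  # new member
    # u300 is absent: the member has left the organization
}

# Values of swissEduIDAffiliationStatus named on the page.
VALID_STATUS = ("current", "suspended")

# Assumed resource path and schema URN (stand-ins; the real edu-ID SCIM endpoint
# is not described on the page).
AFFILIATION_PATH = "/Affiliations"
SCIM_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass(frozen=True)
class Event:
    kind: str                              # "onboarding", "attribute_update" or "offboarding"
    member_id: str                         # the organization's unique identifier
    attributes: Optional[Dict[str, str]]   # None for offboarding


def reconcile(previous: Dict[str, Dict[str, str]],
              current: Dict[str, Dict[str, str]]) -> List[Event]:
    """Derive IdM events from two polls of the affiliation list (pull method):
    a member that appears -> onboarding, differing attributes -> attribute update,
    a member that disappears -> offboarding."""
    events: List[Event] = []
    for member_id in sorted(current):
        if member_id not in previous:
            events.append(Event("onboarding", member_id, dict(current[member_id])))
        elif current[member_id] != previous[member_id]:
            events.append(Event("attribute_update", member_id, dict(current[member_id])))
    for member_id in sorted(previous):
        if member_id not in current:
            events.append(Event("offboarding", member_id, None))
    return events


def to_scim_request(event: Event) -> Tuple[str, str, Optional[dict]]:
    """Return (HTTP method, path, JSON body) of the push-method SCIM operation
    that carries the same change. Shown for comparison only: an organization
    uses either push or pull, never both."""
    attrs = event.attributes or {}
    if event.kind == "onboarding":
        body = {"schemas": [SCIM_SCHEMA], "externalId": event.member_id,
                "swissEduIDAffiliationStatus": "current", **attrs}
        return "POST", AFFILIATION_PATH, body
    if event.kind == "attribute_update":
        body = {"schemas": [SCIM_SCHEMA], "externalId": event.member_id, **attrs}
        return "PUT", f"{AFFILIATION_PATH}/{event.member_id}", body
    if event.kind == "offboarding":
        return "DELETE", f"{AFFILIATION_PATH}/{event.member_id}", None
    raise ValueError(f"unknown event kind: {event.kind}")


def status_request(member_id: str, status: str) -> Tuple[str, str, dict]:
    """Blocking / unblocking in the push method: a PUT that sets
    swissEduIDAffiliationStatus to current or suspended."""
    if status not in VALID_STATUS:
        raise ValueError(f"status must be one of {VALID_STATUS}, got {status!r}")
    body = {"schemas": [SCIM_SCHEMA], "externalId": member_id,
            "swissEduIDAffiliationStatus": status}
    return "PUT", f"{AFFILIATION_PATH}/{member_id}", body


if __name__ == "__main__":
    for ev in reconcile(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY):
        method, path, body = to_scim_request(ev)
        print(f"{ev.kind:16s} {ev.member_id}  ->  {method} {path} {body}")
    print(status_request("u100", "suspended"))
```

The reconciliation only ever compares whole snapshots, which is why the pull method cannot reflect a change faster than its polling interval and why its cost grows with the size of the member list; the push side sends one request per event instead, which is what makes it cheaper but dependent on the organization having a central IdM process that emits those events.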

In addition to the AP-API, the edu-ID service also provides a SAML interface in pull mode. In this case, the organization provides a SAML IdP that responds to attribute requests. This interface is available on request for special purposes.