Classic Attribute Model

The classic attribute model of the SWITCH edu-ID has been designed to be compatible with services in the SWITCH aai federation that "know" nothing of edu-ID. These services can be accessed by users with edu-ID the same way as before with the organizational SWITCHaai account. The only difference from a user's perspective is that authentication takes place at the SWITCH edu-ID IdP instead of the organizational IdP.

With the classic attribute model, a service gets attribute information compliant to the SWITCHaai attribute specification. From the perspective of the service, it just gets an attribute assertion from one HomeOrg. In the diagram below, this would be an assertion from either HomeOrg UniA (A), or HomeOrg UniB (B) or HomeOrg eduid.ch (P). No configuration changes or other adaptations are necessary to support users with an edu-ID account.

Configuration Options

University Members Only

With the university members only configuration, a service only gets the assertion from one current affilation of a user. If a user has more than one affiliation, the SWITCH edu-ID affiliation chooser kicks in where the user picks the desired affiliation to access the service. Users without at least one current affiliation are denied access.

In the diagram above, the service would either get the attribute assertion A or B, depending on the user's choice in the discovery service or the affiliation chooser.

Note that the type of accepted home organizations can be further specified in the intended audience setting in the resource registry.

Edu-ID Only (classic model)

With the edu-ID only configuration, a service gets the assertion from the personal part of an edu-ID identity, regardless of any current affiliations.

In the diagram above, the service would only get the attribute assertion P.

Note that a service can request additional attributes (the red dashed box above) that are typically only supported by the edu-ID IdP like group membership, attribute quality statements or the ORCID identifier.

All Users Allowed

With the all users allowed configuration, a service gets the assertion from the personal part of an edu-ID identity or from the current affilation of a user. If a user has one or more affiliations, the SWITCH edu-ID affiliation chooser kicks in where the user picks the desired part of the identity to access the service.

In the diagram above, the service would either get the attribute assertion A, B or P.