Extended Attribute Model

With the classic attribute model a service can get one part of an edu-ID identity at a time. There may be cases where a service requires attributes from multiple home organizations simultaneously. In such cases, a service can be configured for the edu-ID-only extended attribute model.

In the extended attribute model a service can potentially get a SAML assertion for attributes in the bold red boxes in the diagram below:

  • attributes from the personal part of the identity
  • some attributes from linked current affiliations:
    • the list of organizational unique-IDs (swissEduIDLinkedAffiliationUniqueID)
    • the list of organizational email addresses (swissEduIDLinkedAffiliationMail)
    • the list of organizational scoped-affiliations (swissEduIDLinkedAffiliation)
  • group membership information

Getting more attributes via backchannel

If a service needs access to more attributes from current affiliations (the red dashed boxes in the diagram), the procedure is as follows:

  • from the list of organizational unique-IDs (swissEduIDLinkedAffiliationUniqueID) the service extracts the individual unique-IDs
  • for each organizational unique-ID the service requests the attributes of the associated current affiliation by issuing a GET request on the affiliation API

Currently, accessing the attributes in former affiliations is not supported.
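The two-step backchannel procedure above, as an added example that is not part of this page or of SWITCH's own code. It assumes a constructed SAML assertion fragment (a real edu-ID assertion names attributes by OID alongside the FriendlyName, so the code matches on either), an assumed unique-ID format of local-part@organization-domain, an assumed affiliation API path layout (/affiliations/<unique-ID>) and an assumed bearer-token credential; the fetcher is injectable so the lookup logic can be exercised offline. Each extracted ID is validated and percent-encoded before it shapes a request path, and the assertion is parsed only after the SP's SAML library has already verified its signature.

```python
"""Backchannel lookup of current affiliations from the multi-valued
swissEduIDLinkedAffiliationUniqueID attribute (added example, not SWITCH code)."""
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote
from urllib.request import Request, urlopen

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LINKED_UID_ATTR = "swissEduIDLinkedAffiliationUniqueID"

# Assumed shape of an organizational unique-ID: local part, '@', organization domain.
UNIQUE_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample assertion fragment in the extended attribute model.
# A real edu-ID assertion uses an OID in Name and the friendly name in
# FriendlyName; the constructed one reuses the friendly name for both.
# The third value is deliberately malformed to show that it is rejected.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="swissEduIDLinkedAffiliationUniqueID"
                    FriendlyName="swissEduIDLinkedAffiliationUniqueID">
      <saml:AttributeValue>123456@example-uni.ch</saml:AttributeValue>
      <saml:AttributeValue>ab78cd@example-hochschule.ch</saml:AttributeValue>
      <saml:AttributeValue>bad/value</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="swissEduIDLinkedAffiliationMail"
                    FriendlyName="swissEduIDLinkedAffiliationMail">
      <saml:AttributeValue>jane@example-uni.ch</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def linked_unique_ids(assertion_xml):
    """Step 1: return (valid, rejected) organizational unique-IDs taken from the
    multi-valued attribute. Parse only an assertion whose signature the SP's SAML
    library has already verified. Values outside the assumed format are rejected
    so they can never influence the API request path."""
    root = ET.fromstring(assertion_xml)
    valid, rejected = [], []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if LINKED_UID_ATTR not in (attr.get("Name"), attr.get("FriendlyName")):
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            uid = (value.text or "").strip()
            (valid if UNIQUE_ID_RE.match(uid) else rejected).append(uid)
    return valid, rejected


def affiliation_url(api_base, unique_id):
    """Build the per-affiliation GET URL. The path layout is an assumption; the
    ID is percent-encoded even after validation (defence in depth)."""
    return f"{api_base.rstrip('/')}/affiliations/{quote(unique_id, safe='')}"


def http_get_json(url, token, timeout=10):
    """Default fetcher: authenticated GET over HTTPS with a timeout. The bearer
    header is an assumption; use the credential mechanism agreed with SWITCH."""
    if not url.startswith("https://"):
        raise ValueError("affiliation API must be reached over HTTPS")
    req = Request(url, headers={"Authorization": f"Bearer {token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fetch_current_affiliations(assertion_xml, api_base, token, fetch=http_get_json):
    """Step 2: for each valid unique-ID, GET the associated current affiliation.
    Returns ({unique_id: affiliation_attributes}, rejected_ids); rejected IDs are
    reported to the caller for logging and never queried."""
    valid, rejected = linked_unique_ids(assertion_xml)
    results = {uid: fetch(affiliation_url(api_base, uid), token) for uid in valid}
    return results, rejected


if __name__ == "__main__":
    # Offline demo with a stub fetcher; the base URL and token are placeholders.
    stub = lambda url, token: {"requested": url}
    found, dropped = fetch_current_affiliations(
        SAMPLE_ASSERTION, "https://affiliation-api.example", "PLACEHOLDER_TOKEN", fetch=stub)
    for uid, data in found.items():
        print(uid, "->", data["requested"])
    print("rejected:", dropped)
```

In production the fetcher should also be rate-limited and its responses logged without the attribute values themselves, since these requests run without the user present.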

Usage policy for services with extended attribute model

Backchannel attribute requests may take place out-of-band without user interaction, and the IdP can't ask for a user's consent before sending attributes to the service.
Such services are therefore obliged to request and obtain the consent of the end user for the recurring transfer of their data from the SWITCH edu-ID IdP (e.g. in their own terms of use).
The SP operators are obliged to inform the end user that they will query or update their data without the end user being online or involved.
SWITCH grants access to an API for such a purpose only when the service meets these requirements (according to the Service Description).