SAML Proxy Service

To integrate SPs with special requirements into the SWITCHaai federation, SWITCH can set up a proxy service.

The proxy service is able to translate the authentication and authorization protocol between the SWITCH edu-ID IdP and the service provider. It acts as an SP towards the SWITCH edu-ID IdP, and as IdP towards the service provider.

proxy-overview

Possible applications of the proxy service are:

  • Providing attributes which are required by the service provider, that are not directly supported by the SWITCHaai federation.

Proxy Authentication Flow

proxy-flow

  1. The user attempts to access a service
  2. The service places an authentication request at the proxy
  3. The proxy rewrites the authentication request which is SWITCHaai federation compliant
  4. The edu-ID IdP requests the user to log in
  5. The user authenticates
  6. The edu-ID IdP sends an assertion to the proxy
  7. The proxy rewrites the assertion in a format the service is able to process.

Note that the above flow is completely transparent for a user.

Responsibilities

The proxy service is operated by SWITCH.

The organization having a contract with the service provider is responsible for the technical contact.

Costs for operating a proxy can be charged to an organization.