Architecture and basic concepts

The SWITCH edu-ID implements an identity federation architecture with a central identity provider. The SWITCH edu-ID is specifically made for Swiss universities. An important design goal is to provide identities not only to students, staff and teachers but also to university guests, further education students, private library users, event participants and other non-typical users.

Identity and Affiliations

In traditional AAI a university member has one account per university membership. In edu-ID, a user manages her own private edu-ID account. When a user becomes a member of a university, an affiliation is added to the edu-ID account. A user may have more than one current affiliation, or none at all. The personal part of an edu-ID account is persistent and remains under the control of its owner for its entire lifetime.

(Figure: identity schema)

In the example above, the user has two current university affiliations which are associated to the personal part of the edu-ID identity.

Technical Setup

The SWITCH edu-ID user directory contains the user-managed attributes and an affiliation index that indicates with which universities the user is currently affiliated. When a new user is registered at a university, an organisational account is created and linked to the edu-ID. The organisational identity management (IdM) system notifies the edu-ID service, which updates the affiliation index. The notification and attribute exchange between the organisation and edu-ID uses either the IdM Provisioning (or push) interface or the Attribute Provider (or pull) interface. Likewise, the affiliation index and the affiliation archive are updated when a user leaves a university.

To access a service provider, a user authenticates at the central SWITCH edu-ID IdP. The attribute aggregator collects the user-managed attributes and the attributes from all organisations with which the user is currently affiliated. The attributes are then filtered and reduced to the needs of the service and to the set of permitted attributes as defined by the university. Finally, with the user's consent, the attributes are delivered to the service.

A user who has left a university and has no further current affiliation with another university keeps the personal, user-managed part of the SWITCH edu-ID identity. Although many services will require users to have a current affiliation with a university, an increasing number of services will be open to people who are neither students nor university staff.
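As an added illustration (not SWITCH's own code, and not the real edu-ID directory schema), the following Python models the aggregation, filtering and consent steps described above on constructed sample data. The attribute names other than eduPersonAffiliation, the store layouts, and the rule that a university's permitted set applies only to attributes that university supplies are assumptions; it also shows the case of a user with no current affiliation.

```python
from collections import defaultdict

# Constructed sample data; attributes are multi-valued (name -> set of values).
USER_MANAGED = {
    "anna": {"givenName": {"Anna"}, "sn": {"Muster"}, "mail": {"anna@example.org"}},
    "bob": {"givenName": {"Bob"}, "sn": {"Beispiel"}, "mail": {"bob@example.org"}},
}
# Affiliation index: edu-ID -> organisations the user is currently affiliated with.
AFFILIATION_INDEX = {"anna": ["uni-a", "uni-b"], "bob": []}
# Organisational attributes as delivered via the push or pull interface (constructed).
ORG_ATTRIBUTES = {
    "uni-a": {"anna": {"eduPersonAffiliation": {"student"}, "uniqueID": {"a1@uni-a"}}},
    "uni-b": {"anna": {"eduPersonAffiliation": {"staff"}, "uniqueID": {"b2@uni-b"}}},
}
# Attributes each university permits to be released on its behalf (assumed to
# govern only the attributes that university itself supplies).
ORG_PERMITTED = {
    "uni-a": {"eduPersonAffiliation"},
    "uni-b": {"eduPersonAffiliation", "uniqueID"},
}


def aggregate(user):
    """Attribute aggregator: user-managed attributes plus the permitted attributes
    of every current affiliation, merged into multi-valued attributes."""
    merged = defaultdict(set)
    for name, values in USER_MANAGED.get(user, {}).items():
        merged[name] |= values
    for org in AFFILIATION_INDEX.get(user, []):
        for name, values in ORG_ATTRIBUTES.get(org, {}).get(user, {}).items():
            if name in ORG_PERMITTED.get(org, set()):
                merged[name] |= values
    return dict(merged)


def release(user, requested, consent):
    """Reduce the aggregate to what the service needs, then deliver it only if
    the user consents (consent is a callable shown the attributes to be sent)."""
    filtered = {n: v for n, v in aggregate(user).items() if n in requested}
    return filtered if consent(filtered) else {}
```

A service that needs an affiliation will see that bob, who has none, only delivers user-managed attributes, and can refuse access on that basis.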

Federation Architecture: Hybrid

According to the federation architecture definitions, edu-ID implements a hybrid architecture.

(Figure: hybrid architecture)

SWITCH edu-ID is a full-mesh architecture

  • from the point of view of services in classic mode, since the edu-ID IdP presents itself to them as an IdP of the organisation that the user chose in the discovery service.
  • towards interfederation, since each organisation hosted on edu-ID is reflected as an individual IdP in the interfederation.

SWITCH edu-ID is a hub-and-spoke architecture

  • from the point of view of services in extended mode, since they get attribute assertions from a single IdP.
  • for users, because in every case they see the same edu-ID login window.
  • for organisations, which synchronise affiliation data to one central edu-ID service.