Processes to link members in the adoption phase

An organisation that adops SWITCH edu-ID needs to provide mechanisms to link local identities of new members (staff, students etc.) to edu-ID identities. Existing members of an organisation usually are treated differently because they already have an local organizational account and in most cases they also have a SWITCHaai account.

In the scenarios below Day X denotes the flag day, when the edu-ID IdP takes over the organisational SWITCHaai IdP and henceforth the organisation members log-in with their edu-ID to access to services. After Day X, the organisation does not operate a Shibboleth IdP anymore.

The sections below describe different approaches to equip organisation members with an edu-ID that is linked to the local organisational account.

Link current members before day X

  1. Users are asked to go to their edu-ID account. If they don't already have an edu-ID, they should create an account first.
  2. using the aai account linking service users link their aai account to the edu-ID
  3. at Day X edu-ID sends a list of all aai-uniqueID with their associated edu-ID identifiers to the organisation
  4. the organisation imports the list and associates the edu-ID identifier of each member to the local user identities

Save

Save

Save

Save

Save

Save

Save

Save

Save

 

Remarks:

  • The organisation members are invited to become active and create and link their identities. Not all users may follow these instructions.
  • edu-ID can send an organisation a list of users who have an edu-ID organisational link. Based on that list, the organisation can determine which members don't have a linked account, and resend the account linking invitation.

 

Link current members after day X

  1. edu-ID sends the organisation a list of users who already have an edu-ID organisational link
  2. The organisation imports the list and associates the edu-ID identifier of each member to the local user identities
  3. All members who are not in the imported list will lose their federation account on Day X. They are invited to use a linking service where they can create an edu-ID and link it to the local organisational identity.

Remarks:

  • With this approach it is likely, that not all organisation members do have a linked edu-ID. Without federation account they will not have access to services in the federation.

Comparison

Approach Advantages
Link before Day X
  • all organisation members have a federation account after the adoption
  • users have created their edu-ID and are aware of it
  • low risk of creating duplicate edu-ID accounts
Link after Day X
  • only members who need a federation account have one
  • users have created their edu-ID and are aware of it
  • low risk of creating duplicate edu-ID accounts

Note that different linking approaches can be combined. For example, an organization could try to have as many members as possible create and link their edu-ID on their own (approach "link before Day X"). For all members who do not have a linked edu-ID on Day X, they create one later (approach "link after Day X").