On-/Offboarding of Users
This page describes how an organisation that has decided to adopt SWITCH edu-ID can onboard and offboard users, e.g. register new staff members or enroll new students at the organisation.
There are different options for onboarding and offboarding users with an edu-ID.
Onboarding options can also be combined (e.g. for different groups of users such as staff and students); see also https://projects.switch.ch/eduid/adoption/link-new-members/.
Onboarding means that an organisation creates a New Affiliation for a user. The options are:
- The user creates an edu-ID account first and then registers as a staff member or enrols as a student at the organisation, which then sets the affiliation.
- The organisation creates a local organisational account for the user, and the user links it to the edu-ID account.
- The user links the local organisational account to the edu-ID account some time (days, weeks, months) after admission at the organisation. The user has a federated identity with an affiliation only after having linked the local identity and the edu-ID identity.
The offboarding process is entirely independent of the chosen onboarding process!
See also the page about how to manage affiliations.
There are ways to undo the offboarding for a user or a set of users (without leaving a former affiliation behind).
The attribute aggregator regularly polls an organisation's attribute provider. If a user with a current affiliation no longer exists in the attribute provider, the user should be offboarded.
Robust implementation is an issue:
- make sure the attribute provider (IdP, LDAP/AD, persistentID-DB) is running and responds correctly
- correctly interpret the attribute query response of the attribute provider for a former organisation member (a provider outage or a malformed response is not the same as "user does not exist")
---> approach: the attribute aggregator stores the last two attribute query responses for each user. If three consecutive query responses tell that a user does not exist in the organisation (anymore), then the user is offboarded, and the current affiliation is moved to a former affiliation. Assuming one complete attribute query run per day, the max. delay for an offboarded affiliation is three days.
Question for the organisation: How quickly is a user's dismissal propagated to the attribute provider?
An organisation sends explicit offboarding messages to the edu-ID service via an API (similar to the onboarding message API, Creation of a New Affiliation).
The user's affiliation is immediately removed and transformed into a former affiliation.
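The following is an added illustrative model of both offboarding paths described above (the polling aggregator with its "three consecutive negative responses" rule, and the explicit offboarding message); it is not SWITCH's code and the class, method and field names (`AttributeAggregator`, `record_response`, `poll_run`, `offboard_explicit`, `undo_offboarding`, `QueryResult`) are assumptions made for this example. It also makes the robustness choice explicit: only a "user not found" answer counts as evidence that the user has left, so an unreachable provider or an unparseable response breaks the streak instead of advancing it, and a run whose health check fails records nothing at all.

```python
"""Polling-based and explicit offboarding in an attribute aggregator (illustrative model)."""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class QueryResult(Enum):
    FOUND = "found"          # provider answered and returned the user's attributes
    NOT_FOUND = "not_found"  # provider answered: user unknown at the organisation
    ERROR = "error"          # provider down, timeout, or a response we could not parse


# Three consecutive "user does not exist" responses trigger offboarding (from the page).
OFFBOARD_AFTER = 3


@dataclass
class Affiliation:
    user_id: str
    organisation: str
    current: bool = True   # False once moved to a "former affiliation"
    # The aggregator stores only the last two responses per user; the third one
    # is the response being evaluated right now.
    history: deque = field(default_factory=lambda: deque(maxlen=OFFBOARD_AFTER - 1))


class AttributeAggregator:
    """Hypothetical aggregator: names and structure are assumptions of this example."""

    def __init__(self) -> None:
        self.affiliations: Dict[str, Affiliation] = {}

    def add_affiliation(self, user_id: str, organisation: str) -> None:
        """Onboarding: the organisation creates a New Affiliation for the user."""
        self.affiliations[user_id] = Affiliation(user_id, organisation)

    def record_response(self, user_id: str, result: QueryResult) -> bool:
        """Store one poll result for a user; return True if it triggered offboarding.

        Only NOT_FOUND is evidence that the user has left. FOUND and ERROR break
        the streak, so a provider outage can never offboard anyone (design choice
        of this example, following the page's "interpret responses correctly").
        """
        aff = self.affiliations[user_id]
        if not aff.current:
            return False
        window = list(aff.history) + [result]
        if len(window) == OFFBOARD_AFTER and all(r is QueryResult.NOT_FOUND for r in window):
            aff.current = False      # current affiliation becomes a former affiliation
            aff.history.clear()
            return True
        aff.history.append(result)
        return False

    def poll_run(self, healthy: Callable[[], bool],
                 query: Callable[[str], QueryResult]) -> List[str]:
        """One complete attribute query run over all current affiliations.

        If the provider health check fails, the whole run is skipped and no
        responses are recorded (assumption: an unreachable provider gives no evidence).
        Returns the user ids offboarded during this run.
        """
        if not healthy():
            return []
        offboarded = []
        for user_id, aff in self.affiliations.items():
            if aff.current and self.record_response(user_id, query(user_id)):
                offboarded.append(user_id)
        return offboarded

    def offboard_explicit(self, user_id: str) -> None:
        """Explicit offboarding message via API: the affiliation becomes former immediately."""
        aff = self.affiliations[user_id]
        aff.current = False
        aff.history.clear()

    def undo_offboarding(self, user_id: str) -> None:
        """Restore the affiliation as current, leaving no former affiliation behind."""
        self.affiliations[user_id].current = True

    def is_current(self, user_id: str) -> bool:
        return self.affiliations[user_id].current


def simulate_daily_runs(responses: List[QueryResult]) -> int:
    """Feed a constructed sequence of daily responses for one user and return the
    1-based day on which the user was offboarded, or 0 if never."""
    agg = AttributeAggregator()
    agg.add_affiliation("u1", "example-org")   # constructed sample user
    for day, r in enumerate(responses, start=1):
        if agg.record_response("u1", r):
            return day
    return 0


if __name__ == "__main__":
    NF, F, E = QueryResult.NOT_FOUND, QueryResult.FOUND, QueryResult.ERROR
    print(simulate_daily_runs([NF, NF, NF]))          # 3: the worst-case delay of three days
    print(simulate_daily_runs([NF, E, NF, NF, NF]))   # 5: the error response broke the streak
    print(simulate_daily_runs([NF, NF, F, NF, NF]))   # 0: the user reappeared, no offboarding
```

Run as a script, it prints the day on which each constructed response sequence offboards the sample user. The second sequence shows why the error state matters: with one daily run, a single unparseable answer pushes the offboarding from day 3 to day 5 rather than letting a failing provider remove a still-valid affiliation.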