An edu-ID identity always includes the personal part of the identity, which is managed and controlled by the user.
If a user is a member of a university, the university adds an affiliation. If the person is also a member of another university or organization, more affiliations can be added. The person may end up with the example below, where she has two affiliations from two universities in addition to the personal part of the identity.
Example of an identity with two current affiliations.
Most services only support the classic edu-ID attribute model. Such services can only interpret one affiliation at a time. If a user who wants to access a classic service has more than one current affiliation, the affiliation chooser is automatically activated.
The affiliation chooser presents a choice of affiliations the service is compatible with. The choice of affiliations may also include the personal part of the edu-ID identity, which a service can interpret like a common classic affiliation.
After the user has chosen an affiliation (ZHAW in the example above), the IdP generates the related attribute assertion and sends it to the service.
Example of the affiliation chooser user interface with two current affiliations.
In many cases a user will not see the affiliation chooser. The IdP collects as much contextual information as possible to make the correct affiliation choice on behalf of the user, or to reduce the number of options to choose from. The following hints are used by the IdP:
- The user's choice of an organization in the discovery service
- The SP configuration "intended audience"
The affiliation chooser is shown after authentication if all of the following conditions apply:
- The user's organisation has adopted edu-ID. Only then can users log in to edu-ID using their organisation identity.
- More than one identity could be used to access the service, e.g. a private identity and a ZHAW identity.
- The user chose “SWITCH edu-ID” on the Discovery Service/WAYF. If an organisation (e.g. ZHAW) is chosen, the affiliation chooser is skipped unless the user has multiple ZHAW identities.
Affiliation Chooser Example Scenarios
SP requires an organizational affiliation (most typical case)
In this most typical case the user has one organizational affiliation. The service is configured to require organizational affiliations (members only configuration). In this case, the affiliation chooser is not displayed because the private part of the identity is not eligible to access the service.
SP requires one affiliation - User has 2 affiliations
In this case the user has more than one organizational affiliation. The service is configured to require organizational affiliations (members only configuration). The user chooses the affiliation to be used for the service.
All users can access the SP
In this case the service is configured to accept private users without affiliation as well as those with organizational affiliations (all users configuration). In this case, the user chooses the affiliation to be used for the service - either a current affiliation or the private part of the identity.
SP requires one affiliation - user has no affiliation
The service is configured to require organizational affiliations (members only configuration) but the user has no affiliation. An error message is displayed and the user can't proceed to the service.
SP requires a simple, private edu-ID identity
Here the service is configured to get the personal part of the identity (classic edu-ID only configuration). No matter how many affiliations the user has, the affiliation chooser is never displayed.
The SP supports the extended attribute model
In this case the SP supports the extended attribute model. Such a service is able to interpret and process the personal part of edu-ID identities and 0, 1 or more current affiliations (extended model configuration). For extended model services, the affiliation chooser is never displayed.
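The scenarios above can be read as one decision about which part of the identity is released to a service. The following sketch is an added example, not SWITCH's implementation; the configuration labels, the `decide` function, the tuple representation of affiliations and the "UNI-B" organisation are assumptions made for illustration.

```python
from dataclasses import dataclass

EDU_ID = "SWITCH edu-ID"           # discovery-service entry named on the page
PRIVATE = ("edu-ID", "private")    # stands for the personal part of the identity

@dataclass(frozen=True)
class Decision:
    outcome: str         # "release", "chooser" or "error"
    options: tuple = ()  # identities released, or offered in the chooser

def decide(sp_config, affiliations, discovery_choice=EDU_ID):
    """sp_config: "members_only", "all_users", "classic_only" or "extended"
    (labels constructed for this example). affiliations: current affiliations
    as (organisation, label) tuples from organisations that adopted edu-ID."""
    affiliations = tuple(affiliations)
    if sp_config == "extended":
        # Extended attribute model: personal part plus 0..n affiliations.
        return Decision("release", (PRIVATE,) + affiliations)
    if sp_config == "classic_only":
        # Only the personal part is released, whatever affiliations exist.
        return Decision("release", (PRIVATE,))
    if sp_config not in ("members_only", "all_users"):
        raise ValueError(f"unknown SP configuration: {sp_config}")
    eligible = affiliations
    if sp_config == "all_users":
        eligible = (PRIVATE,) + affiliations
    # Hint: an organisation picked in the discovery service narrows the options.
    # Assumption of this example: a hint matching no affiliation is ignored.
    hinted = tuple(a for a in affiliations if a[0] == discovery_choice)
    if discovery_choice != EDU_ID and hinted:
        eligible = hinted
    if not eligible:
        return Decision("error")              # members only, no affiliation
    if len(eligible) == 1:
        return Decision("release", eligible)  # chooser skipped
    return Decision("chooser", eligible)

if __name__ == "__main__":
    zhaw, other = ("ZHAW", "staff"), ("UNI-B", "student")  # constructed sample
    for cfg, affs in [("members_only", [zhaw]), ("members_only", [zhaw, other]),
                      ("all_users", [zhaw]), ("members_only", []),
                      ("classic_only", [zhaw, other]), ("extended", [zhaw, other])]:
        print(cfg, len(affs), decide(cfg, affs))
```

Only the "extended" configuration releases more than one affiliation in a single assertion; every other path ends with exactly one identity, an explicit user choice, or an error.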