The section on linking methods describes various approaches to establishing a link between a user's local organizational identity and her edu-ID identity. The result of this linking process is that the organization "knows" the edu-ID identifier of each of its members. However, the link has to be bidirectional: the edu-ID service also has to "know" about a user who becomes a member of an organization. This is done by adding the affiliation (identified by the organizational unique identifier) to the user's edu-ID identity.
When a user accesses a service provider, the edu-ID IdP must be able to deliver up-to-date organizational attribute information for that user. Therefore an organization synchronizes the complete set of organizational attributes to edu-ID via the push or pull method.
Updating the Affiliation Status of Organization Members
The edu-ID service supports the Push Method via the SCIM API to synchronize the affiliations of current members with the affiliations database at edu-ID. Alternatively, a Pull Method is available too, but for efficiency and stability reasons the push method is strongly preferred.
With the push method, an organization instantly sends attribute changes and status updates of an individual member to edu-ID. Whenever possible, it is recommended that an organization use the push method.
With the pull method, the organization provides a list of all its current affiliations via the attribute provider interface. The edu-ID attribute aggregator regularly polls the organization's attribute provider for affiliation information and status updates of its members. The attribute aggregator currently polls for updates once per day. Note that the push method is preferred for efficiency and stability reasons.
Pull with hosted Attribute Provider
This method is currently under development - release is planned for summer 2022.
The organization provides a list of all its members by allowing read-only access to its directory. An affiliation is created immediately when a user adds an organizational email address to her edu-ID. The Attribute Provider is hosted by SWITCH. It regularly polls the organization's directory and updates or deletes affiliations accordingly. The attribute aggregator currently polls for updates once per day.
Special Case: Attribute Pull via SAML for non-migrated Organizations
Users can create edu-ID identities and link them to the organizational AAI account before an organization as a whole integrates edu-ID. Affiliations of these users are updated on a daily basis via SAML attribute queries on the organizational AAI IdP.
Figure: Organization pushes attributes
Figure: edu-ID pulls attributes
Typically, an organization decides to implement either push or pull. In some cases, an organization may want to combine the advantages of the two methods. It is possible - and sometimes preferable - to implement the push method to create an affiliation, whereas the affiliation update and deletion take place via pull using the AP-API.
The affiliation update methods are designed to cover the following identity management processes:
|Process|Organization → edu-ID push|edu-ID ← Organization pull|
|---|---|---|
|Onboarding|SCIM API: POST request|AP-API: a member appears in the list of affiliations|
|Attribute updates|SCIM API: PUT request|AP-API: attributes have changed in the list of affiliations|
|Offboarding|SCIM API: DELETE request|AP-API: a member disappears from the list of affiliations|
|Blocking / unblocking|SCIM API: PUT request, setting swissEduIDAffiliationStatus to current or suspended|an affiliation is manually (un)blocked in the administration portal|
- SCIM (Affiliation) API: a REST-API based on the SCIM specification to update affiliations, provided by edu-ID
- AP-API: the organization provides access to user attributes via a simple http-based Attribute Provider API.
- administration portal: a web application where an organization can manage current affiliations.
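The pull-side processes in the table are derived by comparing two successive polls of the organization's affiliation list. The following added example (not part of this page or of the edu-ID service's own code) reconciles two constructed snapshots keyed by a hypothetical organizational unique identifier and maps each detected process to the push-side SCIM operation named above; the attribute names and uid values are placeholders.

```python
# Constructed sample: an organization's affiliation list as the edu-ID attribute
# aggregator might see it on two consecutive daily polls of the AP-API.
# Keys are a hypothetical organizational unique identifier (placeholder values).
YESTERDAY = {
    "org-uid-1001": {"mail": "alice@example.org", "affiliation": "staff", "status": "current"},
    "org-uid-1002": {"mail": "bob@example.org", "affiliation": "student", "status": "current"},
    "org-uid-1003": {"mail": "carol@example.org", "affiliation": "student", "status": "current"},
}
TODAY = {
    "org-uid-1001": {"mail": "alice@example.org", "affiliation": "staff", "status": "current"},
    "org-uid-1002": {"mail": "bob@example.org", "affiliation": "staff", "status": "current"},    # attribute change
    "org-uid-1004": {"mail": "dave@example.org", "affiliation": "student", "status": "current"}, # new member
}   # org-uid-1003 has disappeared from the list -> offboarding

# The push-side SCIM operation that corresponds to each process in the table.
# Informational only: this script sends no request to edu-ID.
SCIM_EQUIVALENT = {"onboarding": "POST", "update": "PUT", "offboarding": "DELETE"}


def reconcile(previous: dict, current: dict) -> list[tuple[str, str, str]]:
    """Derive affiliation events from two successive pulls of the affiliation list.

    Returns (process, org_uid, scim_equivalent) tuples in a deterministic order.
    Members present in both snapshots with unchanged attributes produce no event.
    """
    events = []
    # Onboarding: member appears in the list of affiliations.
    for uid in sorted(current.keys() - previous.keys()):
        events.append(("onboarding", uid, SCIM_EQUIVALENT["onboarding"]))
    # Attribute update: member is still listed but some attribute differs.
    for uid in sorted(current.keys() & previous.keys()):
        if current[uid] != previous[uid]:
            events.append(("update", uid, SCIM_EQUIVALENT["update"]))
    # Offboarding: member disappears from the list of affiliations.
    for uid in sorted(previous.keys() - current.keys()):
        events.append(("offboarding", uid, SCIM_EQUIVALENT["offboarding"]))
    return events


if __name__ == "__main__":
    for process, uid, op in reconcile(YESTERDAY, TODAY):
        print(f"{process:12s} {uid}  (push equivalent: SCIM {op})")
```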
In addition to the AP-API, the edu-ID service also provides a SAML interface in the pull-mode. In this case, the organization provides a SAML-IdP that responds to attribute requests. This interface is available on request for special purposes.