On 1 February 2019, members of the University of Lucerne began using their lifetime SWITCH edu-IDs to access all federated services in the academic community. Marco Antonini, Head of IT at the University of Lucerne, planned the SWITCH edu-ID migration and completed the rollout together with his team. We put various questions to him as part of a debriefing. Here are some of his answers:
Marco Antonini: Because we already had a centralised user administration system, we were already well prepared for the migration to SWITCH edu-ID. In fact, the migration was a classic IT project. In reality, however, things went somewhat differently, because it required more intense communication on our part. Typically, of course, the completion date had to be pushed back: we had picked 31 December 2018 because it gave us a good timeframe. The deadline for the transition at the end of 2018 became a bit tight due to the problems with the duplicate swissEduPersonUniqueID values. But we picked an alternative deadline and were able to transition to the SWITCH edu-ID IdP on 1 February. It was an exciting and instructive project for us, and we pulled it off successfully.
Marco Antonini: Without a doubt, communication. Our campaign succeeded in getting a good half of all users to set up and link an account by the time of the migration, but we were expecting more to do so. We initially notified the members of the university via the university’s website and two newsletters, followed by several direct emails. But even after mentioning it to people directly several times, many still did not take action, which was similar to what we've experienced in the past, unfortunately.
Getting users to complete tasks ahead of a migration isn’t easy. You have to explain why the SWITCH edu-ID needs to be set up and linked with the university account early, even though it cannot be used actively yet. It’s also necessary to tell people which account they need to use post-migration. Once the migration was complete, all of that was much clearer.
Marco Antonini: When they need or, even better, want to complete a specific task – for example, registering for courses or checking their exam results. If they can only register with a SWITCH edu-ID, users will be much more motivated to set up an account and link it with the university. Specific services could therefore be used as a way to encourage people to link their local account with the SWITCH edu-ID.
Marco Antonini: Yes. We discovered duplicate swissEduPersonUniqueIDs, for example. But we were able to solve this problem in cooperation with the relevant services and organisations, such as OLAT at UZH.
During development, our external partners had only included the mandatory attributes from the specification, so not all of the attributes we use were updated via the API at first. Even that wasn’t such a big deal once we had identified the cause.
Certain students were no longer able to log into the university portal after the migration. These were mainly people with multiple roles (affiliations). Because we had only carried out our testing with single roles, we didn’t notice this before. The problem had already been sorted by the afternoon of the day of the migration.
Marco Antonini: On the first weekend after the migration – which happened on a Friday – we had quite a lot of queries. Around 10% of our 4,000 users contacted our support service – of course, these were mainly people who had not reacted to our previous emails. Most of the enquiries related to the brief delay after linking their login with the services before it would work properly, or because these people had not yet completed the linking process. But we did not want to interfere with the system, so we dealt with these enquiries. We used TeamViewer, for example, to help people quickly and efficiently.
After the ‘peak’ phase, we contacted people who still had not completed the switch, in order to pre-empt known problems or questions. At first, we asked new employees to use the linking service to create an edu-ID. In practice, however, we found that it worked better if they created an edu-ID first and then used the linking service to connect it with their local account.
"Many users don’t read the information we provide, but then don't want to wait for a solution when there are problems. You always have to keep that in the back of your mind. For this reason, your process has to include explanations as to why and how something should be done."
Marco Antonini, Head of IT, University of Lucerne
Marco Antonini: For us, the technical requirements in the resource registry were unclear – for example, when we needed to configure the correct settings for online registration and set the correct attributes. SWITCH had to help us out with this. More information on navigating the resource registry would have probably allowed us to figure this out on our own.
There was also some confusion and questions regarding how certain things actually work in detail – for example, you can only test to a limited extent how the login for different user groups on various services will look after the migration, which attributes are passed to the services, etc. More detailed documentation certainly would have been helpful here.
But the collaboration with SWITCH went well, and the people we were in touch with on the developer team were always able to answer our questions quickly.
Marco Antonini: At present, there are still around 600 university members who do not have a linked edu-ID account. These people will gradually come on board, I imagine. Certain individuals may even be able to manage with just a local account. Clearly, however, they will get an edu-ID as soon as eduroam has been integrated via SWITCH edu-ID.
We have other plans for using the SWITCH edu-ID: we have our eye on other user groups, such as course auditors, continuing education students and alumni, who should also be able to access our services with the SWITCH edu-ID in the future. Ideally, webmail should also be accessible with the edu-ID. Two-step login with Google Authenticator is another interesting possibility.
Marco Antonini: Always make sure to plan in enough time and include two suitable timeframes to deal with any potential problems. Slow periods are rare. These need to be identified and thoroughly discussed internally. Friday proved to be a good day for the migration. Some people got organised over the weekend and helped each other out by sharing information. And definitely bear in mind that you may need to take action or communicate accordingly in the case of services that only load metadata once a day, for example.
Identity management is and will remain a major challenge for universities. The edu-ID project has allowed the University of Lucerne to make considerable progress towards automation and modernisation – thanks to proactive support from SWITCH and funding from swissuniversities.
Further information on the migration to the SWITCH edu-ID can be found in the Identity Blog: