Revision as of 17:01, 21 March 2008 by Mlinden@csc.fi (Talk | contribs)
Jump to: navigation, search





Operational since August 2005

# of IdPs

52 - list , map of home institutions

Enabled end users

370'000 (98% of all persons in Swiss higher education)

# of SPs

744 - list of public resources

# of logins

~17.8 Mio. during the last 12 months (i.e. 1 every 1.8 seconds or 34 per minute). The numbers are based on authentication request log entries on the central DS/WAYF

--thomas.lenggenhager@switch.ch 13:44, 15 March 2013 (UTC)


Current service categories
  • Center of competence
  • deployment guides and know-how transfer
  • dedicated test infrastructure (federation and CA)
  • Central Discovery/WAYF server (optional to use). Also used to provided the embedded version of DS/WAYF
  • Build and support Tools
  • Strategy and marketing
Prominent services
  • Virtual Home Organization (VHO)
  • Resource Registry
  • Individual support (also on-site if required)
  • Regular community events
  • Identity Provider Hosting Service (optional service, fee based)
  • Guest Login - It is not part of the federation, but optionally configurable for all SPs in the federation that are happy to accept identities from the self-service Guest Login IdP which only verifies the email address on registration.

--Thomas.lenggenhager@switch.ch 13:50, 15 March 2013 (UTC)


Current development
Who drives the
federation development
  • Federation operator (SWITCH)
  • IT services of universities

--Thomas.lenggenhager@switch.ch 13:52, 15 March 2013 (UTC)


Productional interfederations
  • Interfederation with eduGAIN. Adoption just started, see the Interfederation documentation
  • A few e-learning SPs bilaterally configured a couple of foreign IdPs
Interfederation projects SWITCHaai participates in eduGAIN.
Interfederation drivers
  • e-learning courses adopted by lecturers in other countries.
  • GÉANT projects starting to use eduGAIN

Up to now little demand.

--Thomas.lenggenhager@switch.ch 13:56, 15 March 2013 (UTC)



Part of the regular budget of SWITCH

  • AAI is currently bundled in the basic service fees
  • Federal subsidies for AAA projects 2008-2013
Pricing for external SPs

None at the moment


Salaries, equipment and housing


~4.5 FTEs in 2012

Services oursourced
by the operator


--Thomas Lenggenhager 18. April 2012






Contact person

Thomas Lenggenhager <aai@switch.ch>

--Thomas Lenggenhager 12. April 2012



Contractual structure
  • SWITCHaai is a service provided by SWITCH to the SWITCHaai Participants.
  • SWITCH Community For organizations which belong to the SWITCH Community, the legal basis are the 'SWITCHaai Service Description' together with the 'Service Regulations for Services by SWITCH' to which they are bound.
  • Federation Partners sign a SWITCHaai Federation Partner agreement with SWITCH.
Organizational structure

The SWITCHaai Advisory Committee meets once or twice a year to discuss more strategic matters. The SWITCHaai Community Group gets consulted on more operational matters.

--Thomas Lenggenhager 18. April 2012


Sectors covered

Swiss higher education & research

  • SWITCH Community
    Organizations from the SWITCH Community introduce IdPs and SPs into the federation
  • SWITCHaai Federation Partners
    They introduce only SPs into the federation.
    Selected Federation Partners are entitled to also introduce IdPs into the Federation.
End users

Users affiliated with organizations from the SWITCH Community and the selected Federation Partners entitled to operate an IdP.

Ability to interfederate

Organizations from the SWITCH Community have to opt-in to participate in interfederation.

--Thomas Lenggenhager 18. April 2012


Operator of the federation


Responsibilities of the operator

see SWITCHaai Service Description

--Thomas Lenggenhager 18. April 2012


Personal accounts

No explicit requirement for accounts to be personal. However, data privacy law requires that personal data has to be correct and up-to-date.
It would be in contradiction if an account is shared by multiple persons and the attributes for this account would indicate a single person.

Initial authentication

Best current practice. Established processes to provision accounts for staff and students.

On-line authentication

Best current practice, according to established local rules.

Attribute quality

Established processes to guarantee up-to-date data, according to general data protection principles.


--Thomas Lenggenhager 15. November 2012


Purpose of processing personal data

See 9.6 of the SWITCHaai Service Description

Relevance of attributes
  • Within the Resource Registry, the SP admin configures the attribute requirements for the resource.
  • The Resource Registration Authority of the correspronding SWITCHaai Participant reviews and approves it.
  • Admins using Shibboleth 2.x IdP can influence the default attribute release through the Resource Registry and retrieve the customized attribute filter file automatically from the Resource Registry.
User consent

SWITCH provides uApprove as a method to implement user consent at the IdP.

Informed consent

SWITCH provides uApprove as a method to implement informed consent.

Attribute release to 3rd countries

According to the Swiss federal data protection regulation.

--Thomas Lenggenhager 18. April 2012


Between the operator
and participants

As defined in paragraph 9.5 of the SWITCHaai Service Description and paragraph 7 of Service Regulation for services by SWITCH.

Between participants

As defined in paragraph 9.5 of the SWITCHaai Service Description and paragraph 7 of Service Regulation for services by SWITCH.

--Thomas Lenggenhager 17:12, 21 March 2008 (CET)


Log files

IdPs and SPs keep log files which allow to track back the identity of the person autenticating at the IdP.

Investigation of abuse

For investigation of abuse, the SP provides relevant info from itsl logs to the IdP.

--Thomas Lenggenhager 18. April 2012



OpenID relations

See the statement on Digital Identities, SWITCHaai and OpenID


04/2012: All IdPs use Shibboleth 2.x and 98% of SPs support SAML2, most of them using Shibboleth 2.x


Metadata web page

--Thomas.lenggenhager@switch.ch 14:00, 15 March 2013 (UTC)


Name and version of the schema swissEduPerson
Schemas adopted person, orgPerson, inetOrgPerson, eduPerson
Use of other attributes On bilateral basis, IdPs and SPs may agree on any attributes they like.
Mandatory attributes

The SWITCHaai Attribute Specification linked above has the concept of attribute implementation status, which every IdP in the federation must populate for each end user. The core attributes are:

  • swissEduPersonUniqueID
  • eduPersonTargetedID
  • sn
  • givenName
  • mail
  • swissEduPersonHomeOrganization
  • swissEduPersonHomeOrganizationType
  • eduPersonAffiliation
The major unique identifier

Currently, swissEduPersonUniqueID is the predominant unique ID. The intention is to start using eduPersonTargetedID as attribute alongside the SAML2 persistent NameID once all IdPs are using Shibboleth 2.

swissEduPersonUniqueID reassignment policy

swissEduPersonUniqueID MUST NOT be reassigned

Preferred syntax for ePTID/PersistentID on SAML2

For inter-operability reasons both in parallel: SAML2 persistent NameID in the subject element as well as ePTID attribute value in the attribute statement

--Thomas Lenggenhager 09. Feb 2011


CAs accepted

Browser-facing services can use any certificate. Federation security is based on certificates published in the signed metadata file, no validation based on CAs.

All the details: certificate acceptance web page

--Thomas Lenggenhager 18. April 2012



not yet available



--Thomas Lenggenhager 17. November 2012


Tools used in the operations of the federation
  • Virtual Home Organization (VHO) enables certain users access via Shibboleth to a single resource, even they have no account at a federation member.
  • The Resource Registry to decentralize the maintenance of the federation metadata. It is the sourcce for the federation metadata file and it provides IdPs with pre-configred arp.site.xml files.
  • SWITCH-DS/WAYF, a SAML Discovery Service written in PHP. It also supports an easy embedding of the Discovery Service into Service Providers.
  • Guest Login Identity Provider. The Guest Login service allows users to create an account with self-registration. In contrast to the Virtual Home Organization where a VHO group administrator creates and manages the accounts. Any user with a valid email address can create and manage his own account. However, this account can only be used to access a very limited number of services in the SWITCHaai Federation. These services must explicitly allow guest users by means of configuration. Therefore, the Guest Login Identity Provider is not part of any federation.
Tools used by IdPs and SPs
  • uApprove, a plug-in for Shibboleth 2 IdPs, to ask the users for consent before releasing the attributes to a Service Provider. uApprove can also request acceptance of a 'Terms of use' statement. This tool was formerly named ArpViewer.
  • Group Management Tool (GMT) allowing a resource administrator to easily configure the access to his resource on an individual basis.

--Thomas.lenggenhager@switch.ch 14:06, 15 March 2013 (UTC)}

Personal tools