Service Registration

First, check the getting started page to make sure that you want to register an OIDC client and that you are entitled to do so.

Registering a relying party (a service) requires the following steps:

  • Go to the AAI Resource Registry on https://rr.aai.switch.ch/. When asked to select an organisation to log in with, choose your organisation if available or choose "SWITCH edu-ID" otherwise.
  • Authenticate at the selected organisation.
    In case you chose "SWITCH edu-ID" and you don't yet have an edu-ID account, please create an account by clicking on "Create account" on the login page.

    Note: On the first login, the Resource Registry will ask you to agree that the shown data will be stored in the Resource Registry and potentially published on the SWITCH web pages that list all OpenID Connect services.

  • When logged into the AAI Resource Registry, click on "Resources" in the blue bar, then on "Add a Resource Description" and select "OpenID Connect resource". Note the following when filling out the form:

    1. Basic Resource Information:
      • Grant Types: If your (public) client needs the offline scope, choose the Grant Types entry that contains "Refresh Token (Offline Access)".
      • Approving Organisation: To register an OIDC relying party for SWITCH edu-ID Test (test infrastructure) choose as "Approving Organisation" the entry "SWITCH edu-ID [Test]". For production OIDC relying parties choose the organisation from the list if it is there or choose the entry "SWITCH edu-ID" as default.
    2. Certificates and Credentials:
      • For public clients such as mobile apps, desktop applications and single-page apps, select only "No credentials".
      • Public clients MUST also use PKCE.
      • Detailed information about Client Credentials and their format can be found on the page client credentials.
    3. Requested Attributes and Claims:
      • Only choose those claims and attributes that your service needs. For authenticating a user, your service only needs to request the openid scope.
      • You can request other scopes, but in the end only those attributes/claims that you listed as requested attributes in the AAI Resource Registry are sent to your relying party. The requested claims are then served from the userinfo endpoint.
      • An RP may enforce 2-step login (2FA) by requesting the acr claim with the essential value "https://refeds.org/profile/mfa". See example
    4. Service Locations
      • Specify the redirect URI: https://yourdomain.ch/redirect_uri

  • When all sections of the Resource Description are finished, click on "Submit for approval". The next page then shows which persons will review and approve your registration.
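The registration form captures what the relying party will do at runtime: a public client with no credentials must use PKCE, the openid scope is enough to authenticate a user, the redirect URI must match what was registered under Service Locations, and MFA can be enforced by requesting the acr claim as essential with the value "https://refeds.org/profile/mfa". The following Python is an added example of the client side of those choices; it is not code from SWITCH or the Resource Registry. The client_id and authorization endpoint are placeholders (assumptions), and the ID-token check assumes signature, issuer, audience and nonce validation have already been done by your OIDC library.

```python
import base64
import hashlib
import json
import secrets
from typing import Dict, Tuple
from urllib.parse import urlencode

# Constructed placeholders (assumptions, not values from the Resource Registry):
# replace with the client_id you receive and the OP's real authorization endpoint.
CLIENT_ID = "placeholder-client-id"
REDIRECT_URI = "https://yourdomain.ch/redirect_uri"   # redirect URI registered under Service Locations
AUTHZ_ENDPOINT = "https://op.example/authorize"       # placeholder
MFA_ACR = "https://refeds.org/profile/mfa"            # REFEDS MFA profile named in the registration notes


def code_challenge_for(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Generate a fresh (code_verifier, code_challenge).

    The verifier is kept by the client until the token exchange; only the
    challenge leaves the client in the authorization request, so an
    intercepted authorization code cannot be redeemed without it.
    """
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_for(verifier)


def build_authorization_url(code_challenge: str, state: str, nonce: str,
                            require_mfa: bool = False) -> str:
    """Build the authorization request for a public (no-credentials) client.

    Only the openid scope is requested, which is all that is needed to
    authenticate the user. PKCE with S256 is always included. When
    require_mfa is set, the acr claim is requested as essential with the
    REFEDS MFA value through the OIDC 'claims' request parameter.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if require_mfa:
        params["claims"] = json.dumps(
            {"id_token": {"acr": {"essential": True, "value": MFA_ACR}}},
            separators=(",", ":"),
        )
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def mfa_satisfied(id_token_claims: Dict[str, object]) -> bool:
    """Requesting acr is only half of enforcing MFA: the RP must check the
    acr value the OP actually asserted in the (already validated) ID token
    and treat a missing or different value as "MFA not performed"."""
    return id_token_claims.get("acr") == MFA_ACR


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(challenge, state, nonce, require_mfa=True))
    # Constructed sample ID-token claims, as the OP might return them after a 2-step login:
    print(mfa_satisfied({"sub": "user@example", "acr": MFA_ACR}))   # True
    print(mfa_satisfied({"sub": "user@example"}))                   # False
```

Persist state, nonce and the code verifier in the user's session before redirecting, and pass the verifier as code_verifier in the token request; the URL printed by the script is what the browser is sent to, and the registered redirect URI must match the value in it byte for byte.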