Getting Started: Setting up an edu-ID Service
1. Contractual Preparation
Before you integrate an application into the SWITCHaai federation, your organization must become a "federation partner basic" or "federation partner plus".
https://www.switch.ch/aai/join/partners/
2. Protocol Choice
SWITCH edu-ID is a service offering in the SWITCHaai federation. Currently, edu-ID supports the SAML and OpenID Connect (OIDC) protocols.
| SAML | OpenID Connect (OIDC) |
|---|---|
| The instructions to set up a service for SAML can be found here: | OpenID Connect is a new edu-ID service. Its functionality is currently limited compared to SAML, but will be continuously extended in the future: |
3. Attribute Model Choice
SWITCH edu-ID offers a very comprehensive data model in different variants.
| Model | Description | SAML | OIDC |
|---|---|---|---|
| Classic Attribute Model | To access a service, a user chooses the home organization in the discovery service ("where are you from?"). The service receives an attribute assertion from the selected home organization. The assertion is compatible with traditional SWITCHaai assertions. | configure intended audience without private identities | (not supported) |
| edu-ID only | To access a service, the user authenticates directly (without choosing a home organization). The service receives an attribute assertion of the user's private identity, independent of any organizational affiliation. Optionally, the service can determine organizational roles and email addresses by evaluating the swissEduIDLinked* attributes. | configure intended audience: private identity | require scopes profile, email, swissEduIDBase or swissEduIDExtended |
| Extended Attribute Model | Like edu-ID only. Additional organizational affiliation attributes are fetched via the affiliation API. | Get additional attributes via the affiliation API with read-only permissions. | |
4. Advanced Service Configuration
Options to enhance the service's quality, usability or security:
- Check the edu-ID design guidelines
- Require 2-Step Login (MFA)
- Receive notifications when user accounts are updated