Swiss edu-ID versus SWITCHaai
This comparison is mainly addressed to people with a technical background and knowledge of identity management in general and AAI in particular.
Swiss edu-ID represents a paradigm shift from a role-based to a persistent identity model.
A long-lived digital identity must be maintained for its advantages to materialise. The user therefore gains more control over his/her identity data (attributes), but also takes on more responsibility for keeping that information correct and up to date in the long run.
Authentication is delegated to the central Swiss edu-ID Identity Provider (IdP), which delivers attributes to the local resources/services. Universities become Attribute Authorities (AAs), the authoritative sources for attributes about the user's role and status at the university, instead of delivering the whole identity as Identity Providers (IdPs). This enables attribute aggregation for users with several affiliations and lets a user keep his/her identity beyond the lifetime of any single institutional membership.
| | SWITCHaai | Swiss edu-ID |
|---|---|---|
| Identity framework | Role-based, organisation-centred, “stand-alone” federated identity | Persistent, user-centric, “linked” federated identity |
| Identity management | Identity created and managed by the (home) organisation | Identity created and owned by the user (self-registration, core attributes); enriched by organisations (additional attributes, validation) |
| Identity lifetime | Identity limited to the period of organisational membership | Persistent identity (with regular validation) |
| Number of identities per individual | One identity per organisational membership of an individual | One unique identity per individual |
| Users | Members of Swiss academia | Members of Swiss academia and people with a relation to academic institutions (e.g. library users, continuing education participants, alumni or guests) |
| User consent | When the user accesses a resource for the first time, for the whole attribute set requested by the resource | At least when the user accesses a resource for the first time; possibly for subsets of attributes |
| Role of organisations | Identity Provider (incl. Attribute Provider) | Attribute Authority (AA) for its own members; authentication delegated to the central IdP |
| Responsibility for identity data | Organisations | Individual and organisations |
| Identity Provider(s) (IdP) | One Identity Provider per institution | One central Identity Provider (SWITCH), aggregating attributes |
| Attribute Providers (AP) | AP is part of the local Identity Provider; attributes provided by the local Identity Provider/AP; Identity Provider/AP located at the organisation, primarily Higher Education Institutions | Local APs (instead of local Identity Providers); attributes may come from different APs and are aggregated by the Swiss edu-ID IdP; AA located at the organisation, primarily Higher Education Institutions (may be extended to additional APs in the future) |
| Service Providers (SPs) | SWITCH Community and Federation Partners | Federation members and partners |
| Attribute storage | Local Identity Provider (SWITCHaai core attributes and others, as well as local attributes) | Central Identity Provider stores the Swiss edu-ID core attributes; Attribute Providers store additional and local attributes of their members and related individuals |
| Attribute management, control and validation | By one (home) organisation | By the user (core attributes), the central Identity Provider and (several) organisations |
| Supported resources (protocols) | Access via web browser (SAML) | Access via web browser, support for web and cloud services and mobile applications (SAML, plus support for additional protocols, e.g. OAuth 2 or OpenID Connect) |
| Agreements | Federation Partner Agreement & service regulations | Federation Partner Agreement & service regulations, |
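The following is an added example, not SWITCH's code, modelling the Swiss edu-ID flow described above: the central IdP owns the core attributes under a persistent identifier, asks each institutional Attribute Authority for the user, aggregates what they vouch for, and releases only what the Service Provider requested and the user consented to. The identifiers, the sample records, the domain names and the per-attribute consent model are assumptions made for illustration; the attribute names are the standard eduPerson ones. It also shows the edge case the persistent model introduces: a user whose institutional membership has ended keeps the identity but loses the affiliation.

```python
"""Attribute aggregation and consent-filtered release at a central IdP.

Added example modelling the Swiss edu-ID design (central IdP, institutional
Attribute Authorities, persistent identity). Not SWITCH's code; identifiers,
records and the per-attribute consent model are assumptions for illustration.
"""

# Core attributes held by the central IdP, keyed by a persistent identifier
# that is created by the user and outlives any institutional membership.
# (constructed sample data)
CENTRAL_CORE = {
    "edu-id-0001": {"displayName": "Anna Example", "mail": "anna@example.org"},
    "edu-id-0002": {"displayName": "Ben Alumnus", "mail": "ben@example.org"},
}

# Each Attribute Authority (AA) answers only for its own current members.
# A user whose membership has ended has no record at that AA any more,
# while the central identity remains. (constructed sample data)
AA_RECORDS = {
    "uni-a.example": {"edu-id-0001": {"eduPersonAffiliation": ["staff", "member"]}},
    "uni-b.example": {"edu-id-0001": {"eduPersonAffiliation": ["student"]}},
    "uni-c.example": {},  # edu-id-0002 graduated: no affiliation left here
}


def query_attribute_authorities(user_id, aa_records):
    """Ask every AA for the user and scope each affiliation with the AA's
    domain (eduPersonScopedAffiliation style) so that values coming from
    different organisations stay distinguishable after aggregation."""
    scoped = []
    for org, records in aa_records.items():
        record = records.get(user_id)
        if record is None:
            continue  # not a member of this organisation: nothing to add
        for affiliation in record.get("eduPersonAffiliation", []):
            scoped.append(f"{affiliation}@{org}")
    return {"eduPersonScopedAffiliation": sorted(scoped)} if scoped else {}


def aggregate(user_id, core=CENTRAL_CORE, aa_records=AA_RECORDS):
    """Build the identity the central IdP asserts: the core attributes it
    owns, enriched with whatever the AAs currently vouch for."""
    if user_id not in core:
        raise KeyError(f"unknown persistent identifier: {user_id}")
    identity = dict(core[user_id])
    identity.update(query_attribute_authorities(user_id, aa_records))
    return identity


def release(identity, sp_entity_id, requested, consent):
    """Filter the aggregated identity for one SP.

    `consent` maps SP entityID -> set of attribute names the user agreed to
    release to that SP (per-attribute consent, the "subsets" case).
    Returns ("consent_required", [attributes to ask about]) on a first visit,
    otherwise ("ok", {released attributes}). Attributes the user simply does
    not have (e.g. no current affiliation) are silently absent.
    """
    available = [a for a in requested if a in identity]
    decided = consent.get(sp_entity_id)
    if decided is None:
        return "consent_required", sorted(available)
    return "ok", {a: identity[a] for a in available if a in decided}


if __name__ == "__main__":
    consent = {"https://sp.example/shibboleth": {"displayName", "eduPersonScopedAffiliation"}}
    wanted = ["displayName", "mail", "eduPersonScopedAffiliation"]
    for uid in ("edu-id-0001", "edu-id-0002"):
        ident = aggregate(uid)
        print(uid, release(ident, "https://sp.example/shibboleth", wanted, consent))
        print(uid, release(ident, "https://new-sp.example/shibboleth", wanted, consent))
```

Scoping each affiliation with the AA's domain is what keeps a multi-affiliation user's attributes unambiguous after aggregation; without it, "member" from two universities would collapse into one value. Consent is checked per SP and per attribute, so an SP that asks for more than the user agreed to receives only the consented subset.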