Swiss edu-ID versus SWITCHaai

This comparison is mainly addressed to people with a technical background and knowledge of identity management in general and AAI in particular.

Swiss edu-ID is connected to a paradigm shift from a role-based to a persistent identity model.
A long-lived digital identity must be maintained for its advantages to materialise. A user therefore gains more influence over his/her identity data (attributes), but also takes on more responsibility for keeping that information correct and up to date in the long run.
The authentication function will be delegated to the central Swiss edu-ID Identity Provider (IdP), which delivers attributes to the local resources/services. Instead of delivering the whole identity as Identity Providers (IdPs), universities will become Attribute Authorities (AAs): authoritative sources of identity information (attributes) about the user's role and status at that university. This enables attribute aggregation for users with several affiliations and lets a user keep his/her identity beyond the lifetime of any institutional membership.

| | SWITCHaai | Swiss edu-ID |
|---|---|---|
| Identity Framework | Role-based, organisation-centred, “stand-alone” federated identity | Persistent, user-centric, “linked” federated identity |
| Identity Management | Identity created and managed by (home) organisation | Identity created and owned by user (self-registration, core attributes); enriched by organisations (additional attributes, validation) |
| Identity Lifetime | Identity limited to period of organisational membership | Persistent identity (with regular validation) |
| Number of Identities per individual | One identity per organisational membership of an individual | One unique identity per individual |
| Users | Members of Swiss academia | Members of Swiss academia and people with a relation to academic institutions (such as library users, continuing education participants, alumni or guests) |
| User Consent | When user accesses a resource for the first time, and for the whole attribute set requested by a resource | At least when user accesses a resource for the first time; possibly for subsets of attributes |
| Role of Organisations | Identity Provider (incl. Attribute Provider); Service Provider | Attribute Provider; Service Provider |
| Responsibility for identity data | Organisations | Individual & organisations |
| Identity Provider(s) (IdP) | One Identity Provider per institution | One central Identity Provider (SWITCH), aggregation of attributes |
| Attribute Providers (AP) | AP is part of a local Identity Provider; attributes provided by the local Identity Provider/AP; Identity Provider/AP located at organisation, primarily Higher Education Institutions | Local APs (instead of local Identity Providers); attributes may come from different APs and are aggregated by the Swiss edu-ID IdP; AA located at organisation, primarily Higher Education Institutions (may be extended to additional APs in the future) |
| Service Providers (SPs) | SWITCH Community and Federation Partners | Federation members and partners |
| Attribute Storage | Local Identity Provider (SWITCHaai core attributes and others as well as local attributes) | Central Identity Provider stores Swiss edu-ID core attributes; Attribute Providers store additional and local attributes of their members and related individuals |
| Attribute Management, Control & Validation | By one (home) organisation | By user (core attributes), central Identity Provider and (several) organisations |
| Supported Resources (protocols) | Access via Web browser (SAML) | Access via Web browser, support for Web and cloud services, and mobile applications (SAML, support for additional protocols, e.g. OAuth 2 or OpenID Connect) |
| Agreements | Federation Partner Agreement & service regulations | Federation Partner Agreement & service regulations, terms of use (for users) |
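The aggregation model described above (central IdP holding user-owned core attributes, several organisational Attribute Authorities contributing affiliation data, consent possibly limited to a subset of the requested attributes) as an added illustration; this is example code, not SWITCH's implementation. The user identifiers, domains and attribute values are constructed, and the rule that an AA may only assert scoped values for its own domain is an assumption of the example.

```python
# User-owned core attributes held by the central IdP, keyed by a persistent
# identifier (constructed sample data, not real Swiss edu-ID records).
CORE = {"eduid-0001": {"givenName": "Anna", "sn": "Muster", "mail": "anna@example.org"}}

# Organisational Attribute Authorities (constructed). The user has two
# affiliations; unib.example also asserts a value scoped to unia.example,
# for which it is not authoritative.
AAS = {
    "unia.example": {"eduid-0001": {"eduPersonAffiliation": ["student"],
                                    "eduPersonScopedAffiliation": ["student@unia.example"]}},
    "unib.example": {"eduid-0001": {"eduPersonAffiliation": ["staff"],
                                    "eduPersonScopedAffiliation": ["staff@unib.example",
                                                                   "member@unia.example"]}},
}

def _merge(attrs, name, values):
    """Merge a multi-valued attribute from one AA into the aggregate,
    keeping order and dropping duplicates. User-owned core attributes
    (single string values) are never overridden by an AA."""
    current = attrs.get(name)
    if current is None:
        attrs[name] = list(values)
    elif isinstance(current, list):
        for v in values:
            if v not in current:
                current.append(v)

def aggregate(user_id, linked_aas):
    """Central IdP view: core attributes plus attributes from each linked AA.
    Scoped affiliations whose scope is not the asserting AA's own domain are
    rejected (assumption of this example) and returned for audit logging.
    Returns (aggregated attributes, list of (aa, rejected value))."""
    attrs = dict(CORE[user_id])
    rejected = []
    for aa in linked_aas:
        for name, values in AAS[aa].get(user_id, {}).items():
            if name.endswith("ScopedAffiliation"):
                in_scope = [v for v in values if v.split("@", 1)[-1] == aa]
                rejected += [(aa, v) for v in values if v not in in_scope]
                values = in_scope
            _merge(attrs, name, values)
    return attrs, rejected

def release(attrs, requested, consented):
    """Attributes released to an SP: only those both requested by the SP and
    consented to by the user, so consent may cover a subset of the request."""
    return {n: attrs[n] for n in requested if n in consented and n in attrs}
```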