Processes to Link New Organizational Members to edu-ID 

An organisation that has adopted SWITCH edu-ID has to make sure that each new member (such as a student, staff member or further education student) has an edu-ID identity that is linked to the local, organisational identity.

A link between a local, organizational identity and an edu-ID identity is established if

  • the organization can associate a local identity to an edu-ID identity (via its edu-ID identifier), and
  • edu-ID can associate an edu-ID identity to an organisation (via its organizational unique identifier)

The most common linking processes are

Linking at Registration (Leading IdM System)

This scenario may be applied to organisations that have a centralised, leading IdM system. All new members of the organisation first have to go through a member registration process. This process is extended with an edu-ID linking step. The applicant is required to register at the organization with his/her edu-ID identity. If the applicant does not have an edu-ID identity, he/she creates one on the fly.

As a result, the organisation receives the applicant's registration data along with the edu-ID identifier. If the applicant is not admitted, all registration data is discarded. If the applicant is admitted, edu-ID is notified about the creation of an affiliation when the organisational identity is activated.


Linking at Registration (Meta Directory)

This approach is similar to the 'linking at registration' approach with a leading IdM system. The difference is that the organisation has multiple registration processes, usually one for each user group. Consequently, the edu-ID linking step has to be added to each registration process.

Linking at Admission

In this approach, the processes to register new organisation members remain untouched. Linking with an edu-ID identity takes place at the moment when the organisational identity is created and activated.

  1. The new organization member is invited (i.e. by email) to create and link his/her edu-ID identity.
  2. The member navigates to an identity linking service with an organisational one-time-token or session key. The linking service may be operated by the organization or by SWITCH.
  3. The identity linking service associates the edu-ID identifier to the local, organisational identity (via one-time-token or session key).
  4. After successful linking, the organisational account is activated.
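
The four steps above, sketched as an added example (not code from SWITCH or from any organisation's linking service). The class, method and identifier names, the in-memory storage and the seven-day token lifetime are assumptions; the point is that the one-time-token is stored only as a hash, expires, and can be redeemed once.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime of an invitation token


class LinkingService:
    """Hypothetical in-memory identity linking service for steps 1-4."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # sha256(token) -> (local_id, expires_at)
        self.links = {}      # local organisational id -> edu-ID identifier
        self.active = set()  # activated organisational accounts

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def invite(self, local_id):
        """Step 1: create the one-time-token that is sent in the invitation."""
        if local_id in self.links:
            raise ValueError("local identity is already linked")
        # A new invitation invalidates any earlier one for the same identity.
        self._pending = {d: e for d, e in self._pending.items() if e[0] != local_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is kept, so a leaked store does not yield usable tokens.
        self._pending[self._digest(token)] = (local_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, edu_id_identifier):
        """Steps 2-4: link the edu-ID identifier and activate the account.

        Assumption: edu_id_identifier is taken from the member's authenticated
        edu-ID login at the linking service, never from user-supplied input.
        Returns the linked local id, or None if the token is not accepted.
        """
        entry = self._pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return None  # unknown, superseded or already redeemed
        local_id, expires_at = entry
        if self._now() > expires_at:
            return None  # expired; a fresh invitation is required
        self.links[local_id] = edu_id_identifier  # step 3: associate
        self.active.add(local_id)                 # step 4: activate
        return local_id
```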

Linking after Admission

This approach is similar to "linking at admission". The only difference is that linking the local, organisational identity to edu-ID is not mandatory; it is done on demand.

  • The new organization member is invited (i.e. by email) to create and link his/her edu-ID identity.
  • The member navigates to an identity linking service with an organisational one-time-token or session key.
  • The identity linking service associates the edu-ID identifier to the local, organisational identity (via one-time-token or session key).

Comparison

Advantages of each approach:

Linking at registration
  • all new organisation members have a linked edu-ID
  • edu-ID attributes can be used for registration and admission
Linking at admission
  • all new organisation members have a linked edu-ID
  • existing registration processes need not be adapted
Linking after admission (on demand)
  • only organisation members who need it have a linked edu-ID


Note that the linking approaches can be mixed. It is, for example, possible to link students at registration while staff members are linked after admission.