SWITCH edu-ID / UZH Identity (SAML & OpenID Connect)

UZH uses SWITCH edu-ID as its central identity. The edu-ID is mandatory for SWITCHaai-protected (Shibboleth/SAML) services and also supports modern OpenID Connect / OAuth 2.0 flows; the UZH edu-ID linking service offers an OAuth 2.0 login. This is federated identity infrastructure that protects UZH services rather than a generally available public API.

OpenAPI Specification

university-of-zurich-eduid-oidc.yaml
openapi: 3.0.3
info:
  title: SWITCH edu-ID OpenID Connect (UZH Federated Identity)
  description: >-
    OpenID Connect / OAuth 2.0 provider operated by SWITCH edu-ID and used by the
    University of Zurich as its central federated identity. This OpenAPI document
    is derived faithfully from the published OpenID Connect Discovery document at
    https://login.eduid.ch/.well-known/openid-configuration and the matching JWKS
    endpoint. Only endpoints, parameters, scopes, and claims actually advertised by
    the discovery document are represented here. Authorization Code flow with PKCE
    (S256) is the supported interactive flow; refresh_token is supported for
    token renewal.
  version: '2026-06-03'
  contact:
    name: SWITCH edu-ID
    url: https://login.eduid.ch/
  x-uzh-usage: >-
    UZH services rely on SWITCH edu-ID for SAML/Shibboleth and OpenID Connect
    authentication. See https://www.zi.uzh.ch/en/support/identity-access/eduid-faq.html
servers:
  - url: https://login.eduid.ch
    description: SWITCH edu-ID production issuer
tags:
  - name: Discovery
    description: OpenID Provider metadata and key material
  - name: OAuth2
    description: Authorization and token issuance
  - name: OpenID Connect
    description: Identity, userinfo, and session endpoints
paths:
  /.well-known/openid-configuration:
    get:
      tags: [Discovery]
      operationId: getOpenIdConfiguration
      summary: OpenID Provider configuration (discovery document)
      description: >-
        Returns the OpenID Provider metadata document describing supported
        endpoints, scopes, claims, response types, and signing/encryption
        algorithms.
      responses:
        '200':
          description: Provider metadata
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OpenIdConfiguration'
  /idp/profile/oidc/keyset:
    get:
      tags: [Discovery]
      operationId: getJwks
      summary: JSON Web Key Set (JWKS)
      description: Returns the provider's public keys used for signing and encryption.
      responses:
        '200':
          description: A JWK Set
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JwkSet'
  /idp/profile/oidc/authorize:
    get:
      tags: [OAuth2]
      operationId: authorize
      summary: Authorization endpoint
      description: >-
        Initiates the OAuth 2.0 Authorization Code flow. PKCE (code_challenge with
        method S256) is supported. The only advertised response_type is "code"
        and response_mode may be query, fragment, or form_post.
      parameters:
        - name: response_type
          in: query
          required: true
          schema:
            type: string
            enum: [code]
        - name: client_id
          in: query
          required: true
          schema:
            type: string
        - name: redirect_uri
          in: query
          required: true
          schema:
            type: string
            format: uri
        - name: scope
          in: query
          required: true
          description: Space-delimited scopes; must include "openid".
          schema:
            type: string
            example: openid profile email
        - name: state
          in: query
          required: false
          schema:
            type: string
        - name: nonce
          in: query
          required: false
          schema:
            type: string
        - name: code_challenge
          in: query
          required: false
          schema:
            type: string
        - name: code_challenge_method
          in: query
          required: false
          schema:
            type: string
            enum: [S256]
        - name: response_mode
          in: query
          required: false
          schema:
            type: string
            enum: [query, fragment, form_post]
      responses:
        '302':
          description: >-
            Redirect back to redirect_uri with an authorization code (or an error).
          headers:
            Location:
              schema:
                type: string
                format: uri
  /idp/profile/oidc/token:
    post:
      tags: [OAuth2]
      operationId: token
      summary: Token endpoint
      description: >-
        Exchanges an authorization code for tokens or refreshes an access token.
        Supported grant types are authorization_code and refresh_token.
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
      responses:
        '200':
          description: Token response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          description: OAuth 2.0 error response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'
  /idp/profile/oidc/userinfo:
    get:
      tags: [OpenID Connect]
      operationId: userinfo
      summary: UserInfo endpoint
      description: Returns claims about the authenticated end-user.
      security:
        - bearerAuth: []
      responses:
        '200':
          description: UserInfo claims
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserInfo'
        '401':
          description: Invalid or missing access token
  /idp/profile/oauth2/introspection:
    post:
      tags: [OAuth2]
      operationId: introspect
      summary: Token introspection endpoint (RFC 7662)
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required: [token]
              properties:
                token:
                  type: string
                token_type_hint:
                  type: string
                  enum: [access_token, refresh_token]
      responses:
        '200':
          description: Introspection result
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntrospectionResponse'
  /idp/profile/oauth2/revocation:
    post:
      tags: [OAuth2]
      operationId: revoke
      summary: Token revocation endpoint (RFC 7009)
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required: [token]
              properties:
                token:
                  type: string
                token_type_hint:
                  type: string
                  enum: [access_token, refresh_token]
      responses:
        '200':
          description: Token revoked (or already invalid)
  /idp/profile/oidc/end-session:
    get:
      tags: [OpenID Connect]
      operationId: endSession
      summary: End-session (RP-initiated logout) endpoint
      parameters:
        - name: id_token_hint
          in: query
          required: false
          schema:
            type: string
        - name: post_logout_redirect_uri
          in: query
          required: false
          schema:
            type: string
            format: uri
        - name: state
          in: query
          required: false
          schema:
            type: string
      responses:
        '302':
          description: Redirect after session termination
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
    oidc:
      type: openIdConnect
      openIdConnectUrl: https://login.eduid.ch/.well-known/openid-configuration
  schemas:
    OpenIdConfiguration:
      type: object
      description: OpenID Provider metadata as advertised by the discovery endpoint.
      properties:
        issuer:
          type: string
          format: uri
          example: https://login.eduid.ch/
        authorization_endpoint:
          type: string
          format: uri
        token_endpoint:
          type: string
          format: uri
        userinfo_endpoint:
          type: string
          format: uri
        introspection_endpoint:
          type: string
          format: uri
        revocation_endpoint:
          type: string
          format: uri
        end_session_endpoint:
          type: string
          format: uri
        jwks_uri:
          type: string
          format: uri
        scopes_supported:
          type: array
          items:
            type: string
        response_types_supported:
          type: array
          items:
            type: string
        response_modes_supported:
          type: array
          items:
            type: string
        grant_types_supported:
          type: array
          items:
            type: string
        code_challenge_methods_supported:
          type: array
          items:
            type: string
        token_endpoint_auth_methods_supported:
          type: array
          items:
            type: string
        subject_types_supported:
          type: array
          items:
            type: string
        id_token_signing_alg_values_supported:
          type: array
          items:
            type: string
        claims_supported:
          type: array
          items:
            type: string
    JwkSet:
      type: object
      properties:
        keys:
          type: array
          items:
            $ref: '#/components/schemas/Jwk'
    Jwk:
      type: object
      properties:
        kty:
          type: string
          example: RSA
        use:
          type: string
          enum: [sig, enc]
        kid:
          type: string
        alg:
          type: string
          nullable: true
        n:
          type: string
        e:
          type: string
        crv:
          type: string
        x:
          type: string
        y:
          type: string
    TokenRequest:
      type: object
      required: [grant_type]
      properties:
        grant_type:
          type: string
          enum: [authorization_code, refresh_token]
        code:
          type: string
        redirect_uri:
          type: string
          format: uri
        code_verifier:
          type: string
        refresh_token:
          type: string
        client_id:
          type: string
        client_secret:
          type: string
    TokenResponse:
      type: object
      required: [access_token, token_type]
      properties:
        access_token:
          type: string
        token_type:
          type: string
          example: Bearer
        expires_in:
          type: integer
        scope:
          type: string
        id_token:
          type: string
          description: Signed JWT ID token (present when the openid scope was requested).
        refresh_token:
          type: string
    OAuthError:
      type: object
      properties:
        error:
          type: string
        error_description:
          type: string
    IntrospectionResponse:
      type: object
      properties:
        active:
          type: boolean
        scope:
          type: string
        client_id:
          type: string
        token_type:
          type: string
        exp:
          type: integer
        iat:
          type: integer
        sub:
          type: string
        aud:
          type: string
        iss:
          type: string
    UserInfo:
      type: object
      description: >-
        Claims about the end-user. Only claims advertised in claims_supported by
        the discovery document are listed; many are SWITCH edu-ID specific
        (swissEduPerson*, swissEduID*) or eduPerson schema attributes.
      properties:
        sub:
          type: string
        name:
          type: string
        given_name:
          type: string
        family_name:
          type: string
        gender:
          type: string
        birthdate:
          type: string
        locale:
          type: string
        email:
          type: string
          format: email
        email_verified:
          type: boolean
        swissEduID:
          type: string
        swissEduIDUniqueID:
          type: string
        swissEduIDAssuranceLevel:
          type: string
        swissEduPersonUniqueID:
          type: string
        swissEduPersonMatriculationNumber:
          type: string
        swissEduPersonHomeOrganization:
          type: string
        swissEduPersonHomeOrganizationType:
          type: string
        eduPersonAffiliation:
          type: array
          items:
            type: string
        eduPersonScopedAffiliation:
          type: array
          items:
            type: string
        eduPersonPrincipalName:
          type: string
        eduPersonOrcid:
          type: string
        schacHomeOrganization:
          type: string
        schacHomeOrganizationType:
          type: string
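The spec above advertises the Authorization Code flow with PKCE (S256), a token endpoint taking `code_verifier`, and an ID token signed with an algorithm from `id_token_signing_alg_values_supported`. The following is an added relying-party walkthrough of that flow; it is not part of this page and not SWITCH or UZH code. It runs offline: the `DISCOVERY` dict is a constructed subset of the discovery document built from the endpoint paths listed in the spec, the `client_id` and `redirect_uri` are hypothetical, the callback and ID token payload are constructed, and JWT signature verification against `jwks_uri` is assumed to have happened before `validate_id_token_claims` is called.

```python
import base64
import hashlib
import secrets
import time
import urllib.parse

# Constructed stand-in for the discovery document; paths taken from the spec above.
ISSUER = "https://login.eduid.ch/"
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "idp/profile/oidc/authorize",
    "token_endpoint": ISSUER + "idp/profile/oidc/token",
    "jwks_uri": ISSUER + "idp/profile/oidc/keyset",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}


def b64url(data):
    """Base64url without padding, as RFC 7636 and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for method S256 (RFC 7636).

    Only the SHA-256 hash of the verifier travels in the authorize request, so a
    code leaked from the redirect cannot be redeemed without the verifier.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope, state, nonce, code_challenge, discovery=DISCOVERY):
    """Compose the GET to the authorization endpoint with the parameters the spec lists."""
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256; do not fall back to 'plain'")
    if "openid" not in scope.split():
        raise ValueError("scope must include 'openid' to receive an ID token")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # ties the callback to this browser session (CSRF protection)
        "nonce": nonce,  # echoed in the ID token so a captured token cannot be replayed
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)


def check_callback(callback_url, expected_state):
    """Return the authorization code only if the state matches what this session sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: callback was not started by this session")
    return query["code"][0]


def build_token_request(code, redirect_uri, client_id, code_verifier):
    """Form body for POST /idp/profile/oidc/token with grant_type=authorization_code."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,    # must equal the value sent to /authorize
        "client_id": client_id,
        "code_verifier": code_verifier,  # provider recomputes S256 and compares to the stored challenge
    }


def validate_id_token_claims(claims, client_id, expected_nonce, now=None, issuer=ISSUER):
    """Claim checks from OpenID Connect Core 3.1.3.7; the JWT signature must already be verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    return True


def demo():
    """Run the whole flow on constructed data and return the artefacts for inspection."""
    client_id = "example-rp"                          # hypothetical client_id
    redirect_uri = "https://rp.example.org/callback"  # hypothetical relying party
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(client_id, redirect_uri, "openid profile email", state, nonce, challenge)
    callback = redirect_uri + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state  # constructed callback
    code = check_callback(callback, state)
    token_req = build_token_request(code, redirect_uri, client_id, verifier)
    claims = {"iss": ISSUER, "sub": "constructed-sub", "aud": client_id,  # constructed payload
              "exp": int(time.time()) + 300, "iat": int(time.time()), "nonce": nonce}
    validate_id_token_claims(claims, client_id, nonce)
    return {"authorize_url": url, "token_request": token_req, "claims_ok": True}
```

The checks are ordered as a relying party should apply them: refuse to start without S256, reject a callback whose `state` was not issued by this session before touching the code, send the verifier only to the token endpoint, and accept the ID token only after issuer, audience, expiry and nonce match. The `make_pkce_pair` output can be confirmed against the RFC 7636 Appendix B test vector.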