Implementation phase Federated Identity Management.nrw
In September 2021, the follow-up project Federated Identity Management.nrw (IDM.nrw) started with a project duration of three years. The acquired theoretical knowledge will be transformed step by step into a workable project. The acquired interim results from the feasibility study will be further deepened, so that after only six months the first results will be published and further developed for implementation. The implementation of the results in the state will be accompanied and its progress reported within DH.NRW.
During the project period, there will be close cooperation with the DFN as well as with similar initiatives in other federal states. In this course, among others, an alliance bwIDM and IDM.nrw with the Karlsruhe Institute of Technology will be founded. The follow-up project of KIT bwIDM2 will start at the same time as the follow-up project in IDM.nrw. Due to the close cooperation, both states will benefit from each other's experience and use synergy effects that have not been tapped so far.
Twice a year, state-wide workshops will also be offered to all higher education institutions in NRW. In this way, they can get involved in the design of the project at an early stage and contribute their requirements.
The DFN-AAI federation creates the necessary relationship of trust as well as an organizational and technical framework for the exchange of user information between institutions and service providers. Users at institutes and institutions can thus use their local identifier to gain nationwide access to web-based services of other institutions by successfully authenticating against their home institution. As a federation operator, DFN-AAI only provides the technical metadata; it does not intervene in bilateral agreements between IdP and SP operators, which are (usually) independent responsible bodies. This means that standardizing the basis for authorization for universities (both service users and service providers) is still a challenge. Furthermore, conceptual solutions that enable federated access to non-web-based services do not yet exist.
IDM.nrw wants to meet these challenges and create a process infrastructure for this purpose. The complementary processes are to be integrated into the existing DFN-AAI federation. The first step, and the first building block for establishing a federated identity management (FIDM), is therefore the foundation of an NRW sub-federation that will be integrated into the DFN-AAI.
In particular, this involves the standardization and unification of various processes and definitions and the derivation of NRW standards, which will ensure a quick and easy connection to existing and future services for all institutions.
This results in several advantages for the universities:
- Easy use of services
- Uncomplicated, joint use of non-web-based services in NRW with members of other universities
- Learning of new technologies
- Uniform understanding of roles and rights
- Simple and secure transfer of roles and rights between universities
- Standardized attributes
- Differentiated status group membership
- Less bureaucracy due to elimination of paper applications
- Less effort in maintaining personal data and lifecycle management
- Creation of a foundation for participation in national and Europe-wide activities
The goal of the second project phase is to finally realize and implement a federated identity management in NRW. Based on the rough concepts developed in the feasibility study, ready-made functional concepts will be designed with the help of use cases and made available to the universities in NRW. The aim is to agree on an NRW standard in certain IDM areas in order to make service use and service provision simple and available to all institutions.
The project phase is divided into the following pillars and the associated responsibilities:
In addition to the technical component, coordination and agreement between the individual university institutions in NRW will also be an important factor. By revising the results from the feasibility study, definitions for central groups of persons will be determined. On the one hand, individual case decisions at universities will be identified and on the other hand, the handling of "alumni", "guests", etc. will be determined. For this purpose, a regular exchange with the universities is of central importance. They should then (voluntarily) agree to implement the results in their institutions.
NRW sub-federation
In addition to the coordination of central groups of people, a common definition of attributes in the DFN-AAI will be agreed with the DFN (pillar I). This covers the names, the technical form and the values of the attributes. This should result in a uniform standard for the universities in NRW. By involving the DH.NRW projects, the concepts will be tested on the basis of use cases.
Last but not least, an NRW sub-federation is being set up at DFN, in which all universities in NRW can participate. The states of Schleswig-Holstein and Baden-Württemberg are also working on a FIDM. In this context, it will be examined whether a FIDM is theoretically also possible throughout Germany. This would allow an even wider range of services to be offered and used. However, a concrete implementation is not yet planned at this point.
Throughout the project, it is important to involve the universities. Solutions that cannot be implemented generally are not effective. Therefore, internal and external evaluations will be carried out after each milestone has been reached. On the one hand, they are carried out by the project team itself, and on the other hand, an evaluation from the universities in NRW is obtained in the form of workshops, which take place at least twice a year. This ensures an efficient benefit for all parties involved.
Alliance bwIDM and IDM.nrw
The existing cooperation with the Karlsruhe Institute of Technology (KIT-SCC) will be intensified in this project. The universities in Baden-Württemberg are simultaneously planning the two-year project "bwIDM2" as a follow-up to "bwIDM". By founding an alliance between bwIDM and IDM.nrw, the two projects from NRW and Baden-Württemberg will jointly develop concepts. The aim is to work in sync in order to advance the project together. In the course of this, the existing bwIDM solution will be jointly developed further in order to meet the requirements that exist independently in both federal states. In this way, synergy effects that have not yet been tapped can be used. A joint requirements analysis will aim at mutually transferable blueprints for adaptable solutions at the respective locations. This will ensure cross-state cooperation and the fit of both concepts. Furthermore, the focus will be on evaluating new technologies on the market using jointly defined and established evaluation criteria.
In addition, cooperation with Schleswig-Holstein, which is also planning a FIDM, is being sought. Interim and final results will be discussed in regular exchanges. In this way, the federal states are to benefit from each other's experience and support each other. Compatibility between the different concepts is also ensured in this way.
Technologies and implementation
Furthermore, (new) technologies (pillars II and III) are evaluated, where there is mutual benefit also in cooperation with bwIDM2. In addition to reg-app, we also evaluate technologies around Shibboleth (e.g. multi-factor authentication, OpenID Connect). Subsequently, concepts for implementation are developed, which are tested in selected use cases. This will be done in cooperation with institutions in NRW (pillars IV and V). Among other things, mutual access to HPC clusters of RWTH and KIT will be tested.
The last step will be the realization and integration of the solution concepts in the consortium and the inclusion of further universities in NRW. With best practice examples and defined framework conditions, local IDM systems are to be integrated into the federation.
The developed (interim) results will be presented continuously on the website as well as in a wiki.