Project
The specific objective of the project Feasibility study federated Identity Management.nrw is the development and conceptual design of a common approach to establish a federated Identity Management for North Rhine-Westphalia (NRW). Data collection and processing will be carried out with special consideration of already existing cooperation projects (e.g. Sciebo, HPC). Among other things, this involves the preparation of a current state of research on the topic, as well as the collection of already existing activities (e.g. German Research and Education Network - Authentication and authorization infrastructure [DFN-AAI] Federation, centres for communication and information processing [ZKI] and projects in Saxony and Baden-Württemberg). Perspectively, the implementation is to be evaluated in the context of a possible follow-up funding and assessed with regard to the needs.
Goal
The overall goal of this project is to significantly simplify access to IT services from other universities for researchers and teachers as well as for decentralized administrative tasks, thus making them accessible to a wide range of users. Conversely, service offerings can be offered to a larger than local user group. Strengthening the infrastructure is the focus of the project. In particular, it was important to find out whether federated identity management (FIDM) is possible and whether there is a need for it in NRW. An online survey and expert interviews with 25 universities in NRW and service providers confirmed this thesis. Almost all of the universities surveyed see a strong need to offer or use services across universities.
The number of services is also growing steadily thanks to the support of the Digital University.NRW (DH.NRW) and the Ministry of Culture and Science. However, there is still a long way to go. In addition to technical challenges, the participants identified key requirements. The aim is to enable users to access services quickly and easily, especially in the areas of research and teaching.
Requirements and basic principles
The feasibility study yielded new insights into the relevant requirements for a FIDM. These findings were already designed for sustainable usability when the data was generated. The generated concept contributes significantly to the further development and standardization of processes around IDM. Processes are developed once, if necessary, and can be used at all member institutions of the Digital University NRW (DH.NRW). The common understanding increases the permeability of the process organization. This is a prerequisite for mutual service provision.
As part of the feasibility study, the experience gathered was defined in the form of basic principles with regard to federated identity management:
- There should be no central IDM system for NRW.
- The concept and implementation for local IDM operators and service providers should be as simple as possible.
- The sovereignty over data as well as rights and roles remains with the institutions or service providers.
- Establishment of uniform processes and standards
IDM.nrw is more concerned with the process level and the cooperation between the individual universities and their IDM systems. In order to obtain an overview of existing IDM systems and the individual IDM processes in NRW, the system landscape was first examined. The goal was, among other things, to find out where there are requirements that will be considered in the project. The service landscape in NRW was also considered in this context, as there are requirements that need to be addressed here as well. You can read the results that emerged from the survey here. In particular, data security, as well as the definition of common attributes, standard interfaces and uniform role and rights management are important. In order to ensure transparency and to involve the universities, open and regular communication is necessary. The rough concepts derived from the results will be developed into finished specialized concepts in the implementation phase.
State-wide university cooperation
For the successful and goal-oriented implementation of the project, a number of important points must be taken into account. For example, elaborated solutions must be accessible to all universities. This enables even smaller universities to achieve maximum results with minimum effort. The consideration of existing standards and services as well as established techniques offers a very good basis for this. The goal of "identifying common technical and organizational measures for the use of remote services in NRW based on local identities" is to be achieved in this way. The fasability study phase is described in detail in the final report. There are central aspects that must be fulfilled for a FIDM. On the one hand, reach must be created, for which a state-wide understanding is necessary. IDM.nrw offers purely technical and organizational solutions for implementation. Legal responsibility is not assumed. Therefore, all universities themselves are responsible for coordinating solution concepts with the data protection officers and the staff councils before implementation.
Result
With the help of an online survey, we recorded the status quo of the IDM system landscape. Since the IDM area is very large and, above all, has many facets, only specific topics were surveyed. Subsequently, we conducted expert interviews with IDM specialists and surveys with service providers. You can find the detailed results here. The most important results are described below. One of the most important results is that approximately 96% of the universities surveyed see a need for cross-university identity management. This means that the need to use or offer federated services was recognized in NRW. In this context, wishes and requirements for a federated IDM were made.
Central persons groups
One example is the establishment of a unified group/role management. From the survey it is clear that very many universities have a concept on the subject of role administration. However, these differ greatly in their implementation. In relation to this, there is a lack of clear and uniform terminology in the area of IDM, such as the topic of central groups of persons at universities. Especially for service providers this topic is very important to specify the service access.
For mutual understanding it is indispensable to develop constructs to agree at least on certain basic terms and their meaning in order to achieve harmonization of different definitions of groups of persons. Otherwise, too much divergence causes a great potential for conflict and a great deal of coordination. However, exact uniformity is not mandatory. What is important is that the universities have an exact definition of the groups internally. This allows a uniform status to be reliably communicated to FIDM.
Since there is already preliminary work and best practices from DFN, the definition should be done in close coordination with DFN. The State University Act of North Rhine-Westphalia distinguishes between two status groups. Members and affiliates. DFN-AAI uses the attributes eduPersonAffiliation and scopedEduPersonAffiliation for the status groups. These are adopted by IDM.nrw.
Common attributes
Another very important requirement is the lack of common attributes in NRW to realize the service connection quickly and easily. With the establishment of a NRW subfederation in DFN-AAI, attributes defined for NRW will facilitate the interaction between universities and service providers. In the feasibility study, a list was developed as an approach for common attributes, which is based on the best practice recommendation of the DFN-AAI. In particular, the eduPerson and SCHAC concepts were considered.
Evaluation of technologies
Furthermore, the (technical) know how regarding interfaces and further technologies was asked in the context of the surveys. All interviewed universities already use and/or know Shibboleth and have the possibility to federatively access web-based technologies. Encryption using SAML dominates here.
The survey confirmed that the following technologies can be regarded as basic technologies:
- Active Directory
- Lightweight Directory Access Protocol
- Shibboleth (for web-based interfaces)
- SSH (for non-web-based interfaces)
Communication and transparency
Making the project known in NRW is an important issue. The survey as well as some events during the feasibility study already contributed to this. The universities are to be involved at an early stage through regular workshops and discussions. This gives them the opportunity to provide feedback and to participate in the early stages of the project. The results will be incorporated into the optimization of the concepts.
In addition, it is of central importance to create a certain degree of commitment. It is desirable that the universities agree to uniformly adopt the jointly defined attributes, as well as the role & rights management.
This topic will be examined and worked on more intensively in the implementation project.