Feasability study

Project

The goal of the Feasibility Study Federated Identity Management.nrw (FIDM) is to develop and design a joint approach for a federated identity management system in NRW (North Rhine Westphalia). Both collection and analysis of data have been carried out under the consideration of existing cooperation projects (i.e. Sciebo, HPC). It involves the preparation of the current research status, as well as the collection of existing activities (i.e. within the DFN-AAI federation, ZKI and projects in Sachsen and Baden-Württemberg). An implementation in connection with follow-up funding for the second project phase should be evaluated and assessed regarding requirements.

Goal

The overall goal of an (FIDM) is to provide easy access to IT-services from higher education schools for scientists, teachers and administrative purposes and in return offer easy access to those services to members from other schools. Strengthening the infrastructure is a main topic of this project. Evaluating whether an FIDM is possible and if there is a need for it in NRW was very important as well. The conducted online survey with 25 schools and interviews with service providers proved the theory right. Almost every school sees an FIDM as a necessity.

 

As the Digital College (DH.NRW) and the Ministry for culture and science are supporting services provided by higher education schools, the numbers of services and users are constantly increasing. However, there is still much to do in order to achieve a successful implementation of an FIDM in NRW. Technical difficulties as well as requirements given by schools still need to be solved. Ultimately, users should be able to access services in the fields of science and apprenticeship quickly and easily.  

Requirements and basic principles

The proof of concept brought up relevant findings regarding central requirements for a federated identity management system. They were already designed for sustainable usability when the data was collected. The generated concept is now largely contributing to further development and unification of processes surrounding IDM. Where appropriate, processes are developed once, after which all members of DH.NRW can use them. The common understanding increases the permeability of the process organization, which is a requirement for service delivery.

Regarding a federated identity management system, basic principles were defined based on experiences gained during the feasibility study:

  • There will be no central identity management system for NRW
  • There will be neither an additional user management nor a collection of personal attributes for NRW
  • The implementation concept for IDM operators and service providers will be designed as easily as possible (Keep it short and simple)
  • Sovereignty of data, rights and rolls will remain solely at each school or service provider

IDM.nrw focusses on processes and coordination between each school and their IDM systems. In the first instant, the system landscape in NRW was examined in order to get an overview of existing IDM systems and individual IDM processes. The goal was to determine requirements, which need to be evaluated during the project. Afterwards the service landscape has been evaluated in the same manner. Especially data security as well as defining common attributes, standard interfaces and a homogenous management of rolls and rights are important. Frequent and open communication with schools in NRW is the basis for transparency and hence trust. In the next phase, concepts derived from the results of the feasibility study will be elaborated into technical concepts.

State-wide cooperation of universities

There are important topics, which need to be addressed for a successful and expedient accomplishment of the project. Therefore, solutions need to be accessible for all schools. It enables even smaller institutions to maximize the output while minimizing the effort. Including existing standards, services and established techniques provide a good basis. As a result, the goal of “Identification of common technical and organizational measures for usage of other services based on local identities” will be reached. For a successful FIDM, crucial aspects must be met. A nationwide understanding is necessary in order to achieve a high level of awareness. IDM.nrw offers purely technical and organizational solutions of an implementation. Not however legal responsibility. Therefore, each school is responsible for coordinating solution concepts with data protection officers and staff council, prior to implementing it.

Result

With an online survey, the status of IDM services in NRW has been determined. Since the field of IDM is very large and has many facets, only specific topics were included in the survey. It was followed by interviews with IDM experts as well as surveys with service providers. The results are listed in the final report. One of the main results is that approximately 96% of the participating schools are in need of a federated identity management system and thus to use/ offer services from/ to others schools in NRW. Accordingly, requirements and wishes for an FIDM were stated.

Central persons groups

An example is the establishment of a concept for a unified administration of rolls and rights. Many higher education schools already have a concept for the administration of rolls. However, the concepts of each school vary a lot. This includes the lack of specific and unified conceptual knowledge in the IDM field, such as central persons groups at schools. It is especially important for service providers in order to specify the access to their services.

To generate a mutual understanding, it is important to develop constructs to agree on basic central terms and their definitions in order to achieve alignment of definitions and person groups. It would otherwise cause a great potential for conflicts, followed by high communication efforts. It is however not necessary to achieve overall uniformity. Nonetheless, each schools needs to have specific definitions of each group in order to convey a uniformly status exchange between federated identity management systems.

Since the German research and education network (DFN) has already done preliminary work in this case along with providing best practices, the task of central persons groups will be edited in close coordination with the DFN. For status groups, the state university law uses the attributes eduPersonAffiliation and scopedEduPersonAffiliation. They will also be used by IDM.nrw.  

Standardized attributes

Another important requirement in the lack of standardized attributes in NRW in order to realize the implementation of services easily and quickly. By founding an NRW sub federation within den DFN-AAI, communication between schools regarding attributes will be simplified. A list of examples for unified attributes based on best practices provided by the DFN-AAI has been defined during the feasibility study. Especially the concepts eduPerson and SCHAC were taken into consideration.

Evaluation of technologies

Furthermore, knowhow of intercourses and technologies of higher education schools has been evaluated during a study. Every school already uses and/ or knows Shibboleth, enabling federative access to web based technologies. Encryption via SAML dominates in this case.

The survey proved that the following technologies can be seen as basis technologies in NRW:

  • Active Directory
  • Lightweight Directory Access Protocol
  • Shibboleth (for web based user interfaces)
  • SSH (for non-web bases user interfaces)

Communication and transparency

Advertising the project in NRW is of great importance. The survey as well as a number of events contributed to that. Early on, schools in NRW should be included in the process by conducting events and talks. This provides opportunities for them to contribute in early stages of IDM.nrw. The results will be taken into consideration during further development and optimization of concepts.

Generating strong commitment is also a very important topic. It is desirable that schools are willing to implement joint attributes as well as a joint administration of rolls and rights into their own identity management systems.

The team from IDM.nrw will work on these goals during the next project phase.