Implementation project Federated Identity Management.nrw

Project

In September 2021, the implementation project Federated Identity Management.nrw (IDM.nrw) started with a project duration of three years. The theoretical knowledge gained so far will be transformed step by step into a workable project. The interim results of the feasibility study will be deepened further, so that after only six months the first results can be published and developed further for implementation. The implementation of the results in the state will be accompanied and its progress reported within DH.NRW.

During the project period, there will be close cooperation with the DFN as well as with similar initiatives in other federal states. In the course of this, among other things, an alliance between bwIDM and IDM.nrw will be founded with the Karlsruhe Institute of Technology (KIT). KIT's follow-up project bwIDM2 will start at the same time as the IDM.nrw implementation project. Due to the close cooperation, both states will benefit from each other's experience and use synergy effects that have not been tapped so far.

Twice a year, state-wide workshops will also be offered to all higher education institutions in NRW. In this way, they can get involved in the design of the project at an early stage and contribute their requirements.

The project brings various benefits for users and service providers, which are described below.

      DFN-AAI

      The DFN-AAI federation creates the necessary relationship of trust as well as an organizational and technical framework for the exchange of user information between institutions and service providers. Thus, users of institutes and institutions with their local identifier can gain nationwide access to web-based services of other institutions by successfully authenticating against their home institution. As a federation operator, DFN-AAI only provides the technical metadata; DFN AAI does not intervene in bilateral agreements between IdP and SP operators, which are (usually) independent responsible bodies. This means that standardizing the basis for authorization for universities (both service users and service providers) is still a challenge. Furthermore, conceptual solutions that enable federated access to non-web-based services do not yet exist.

      IDM.nrw wants to meet these challenges and create a process infrastructure for this purpose. The complementary processes are to be integrated into the existing DFN-AAI federation. Therefore, the first basic building block for the establishment of a FIDM will be the foundation of a NRW sub-federation, which will be integrated into the DFN-AAI.

      In particular, this involves the standardization and unification of various processes and definitions and the derivation of NRW standards, which will ensure a quick and easy connection to existing and future services for all institutions.

      This results in several advantages for the universities:

      • Easy use of services
      • Uncomplicated, joint use of non-web-based services in NRW with members of other universities
      • Learning of new technologies
      • Uniform understanding of roles and rights
      • Simple and secure transfer of roles and rights between universities
      • Standardized attributes
      • Differentiated status group membership
      • Less bureaucracy due to elimination of paper applications
      • Less effort in maintaining personal data and lifecycle management
      • Creation of a foundation for participation in national and Europe-wide activities

      Goal

      The goal of the implementation project phase is to finally realize and implement a federated identity management in NRW. Based on the rough concepts developed in the feasibility study, ready-to-use functional concepts will be designed with the help of use cases and made available to the universities in NRW. The aim is to agree on a NRW standard in certain IDM areas in order to make service use and service provision simple and available to all institutions.

      The project phase is divided into five pillars (I to V) with associated responsibilities, which are referred to in the sections below:

      In addition to the technical component, coordination and agreement between the individual university institutions in NRW will also be an important factor. By revising the results from the feasibility study, definitions for central groups of persons will be determined. On the one hand, individual case decisions at universities will be identified and on the other hand, the handling of "alumni", "guests", etc. will be determined. For this purpose, a regular exchange with the universities is of central importance. They should then (voluntarily) agree to implement the results in their institutions.


      NRW Subfederation

      In addition to the coordination of central groups of people, a common attribute definition in the DFN-AAI will be agreed with the DFN (pillar I). This covers the names, the technical form and the values of the attributes. The result should be a uniform standard for the universities in NRW. By involving the DH.NRW projects, the concepts will be tested on the basis of use cases.

      Last but not least, a NRW subfederation is being set up at DFN, in which all universities in NRW can participate. The states of Schleswig-Holstein and Baden-Württemberg are also working on a FIDM. In this connection, it will be examined whether a FIDM is theoretically also possible throughout Germany. This would allow an even wider range of services to be offered and used. However, a concrete implementation is not yet planned at this point.

      Throughout the project, it is important to involve the universities. Solutions that cannot be implemented in general are not effective. Therefore, self-evaluations and external evaluations will be carried out after each milestone has been reached. The former are carried out by the project team itself; the latter are obtained from the universities in NRW in the form of workshops, which take place at least twice a year. This ensures that all parties involved benefit.


      Alliance bwIDM and IDM.nrw

      The already existing cooperation with the Karlsruhe Institute of Technology (KIT-SCC) will be intensified in this project. The universities in Baden-Württemberg are simultaneously planning the two-year follow-up project "bwIDM2" as a successor to "bwIDM". By founding an alliance between bwIDM and IDM.nrw, the two projects from NRW and Baden-Württemberg will jointly develop concepts. The aim is to work synchronously in order to advance the project together. In the course of this, the existing bwIDM solution will be developed further jointly in order to meet the requirements of both federal states, which arise independently of each other. In this way, synergy effects that have not yet been tapped can be used. A joint requirements analysis will aim at mutually transferable blueprints for adaptable solutions at the respective locations. This will ensure cross-state cooperation and the fit of both concepts. Furthermore, the evaluation of new technologies will be in the foreground: new technologies on the market will be evaluated using jointly defined and established evaluation criteria.

      In addition, cooperation with Schleswig-Holstein, which is also planning a FIDM, is being sought. Interim and final results will be discussed in regular exchanges. In this way, the federal states are to benefit from each other's experience and support each other. Compatibility between the different concepts is also ensured in this way.


      Technologies and implementation

      Furthermore, (new) technologies (pillars II and III) are evaluated, in cases of mutual benefit also in cooperation with bwIDM2. In addition to reg-app, we also evaluate technologies around Shibboleth (e.g. multi-factor authentication, OpenID Connect). Subsequently, concepts for implementation are developed, which are tested in selected use cases. This will be done in cooperation with institutions in NRW (pillars IV and V). Among other things, mutual access to the HPC clusters of RWTH and KIT will be tested.

      The last step will be the realization and integration of the solution concepts in the consortium and the inclusion of further universities in NRW. With best practice examples and defined framework conditions, local IDM systems are to be integrated into the federation.

      The developed (interim) results will be presented continuously on the website as well as in a wiki. 

      Results

      Short survey on service usage among users of higher education institutions

      The IDM.nrw consortium conducted a short survey on service usage in NRW among users of higher education institutions in NRW, especially those of the consortium. The aim was to gain an initial impression of whether there is interest in using remote services across universities. For this purpose, researchers and teachers from the universities were asked to participate in a short survey. Both closed and open-ended questions were used. A total of 349 members of higher education institutions participated in the survey, 302 of whom are research and/or teaching members.

      The report on the brief survey "Bericht Kurzumfrage zur Servicenutzung bei Nutzer*innen" can be found here.


      NRW Subfederation

      The authentication and authorization infrastructure of the German Research Network (DFN-AAI) already offers the possibility to access web-based services across universities. It also provides an infrastructure and creates a trust relationship between organizations. IDM.nrw wants to complement this infrastructure and create NRW standards as well as enable cross-university access to non-web-based services. Therefore, a NRW subfederation has been established within DFN-AAI.

      The subfederation will significantly simplify future service connections, as access to the subfederation only needs to be granted once. Participating universities in North Rhine-Westphalia (NRW) will no longer have to make individual agreements with the participating services. This applies in particular with regard to federal, European or worldwide federations.

      The entity category "http://aai.dfn.de/category/idm.nrw-member" has already been established at DFN-AAI. The corresponding metadata is published by DFN-AAI as federation operator.

      In order to participate in the NRW subfederation, only a head office in NRW is required. In the further course of the project, IDM.nrw will develop and announce recommendations and best practices for uniform attributes, central groups of persons, and role and rights management. This is intended to maximize the benefits for all parties involved.

      To join the NRW subfederation, please contact project management.


      Common attributes

      In order to provide services for users, service providers need certain data about a person. For example, employees of universities usually have different rights than students. Such characteristics are conveyed as attributes. In addition to non-identifying characteristics such as the postal code of the place of residence, attributes can also contain values that allow conclusions to be drawn about the identity of the user. Examples are a unique identifier, the e-mail address, or surname and first name. The attributes that service providers require in order to make a service available to users vary from service to service.

      The authentication and authorization infrastructure of the German Research Network (DFN-AAI) has published a list of the most common attributes, each with an associated object identifier (OID). The OID serves as a unique, unchangeable identifier of the attribute. The entities that manage identities, such as universities (identity providers), forward the required and requested attributes to the services (service providers) after the user has given their consent. This consent is requested prior to initial registration.

      Until now, universities and services have had to reach individual agreements on the form in which the attributes are transmitted. This requires a lot of effort and delays the connection of services to the universities and, in consequence, the possibility of using the service. This procedure is also very confusing for users, since they cannot easily see which university a given service is offered through and whom they should contact for assistance. In addition, they have to wait unnecessarily before they can access a service.

      In order to avoid this, NRW universities should agree on the set of attributes that should generally be released among each other in the NRW Subfederation. In order to ensure an exchange of information between identity provider and service provider, it is desirable that all attributes are subject to a uniform structure. This applies in particular to attributes that are used for the correct assignment of rights (e.g. student). Up to now, there is no uniformity in this area in NRW.

      Attribute recommendations

      In the feasibility study, an attribute list has already been created based on the best practice recommendations of the DFN-AAI. This list was reviewed in the implementation project and extended in cooperation with the universities in NRW. The goal of the task is to develop an attribute format and a common set of basic attributes for NRW that is as uniform as possible.

      IDM.nrw recommends that identity providers in NRW always release a number of attributes within the NRW subfederation if the service provider specifies them as required. Conversely, service providers should also restrict themselves to these attributes. This ensures that the smallest possible number of attributes is transmitted and that no individual agreements are necessary. 

      DFN-AAI has already developed a number of attribute standards that make it technically easy to exchange attributes between service providers and identity providers. Some of these attributes have become a worldwide standard. Where necessary, IDM.nrw has extended these standards with specific attributes. All attributes newly created by the consortium carry the prefix idmNrw to make them recognizable. Prefixing the NRW scope makes sense during the implementation project, since a uniform form for North Rhine-Westphalia is to be found first. For interoperability with other federal states, rework will be necessary at a later stage. The attributes are listed on the DFN-AAI page.
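      As an added example (not configuration from the IDM.nrw project or DFN-AAI), the following Shibboleth IdP attribute-filter policy shows how an NRW identity provider could implement the release recommendation above: attributes are released only to service providers whose federation metadata carries the idm.nrw-member entity category, and only where the SP marks the attribute as required. The attribute set is an illustrative assumption of standard DFN-AAI attributes; the consortium's own idmNrw-prefixed attributes are not named on this page and would be added as further rules.

```xml
<!-- Added example, not IDM.nrw or DFN-AAI configuration. Shibboleth IdP attribute-filter.xml
     policy (IdP v4 syntax). The attributeID values are assumed to match the IdP's attribute
     resolver names; adjust them to the local resolver. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- The policy applies only to SPs whose metadata carries the NRW subfederation entity category
       established at DFN-AAI; SPs without it fall through to other policies or get nothing. -->
  <AttributeFilterPolicy id="idm-nrw-subfederation">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://aai.dfn.de/category/idm.nrw-member" />

    <!-- Each attribute is released only if the SP lists it as a RequestedAttribute with
         isRequired="true" in its metadata. Merely optional requests are not honoured, which keeps
         the released set minimal and removes the need for bilateral agreements. -->
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
    </AttributeRule>
    <AttributeRule attributeID="sn">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
    </AttributeRule>
    <!-- Attributes not listed here stay blocked for these SPs even if their metadata requests them. -->
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

      The IdP's metadata provider must load the federation metadata that carries the entity-attribute extension for the SP, otherwise the policy never matches. The AttributeInMetadata rule compares the SAML name and NameFormat of the IdP's attribute encoding with the SP's RequestedAttribute entries, so both sides must use the same (DFN-AAI) attribute naming.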

      The complete (interim) results can be found in the IDM.nrw wiki.


      Evaluation of technologies

      The evaluation of (new) technologies is the basis for achieving the technical part of the project goal. Therefore, the consortium first collected a number of technologies with which federated identity management can potentially be realized in NRW. These include technologies from the areas of authentication, multi-factor authentication and group management. In addition, there are methods for the secure and data-minimizing exchange of information.

      The technologies are evaluated and assessed for their suitability on the basis of defined criteria. In the case of certain technologies, the evaluation is carried out in cooperation with bwIDM2 in order to benefit from mutual knowledge and experience.

      There is also close cooperation with the universities in NRW, especially in this work package. In addition to the biannual state-wide IDM.nrw forum, special technology workshops are held. At these workshops, results from IDM.nrw are presented and input is also sought from the universities.

      The complete (interim) results can be found in the IDM.nrw wiki.


      Central groups of persons

      Members of higher education institutions have a number of rights at their institutions that are specific to their position or status. For example, professors have access to learning systems, but finance staff do not. Members of higher education institutions belong to specific groups of people within the university (e.g., student assistants or full-time professors). This information is assigned to a status within the university (member, affiliated, and non-affiliated). Which group of persons has which status is regulated by law in the State University Act, the Art University Act, university statutes and other bases.

      Based on this, universities map the groups of persons to eduPersonAffiliation values. These are recommended for general use by the Authentication and Authorization Infrastructure of the German Research Network (DFN-AAI). They include:

      • other
      • staff
      • faculty
      • student
      • affiliate
      • alum
      • library-walk-in

      Based on these eduPersonAffiliation values, service providers assign specific rights to users. This makes the individual assignment of rights superfluous and speeds up processes.

      At present, the universities in NRW have various central groups of persons. They differ both in designation and definition. For the successful implementation of a federated identity management, it is desirable to achieve harmonization in NRW.

      The goal of this work package is therefore a common understanding of which groups of persons exist and to which affiliations / statuses they are to be mapped. The results are intended to provide a guideline/recommendation to which universities can orient themselves.

      Detailed results are published in the IDM.nrw wiki.

      Use Cases

      Competence Center E-Akte.nrw

      E-Akte.nrw develops a common understanding and recommendations on the procedure for transparent, secure and sustainable digital file management.

      The project supports universities with the introduction, expansion and operation of a document management system by offering concrete consulting services, establishing training measures in cooperation with HÜF and providing a multi-client capable document management system.

      Furthermore, E-Akte.nrw initiates and accompanies the exchange of information between universities on the implementation of digital file management, also by networking with other specialized procedures and projects in NRW.

      The project designs and coordinates the creation of generic e-file solutions (master file solution), accompanies the process of university-specific adaptation and ensures that the implementation remains future-proof. New requirements and changes are taken up and existing master file solutions are further developed in a cooperative manner. (cf. https://e-akte.dh.nrw)

      IDM.nrw develops uniform role formats in the IDM.nrw format for the competence center E-Akte.nrw.

      The project has not joined the NRW subfederation.


      Datensicherung.nrw (Data backup)

      In the course of the digitization of more and more business processes, universities, and organizations in general, are dependent on the availability and persistence of stored data as a basis for their work. Research, teaching and administration are hardly capable of acting without their respective data. The backup of all data and the ability to restore it quickly when needed are thus supporting pillars of digital sovereignty.

      This situation is common to all universities. At the same time, operational requirements are constantly increasing due to the large number of different data-holding systems, and the threat to IT supply is growing rapidly, especially due to cyber attacks. For these reasons, universities in North Rhine-Westphalia (NRW) have initiated the Datensicherung.nrw project.

      The aim of this project is to provide a high-performance data backup service for universities in NRW based on a division of labor. In order to meet this requirement, special attention is paid to the scalability of the concepts and solutions developed.

      In order to map these responsibilities even in the case of different organizational structures for Datensicherung.nrw, a role model was developed in close cooperation with IDM.nrw, which is able to map university-central and decentral responsibilities, among other things.

      Status January 2023


      Coscine.nrw

      "At RWTH Aachen University, the research data platform Coscine has been developed as open source software since 2018 and is used for the management of research (meta)data, as well as for the allocation and provisioning of storage resources for research data. Coscine is developed according to the FAIR principles and implements interfaces for the so-called FAIR Digital Objects. For researchers, Coscine offers access to all research data of a research project and, for example, to the RDS.NRW system, linking with project- or subject-specific metadata as well as the management of project members. Thanks to the low-threshold access management, Coscine can be used as a collaboration platform beyond university boundaries. The development of Coscine also incorporates the findings and requirements from national (NFDI, NHR) and international projects (EOSC, gaia-x, RDA), thus enabling both subject-specific and cross-disciplinary use of the platform. As part of the project, the permanent service Coscine.nrw will be established, making the Coscine software available to all DH.NRW universities." Source: DH.NRW

      In order to be able to transfer roles in a uniform format, Coscine.nrw is developing roles in IDM.nrw format in close cooperation with IDM.nrw.
