Implementation project Federated Identity Management.nrw

Project

In September 2021, the implementation project Federated Identity Management.nrw (IDM.nrw) started with a project duration of three years. The acquired theoretical knowledge will be transformed step by step into a workable project. The acquired interim results from the feasibility study will be further deepened, so that after only six months the first results will be published and further developed for implementation. The implementation of the results in the state will be accompanied and its progress reported within DH.NRW.

During the project period, there will be close cooperation with the DFN as well as with similar initiatives in other federal states. As part of this, among other things, an alliance between bwIDM and IDM.nrw will be founded with the Karlsruhe Institute of Technology (KIT). KIT's follow-up project bwIDM2 will start at the same time as the IDM.nrw implementation project. Due to the close cooperation, both states will benefit from each other's experience and use synergy effects that have not been tapped so far.

Twice a year, state-wide workshops will also be offered to all higher education institutions in NRW. In this way, they can get involved in the design of the project at an early stage and contribute their requirements. Click here to register. 

 

DFN-AAI

The DFN-AAI federation creates the necessary relationship of trust as well as an organizational and technical framework for the exchange of user information between institutions and service providers. Thus, users of institutes and institutions can use their local identifier to gain nationwide access to web-based services of other institutions by successfully authenticating against their home institution. As a federation operator, DFN-AAI only provides the technical metadata; it does not intervene in bilateral agreements between IdP and SP operators, which are (usually) independent responsible bodies. This means that standardizing the basis for authorization for universities (both service users and service providers) is still a challenge. Furthermore, conceptual solutions that enable federated access to non-web-based services do not yet exist.

IDM.nrw wants to meet these challenges and create a process infrastructure for this purpose. The complementary processes are to be integrated into the existing DFN-AAI federation. Therefore, the first step, and the first basic building block for the establishment of a FIDM, will be the foundation of an NRW subfederation that is integrated into the DFN-AAI.

In particular, this involves the standardization and unification of various processes and definitions and the derivation of NRW standards, which will ensure a quick and easy connection to existing and future services for all institutions.

This results in several advantages for the universities:

  • Easy use of services
  • Uncomplicated, joint use of non-web-based services in NRW with members of other universities
  • Learning of new technologies
  • Uniform understanding of roles and rights
  • Simple and secure transfer of roles and rights between universities
  • Standardized attributes
  • Differentiated status group membership
  • Less bureaucracy due to elimination of paper applications
  • Less effort in maintaining personal data and lifecycle management
  • Creation of a foundation for participation in national and Europe-wide activities

Goal

The goal of the implementation project phase is to finally realize and implement a federated identity management in NRW. Based on the rough concepts developed in the feasibility study, ready-made functional concepts will be designed with the help of use cases and made available to the universities in NRW. The aim is to agree on an NRW standard in certain IDM areas in order to make service use and service provision simple and available to all institutions.

The project phase is divided into the following pillars and the associated responsibilities:

In addition to the technical component, coordination and agreement between the individual university institutions in NRW will also be an important factor. By revising the results from the feasibility study, definitions for central groups of persons will be determined. On the one hand, individual case decisions at universities will be identified and on the other hand, the handling of "alumni", "guests", etc. will be determined. For this purpose, a regular exchange with the universities is of central importance. They should then (voluntarily) agree to implement the results in their institutions.

 

NRW Subfederation

In addition to the coordination of central groups of people, a common set of attributes in the DFN-AAI will be agreed with the DFN (pillar I). This includes the names, the technical form as well as the values of the attributes. This should result in a uniform standard for the universities in NRW. By involving the DH.NRW projects, the concepts will be tested on the basis of use cases.

Last but not least, a NRW subfederation is being set up at DFN, in which all universities in NRW can participate. The states of Schleswig-Holstein and Baden-Württemberg are also working on a FIDM. In this connection, it will be examined whether a FIDM is theoretically also possible throughout Germany. This would allow an even wider range of services to be offered and used. However, a concrete implementation is not yet planned at this point.

Throughout the project, it is important to involve the universities. Solutions that cannot be implemented in general are not effective. Therefore, self and external evaluations will be carried out after each milestone has been reached. On the one hand, they are carried out by the project team itself, and on the other hand, an evaluation by the universities in NRW is obtained in the form of workshops, which take place at least twice a year. This ensures an efficient benefit for all parties involved.

 

Alliance bwIDM and IDM.nrw

The already existing cooperation with the Karlsruhe Institute of Technology (KIT-SCC) will be intensified in this project. The universities in Baden-Württemberg are simultaneously planning the two-year project "bwIDM2" as a follow-up to "bwIDM". In the form of an alliance between bwIDM and IDM.nrw, the two projects from NRW and Baden-Württemberg will jointly develop concepts. The aim is to work synchronously in order to advance the project together. In the course of this, a joint further development of the existing bwIDM solution will take place in order to meet the requirements that are independent in both federal states. In this way, synergy effects that have not yet been tapped can be used. A joint requirements analysis will aim at mutually transferable blueprints for adaptable solutions at the respective locations. This will ensure cooperation across the federal states and the fit of both concepts. Furthermore, the evaluation of new technologies on the market will be in the foreground, using jointly defined and established evaluation criteria.

In addition, cooperation with Schleswig-Holstein, which is also planning a FIDM, is being sought. Interim and final results will be discussed in regular exchanges. In this way, the federal states are to benefit from each other's experience and support each other. Compatibility between the different concepts is also ensured in this way.

 

Technologies and implementation

Furthermore, (new) technologies (pillars II and III) are evaluated, in case of mutual benefit also in cooperation with bwIDM2. In addition to reg-app, we also evaluate technologies around Shibboleth (e.g. multi-factor authentication, OpenID Connect). Subsequently, concepts for implementation are developed, which are tested in selected use cases. This will be done in cooperation with institutions in NRW (pillars IV and V). Among other things, mutual access to HPC clusters of RWTH and KIT will be tested.

The last step will be the realization and integration of the solution concepts in the consortium and the inclusion of further universities in NRW. With best practice examples and defined framework conditions, local IDM systems are to be integrated into the federation.

The developed (interim) results will be presented continuously on the website as well as in a wiki. 

Results

Short survey on service usage among users of higher education institutions

The IDM.nrw consortium conducted a short survey on service usage in NRW among users of higher education institutions in NRW, especially those of the consortium. The aim was to gain an initial impression of whether there is interest in using remote services across universities. For this purpose, researchers and teachers from the universities were asked to participate in a short survey. Both closed and open-ended questions were used. A total of 349 members of higher education institutions participated in the survey, 302 of whom are research and/or teaching members.

The report on the brief survey "Bericht Kurzumfrage zur Servicenutzung bei Nutzer*innen" can be found here.

 

NRW Subfederation

The authentication and authorization infrastructure of the German Research Network (DFN-AAI) already offers the possibility to access web-based services across universities. It also provides an infrastructure and creates a trust relationship between organizations. IDM.nrw wants to complement this infrastructure and create NRW standards as well as enable cross-university access to non-web-based services. Therefore, an NRW subfederation has been established within DFN-AAI.

The subfederation will significantly simplify future service connections, as access to the subfederation only needs to be granted once. Participating universities in North Rhine-Westphalia (NRW) will no longer have to make individual agreements with the participating services. This applies in particular with regard to federal, European or worldwide federations.

The entity category "http://aai.dfn.de/category/idm.nrw-member" has already been established at DFN-AAI. The corresponding metadata is available here.
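As an added illustration (not code from IDM.nrw or DFN), the following Python example shows how a service operator could select subfederation members by this entity category from a metadata aggregate whose signature has already been verified. It assumes the category is published in the standard `http://macedir.org/entity-category` entity attribute; the entity IDs and the sample aggregate are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY_ATTR = "http://macedir.org/entity-category"  # assumed carrier attribute
IDM_NRW_MEMBER = "http://aai.dfn.de/category/idm.nrw-member"  # value from the page

def _entity(entity_id, role, attr_name, value):
    """Build one constructed EntityDescriptor for the sample aggregate."""
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{attr_name}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
            f'</mdattr:EntityAttributes></md:Extensions><md:{role} '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            f'</md:EntityDescriptor>')

# Constructed sample aggregate; the entity IDs are placeholders, not real members.
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor ' + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + '>'
    + _entity("https://idp.uni-a.example/shibboleth", "IDPSSODescriptor", CATEGORY_ATTR, IDM_NRW_MEMBER)
    + _entity("https://hpc.uni-b.example/sp", "SPSSODescriptor", CATEGORY_ATTR, IDM_NRW_MEMBER)
    + _entity("https://wiki.uni-c.example/sp", "SPSSODescriptor", CATEGORY_ATTR,
              "http://refeds.org/category/research-and-scholarship")
    # Same URI under a different attribute name: must not count as membership.
    + _entity("https://idp.uni-d.example/shibboleth", "IDPSSODescriptor",
              "http://macedir.org/entity-category-support", IDM_NRW_MEMBER)
    + '</md:EntitiesDescriptor>')

def entity_categories(entity):
    """Return the entity-category values declared in the entity's md:Extensions."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == CATEGORY_ATTR:  # exact match on the attribute name
            values.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values

def subfederation_members(metadata_xml, category=IDM_NRW_MEMBER):
    """Map role ('idp'/'sp') to entityIDs that carry the given entity category."""
    # Verify the aggregate's XML signature against the federation key before
    # calling this; unsigned metadata must never drive trust decisions.
    root = ET.fromstring(metadata_xml)
    members = {"idp": [], "sp": []}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if category not in entity_categories(entity):
            continue
        for role, tag in (("idp", "md:IDPSSODescriptor"), ("sp", "md:SPSSODescriptor")):
            if entity.find(tag, NS) is not None:
                members[role].append(entity.get("entityID"))
    return members
```
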

In order to participate in the NRW subfederation, the only requirement is a head office in NRW. In the further course of the project, IDM.nrw will develop and announce recommendations and best practices for uniform attributes, central groups of persons, and role and rights management. This is intended to maximize the benefits for all parties involved.

To join the NRW subfederation, please contact Gabriel Guckenbiehl.

Services in NRW

Please click here.