GN4-3 project team
DFN/LRZScrum Master



Maarten KremersSURFNETTask Leader T4

Activity Overview


This activity is the continuation of the former IdP as a Service Business case activity, which goals and direction was fundamentally changed according to the IdP as a Service RfC. It is about designing an open source software targeted at NRENS that is capable of automating the process of deploying and managing IdPs. This software shall offer a platform that can be used by institutions to configure, create and deploy an IdP through an easy to use graphical user interface (GUI). Instead of just implementing such a software, an open design of such a platform shall be defined based on the features needed in the R&E community. This design shall be used to create a reference implementation for the open source community, but it will enable other vendors to offer similar products as well. 

The activity will contain the following tasks:

IdP as a Service Software Design

Creation of a software design package for a software solution that includes a specification and reference architecture. The specification will define the features and requirements needed according to a minimal viable product of an IdP as a Service platform in the context of Research and Education. Based on this specification a technical reference architecture will be designed, which supports these requirements and fits seamlessly into existing R&E software. This package will be validated by the eduGAIN community to make it the official reference design to be used in IdP as a Service offerings.

This way we offer value as we set the baseline for any requirements and potential procurement by NRENs or federations.

Creation of a Reference implementation

Based on the formerly created design, a reference software will be implemented. This reference implementation provides a simple, easily deploy-able solution that includes all specified features using the reference architecture. This solution will be provided to the community as a publicly available open source software including technical documentation. This software is intended to be used by NRENS to create their own IdP as a Service offering for institutions in their country.

There won't be any official product, service or software support provided by GÉANT. The further development of this reference design and software is up to the community. The usage of these resources won't be restricted, so everyone and every organization is free to build their own solution on top. This applies to non-profit organizations as well as commercial vendors, which may offer similar products.

  • Collect requirements from the R&E community
  • Define a software specification and design based on the community requirements
  • Develop a prototype that implements all basic requirements
  • Provide all basic required functionality
  • Gather initial feedback from potential users
Background information

Old activity description:  IdP as a Service Business case

IdP software:

Activity Details

Technical details

The the software created is based on the already existing open source software ( This software does already include a sound code base and was already used in production at

Technologies: PHP, Simphony, SimpleSAMLphp

Solution design:

The following key concepts and assumptions are taken into account by designing a solution:

  1. Remote user database
    An important architecture decision is to provide an interface to use a remote user database to provide user accounts to the system. The initial version will integrate only Microsoft Active Directoy (AD) and OpenLDAP (LDAP), because they are expected to be the most common choice and even available in small organizations, which are the main target group of the service. Several solutions were designed for the connection of remote databases (Remote user database solution design), which will be analyzed within the scope of the activity.
  2. Local user database
    Additionally to the option to use a remote database, there will be an integrated local user database including user management. This offer is aimed in particular at very small organisations, which have no user management in place right now. The user management offered will be a closed system, i.e. the customer will not have access to the user database. User administration is only possible via the integrated user administration. This ensures that the user data is managed correctly. If a customer wants to access the user data directly, a remote user database must be used under his control.
  3. Hosting
    The software is intended to be hosted by NRENS to provide a service to institutions within their federation. Regardless of the implemented user management system, the software will at least process user data even if they are not stored locally. In terms of data protection regulations, this makes the NREN a data processor. This means the NREN must implement appropriate security measures and host the software in a secure environment. The Incubator will provide the software only, no support or hosting guidelines will be provided. The institutions will remain the data controllers and therefore responsible for handling and managing their user data according to law.
Business case

The business case of this activity is to enable NRENS to offer an IdP as a Service solution by providing them a software solution that supports the automatic deployment and management of R&E compliant IdPs.

Data protection & Privacy
  • The software design generally allows compliance to CoCo and GDPR requirements.
  • The software itself is based on commonly used technologies and implements state of the art security measures to ensure security, privacy and data protection.
  • The implementation of security measures and compliance to privacy and local laws is up to the organization using the software to offer a service.

Definition of Done (DoD)

This activity is successfully finished when:

  • A feature specification of a software that supports an IdP as a Service offering is described
  • A technical design and reference architecture of the software is created
  • The specification and design package is published and verified by the community
  • A software prototype using the specification and design is implemented
  • The prototype is documented and publicly available
  • Changes are offered to the open source product


The aim of the Incubator is to deliver a sustainable open source software to the community.

The solutions created may be used by commercial vendors as well. Vendors are invited to (self) asses their service offerings against the specification and the results may be publish in our community. They may offer a solution based on the reference implementation, but now including support features and possibly additional technical features. However if they have another product they want to use that is fine as long as it meets the specification.

A long term goal is to gather organizations from the R&E community to take care of the software. A further involvement of the Incubator or the GÉANT project is not in scope of this activity. There might be consecutive activities started if demanded by NRENS.

Activity Results









(Attach any documents to this page to get them listed.)

  File Modified
File IdPaaS Screencast.webm Dec 11, 2019 by Michael Schmidt

  • No labels