Students want simple and secure access to the web resources they need for their studies, including those located outside the university they are enrolled at.
Administrators of web resources want to provide secure access to users entitled to use their resource, with as low overhead as possible.
Without Feide, a user registers with each service he/she wants to access and usually gets a new username and password pair, so-called credentials, for each service. The problems are obvious:
- Users have to deal with too many usernames and passwords, typically one pair for each service.
- Each resource administrator has to register the users on his/her own.
Feide simplifies the processes for all parties involved using the concept of federated identity management:
- A user registers only once - namely with his/her so-called home organization to which the user is affiliated.
This home organization is responsible for maintaining the user related information and provides the user with the credentials. Home organizations can be institutions like universities, university colleges, local and county governments (the school owners) etc.
- Authentication is always carried out by the user's home organization, which can also provide additional information about the user to the service upon the service's request and with the user's consent.
In this way, all Feide-enabled services are available to a user with a single set of credentials. At the same time, there is no need for service providers to register new users, because they get the required information directly from the user's home organization.
- An access control decision is made by the service based on the retrieved information about the user.
Thus federated identity management is based on the concept that services rely on user authentication at the user's home organization and obtain from there the information about the user they need for their authorization decisions.
Feide uses this federated approach to guarantee that each party remains in control of the steps relevant to it:
- Home organizations register and authenticate their members
- Service providers define their access rules
Feide, on the other hand, operates the central log-on components and supports both home organizations and service providers. In practice this means that all messages carrying authentication results and user information are sent through Feide. Feide enters into contracts with all home organizations and service providers.
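The division of responsibilities described above (home organization authenticates and releases attributes with the user's consent, Feide relays, the service applies its own access rule and never sees the password), modelled as an added Python example that is not Feide's own code. It assumes shared HMAC keys in place of the federation's real signing setup, and uses the eduPerson attribute name `eduPersonAffiliation`, which this page does not mention.

```python
import hashlib, hmac, json, os

# Assumption: shared HMAC keys stand in for the federation's real signing keys.
ORG_KEY, FEIDE_KEY = os.urandom(32), os.urandom(32)

def sign(key, payload):
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), "sha256").hexdigest()}

def verify(key, signed):
    expected = hmac.new(key, signed["body"].encode(), "sha256").hexdigest()
    return json.loads(signed["body"]) if hmac.compare_digest(expected, signed["sig"]) else None

class HomeOrganization:
    """Registers members, stores their credentials and attributes, authenticates them."""
    def __init__(self):
        self.users = {}
    def register(self, user, password, attributes):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = {"salt": salt, "digest": digest, "attrs": attributes}
    def login(self, user, password, requested, consented):
        rec = self.users.get(user)
        if rec is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(digest, rec["digest"]):
            return None
        # Only attributes the service requested AND the user consented to are released.
        released = {k: v for k, v in rec["attrs"].items() if k in requested and k in consented}
        return sign(ORG_KEY, {"user": user, "attrs": released})

def feide_relay(org_assertion):
    """Feide verifies the home organization's statement and re-signs it for the service."""
    claims = verify(ORG_KEY, org_assertion)
    return sign(FEIDE_KEY, claims) if claims else None

def service_decision(feide_assertion, allowed_affiliations):
    """The service applies its own access rule to the attributes it received."""
    claims = verify(FEIDE_KEY, feide_assertion) if feide_assertion else None
    if not claims:
        return {"granted": False, "released": {}}
    ok = claims["attrs"].get("eduPersonAffiliation") in allowed_affiliations
    return {"granted": ok, "released": claims["attrs"]}

def run(password, consented):
    """Constructed scenario: one student, a service that admits students and employees."""
    org = HomeOrganization()
    org.register("kari", "correct horse", {"eduPersonAffiliation": "student", "mail": "kari@example.invalid"})
    assertion = org.login("kari", password, requested={"eduPersonAffiliation"}, consented=consented)
    return service_decision(feide_relay(assertion) if assertion else None, {"student", "employee"})
```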