Development of a shared responsibility model between individual, organizational and state in order to support cross border and cross organizational federation on top of decentralized and self-sovereign identity (SSI).
Identity and access management solutions currently widely in productive use are based on protocols like OpenID Connect, SAML 2.0 and LDAP. Major identity management providers have invested in such federated identity solutions. Small and medium-sized enterprises (SMEs) and large enterprises alike use those solutions and are hesitant to switch to emerging decentralized identity technologies based on verifiable credentials (also known as Self-sovereign Identities - SSI). These technologies are rather new, could bear risks and a switch would require significant investments. Moreover, SSI and decentralized identity have yet to overcome some challenges, for example with regards to automated authorization and trust management. Still, SSI and decentralized identity are promoted by the European Commission as part of their digital strategy for Europe through initiatives like EBSI ESSIF and the EU Digital Identity Wallet (EUDI). Cloud and data exchange initiatives like Gaia-X and Catena-X use SSI/decentralized identity and Verifiable Credentials for their identity and access management. Hence, for the success of these initiatives, but also to make their potential available to SMEs as well as large enterprises, the transition from legacy federated identity systems to SSI and decentralized identity has to be facilitated. For this, we have to specify an innovative architecture that addresses the novel challenges around trust in cross border and cross organizational federations based on decentralized identities and develop a proof of concept demonstrating the viability of this solution.
The project builds on previous research by the project partners Huawei and Fraunhofer IAO. Fraunhofer brings in its ESSIF-TRAIN Open-Source technology to establish and manage trust in SSI ecosystems. The partners are developing an architecture for a middle layer of abstraction that does policy-based transformation of credentials to enable interoperability between legacy federated identity solutions and verifiable credential-based SSI/decentralized identity environments. This architecture is then implemented in a prototype (supporting Open ID Connect) and evaluated for different use cases in a federated data cloud context, such as Gaia-X, Catena-X, and other use cases incorporating cross border or cross organizational federation of identities in ecosystems. The evaluation of the developed technology for these use cases ensures its maturity and that there is an actual applicability of our innovation beyond the project in different areas. The result of the project will be discussed with the wider scientific and practice-oriented audience and made available to the developer community. Therefore, produced software will be published under an Open-Source license.
The solution that is being developed is a shared responsibility model between individual, organizational and state in order to support cross border and cross organizational federation on top of decentralized and self-sovereign identity (SSI). Its major component is a policy-based identity and trust middleware that automates the issuance, verification, and exchange of identity credentials between SSI/decentralized identity and federated identity management solutions while demonstrating compliance with eIDAS 2.0 and GDPR. Policies are leveraged to automate authorization as well as trust management, to include administrative requirements and delegation of authority. The approach demonstrates that coexistence of legacy centralized identity technologies with emerging decentralized SSI solutions is feasible. Weak spots of current SSI/decentralized identity solutions around automated authorization and trust management are addressed. Finally, Fed2SSI lowers the costs and risks of adoption for new data spaces such as Gaia-X that build on SSI and decentralized identity management.