Feide is a centralized identity management solution for the educational sector of Norway and is short for «common electronic identity management» (in Norwegian: «felles elektronisk identitetshåndtering»). The solution is widely used by universities, university colleges, high schools and lower education. With Feide, students and employees in the educational sector get one digital identity that gives them access to web services in the educational field.
Feide is technology and platform independent and offers all educational establishments common guidelines for identity management. A Feide name is valid throughout the Norwegian educational sector and can be used to login to all Feide services a person has access to. The Norwegian Ministry of Education and Research has chosen Feide as the sector’s identity management solution. Practically all students and employees now have a Feide identity. A Feide identity can be used for single sign on (SSO) to an increasing number of services connected to the central login service operated by Feide.
People that use web services in their daily work at schools and universities.
These are services using SAML (web only) or OIDC/OAuth applications (known as clients) offered to the educational sector. Examples of such services are learning management systems, digital learning resources, digital tests, registration systems, services selling student licences and so on.
The services are available for activation for chosen home organizations. Feide grants access to each service to specific home organizations. Further authorization (e.g. only employees should be given access) must be done by the service itself.
These are the educational institutions where students and employees have their daily work and their affiliation. For primary and secondary schools, the home organizations are local or county municipalities (in Norwegian: kommuner /fylkeskommuner). For higher education it is the university colleges and universities. Private school owners can also be Feide home organizations.
All users in Feide are affiliated with home organizations. This means that persons can only get a Feide identity by being a student or employee at a home organization.
These are the organizations developing and offering services in the Feide ecosystem. For OIDC/OAuth applications personal users can also register their services.
Third party APIs¶
A service provider can register an API, which can then be made available to other applications in the Feide ecosystem in a controlled manner. These APIs can also benefit from access control using Feide in a simple way.
In the Feide federation there is a single Identity Provider (IdP) – the central login service. This means that all the home organizations share one common IdP. All Service Providers (SPs) only connects to this IdP. This makes it very easy for SPs to reach many users by only connecting with a single IdP. Illustration 4 shows this.
Illustration 4: Feide architecture. The Feide keyhole symbolizes the IdP.
Note that this is from a technical point of view. SPs decide which organizations should be able to activate the service through Feide. If the service requires payment, formal agreements or contracts, the service provider has to communicate directly with home organizations.
What Feide provides¶
As mentioned in the previous section, Feide runs a central login service offering single sign on (SSO), and thus provides the participants privacy protection and security.
Central login service¶
The central login service acts as an intermediary in the authentication process between users, services, and home organizations. There is no central user store in Feide. All information about users is stored at and managed by the home organizations.
When a user logs in to a service with his Feide identity, the following steps take place:
The user accesses the service login page with a browser.
The service redirects the user to Feide’s login service.
The user enters the Feide username and password, which Feide sends to the user’s home organization.
Username and password are verified by the home organization, and, if they are verified by the home organization, the user’s personal data can be sent to the service via Feide. Each service receives only the personal data that the service and Feide have agreed on in advance.
To read about the actual message flow, see the Feide technical guide.
One of the major benefits of Feide is that it facilitates single sign on (SSO): A user may authenticate once for an entire work session. After logging in once, the user can access a number of services from different service providers without having to login to each one of them.
Another advantage is that the user never gives his or her username and password to the services. Instead there is one single login page for the user.
Authentication with OpenID Connect / OAuth 2.0¶
Feide offers OpenID Connect and OAuth 2.0 interfaces towards applications. End users may choose to authenticate using Feide, ID-porten, guest account, an international account (eduGAIN) or one of the supported social networks.
In Feide, a user’s relationship to schools, workplaces, classes, subjects and more are expressed as group memberships. Services can extract group information with an OIDC/OAuth protected API. Group information is populated from Feide, FSAT (Common Student Administrative Services in Norway) and ad hoc groups.
The API Gatekeeper allows third party data providers or API providers to simplify authorization and access control.
Requesting access and starting to use third party APIs on the Feide platform should be straightforward for application developers, allowing them to use the same access tokens.
As stated earlier – all personal data are stored and managed by home organizations and there is no central user store in Feide. In the process of becoming a Feide home organization, educational institutions have to ensure that their users’ personal data is correct and review their routines and guidelines for managing personal data according to Feide standards.
Feide is restrictive about distributing personal data to the services. Only personal data that is necessary for the operation of the service is released to a service. A Feide service is required to make a formal agreement with Feide specifying what personal data the service should receive. When a user logs in, only the personal data agreed on will be sent to the service.
Services integrated with Feide must be restrictive in how they treat personal data. Personal data should not be distributed further. If any personal data is saved locally, measures should be taken to make sure the data is kept correct and up-to-date.
One important security aspect of Feide is the distributed nature of the Feide solution. A service only receives information about the person who is logged in, and only the information that the service needs.
To provide a secure service, measures have been taken on many levels. The central Feide system is implemented on a robust platform and is subject to a strict operating and monitoring regime.