Frequently Asked Questions about the IDM System
The IDM system of TU Dresden (Novell Identity) consists of several components. Besides an application server and a web server, a directory server is also part of the system. This directory server is used only internally and cannot be accessed from outside. For technical and organisational reasons, the central LDAP directory service of TU Dresden is a separate server application. Like the other central authentication services of TU Dresden, the LDAP service is just another target system of the IDM system.
This is regulated in the Prescription for building and running an identity management system at TU Dresden. A comprehensive convention is to manage only data that can be associated with identities as representations of persons and that is needed in at least two connected IT systems.
The IDM system and the central authentication services do not provide data for free use. Each target system receives exactly the data it needs for its work. This applies both to the kind of data (which user attributes) and to its extent (for which users). The target system must describe its data requirements in an entry in the register of processing information.
Data transmission from the IDM system has to be applied for by the prospective target system according to the standardised requirement management process. After the request is received, the IDM team and the people responsible for the target system work out, together with the administrative department for information security, how to implement these requirements technically and organisationally. Necessary conditions for data transmission to the target system are an entry in the register of processing information and an IT security concept.
If an IT system needs additional data that is not yet managed in the IDM system, the standardised requirement management process must be followed. After the requirements are received, the responsibilities and competences for the required data and its security need to be determined. The people responsible for the IDM system will support this process.
Target systems can also be connected via the Shibboleth IdP or the central Active Directory. The type of connection is determined individually according to the process-related and content-related requirements of the target system. The IDM system also offers several fundamentally different alternatives for a direct connection to a target system. To guarantee efficient management and good performance, such individual connections to the IDM system are admitted only in exceptional cases.
The IDM system itself does not provide authentication services. It does, however, supply several central authentication services with data. Among these are the central LDAP directory service, the Shibboleth IdP and the central Active Directory.
Each available authentication service is specialised in serving particular kinds of IT systems. The following rules apply for the connection of target systems:
- Linux-based IT systems: connection via central LDAP directory service
- Windows-based IT systems: connection via the central Active Directory
- Web-based IT systems: connection via Shibboleth
In order to guarantee an efficient management and good performance, direct connections to the IDM system are only allowed in exceptional cases.
The central LDAP directory service is read-only for its clients. Changes are applied only by the IDM system. Writable subtrees within the directory hierarchy are nevertheless possible. Whether such a setup meets the requirements of a particular target system needs to be determined individually.