From autumn 2022, eIAM will gradually move from virtual machines to the container infrastructure of the FOITT. As part of this move, the functionality of today's eIAM Trustbrokers, which are responsible for identity and attribute brokering, must be migrated to eIAM's own development, the "Bundestrustbroker (BTB)". The container infrastructure together with the BTB brings the following advantages:
Which functional requirements does the current BTB cover?
Replacement for the existing eIAM Trustbroker, which is based on Microsoft ADFS and operated on virtual machines.
Portal functionality for pre-authentication, the so-called Home Realm Discovery (HRD), so that users can select their IdP (adopted from ADFS).
Filtering, conversion and enrichment of claims-provider attributes with authorisation and other required entitlement data (adopted from ADFS).
New: single sign-on/single log-out between multiple relying parties, based on SSO/SLO policies and the BTB's own session tracking.
New: an optional pre-authorisation step, e.g. when a user lacks the required access roles at onboarding.
With the introduction of PEP (policy enforcement point) functionality on the BTB, the eIAM architecture for standard eIAM integrations can be simplified, as dedicated PEPs are no longer necessary. All applications that are currently connected according to the standard "STS PEP pattern" can therefore be migrated directly to the BTB (approx. 70% of the applications connected today).
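The following is an added illustration of the brokering steps listed above (filtering, conversion, enrichment, and the pre-authorisation check); it is not BTB or eIAM code, and the policy structure, attribute names, the role directory and the sample IdP attributes are all constructed for the example. The page does not show BTB's real configuration format.

```python
"""Added example, not eIAM/BTB code: a minimal attribute-brokering step
that filters, converts and enriches IdP attributes for one relying party
and refuses to issue claims when required roles are missing."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed per-relying-party policy; BTB's real config format is not shown on the page.
@dataclass(frozen=True)
class RpPolicy:
    rp_id: str
    # IdP attribute name -> (claim name the RP expects, value converter)
    attribute_map: Dict[str, Tuple[str, Callable[[str], str]]]
    # Roles the subject must hold before any claims are issued (pre-authorisation)
    required_roles: Tuple[str, ...] = ()

# Constructed sample of the broker's own authorisation data, keyed by (IdP, subject).
ROLE_DIRECTORY: Dict[Tuple[str, str], List[str]] = {
    ("idp-a", "alice"): ["app1.user", "app1.admin"],
    ("idp-a", "bob"): [],
}

class PreAuthorisationFailed(Exception):
    """Raised when the subject lacks a role the RP requires."""

def broker_claims(idp_id: str, subject: str,
                  idp_attributes: Dict[str, str], policy: RpPolicy) -> Dict[str, object]:
    claims: Dict[str, object] = {}
    # 1. Filter: only attributes named in the policy pass through. Anything else
    #    the IdP sent, including a self-asserted "roles" attribute, is dropped.
    for src, (dst, convert) in policy.attribute_map.items():
        if src in idp_attributes:
            # 2. Convert: rename to the RP's claim name and normalise the value.
            claims[dst] = convert(idp_attributes[src])
    # 3. Enrich: roles come from the broker's own authorisation source,
    #    never from the IdP, so an IdP cannot grant itself application roles.
    roles = ROLE_DIRECTORY.get((idp_id, subject), [])
    claims["roles"] = sorted(roles)
    claims["idp"] = idp_id
    # Pre-authorisation: if a required role is missing, stop here so the RP
    # never sees the user at all (the "missing access roles" case above).
    missing = [r for r in policy.required_roles if r not in roles]
    if missing:
        raise PreAuthorisationFailed(
            f"{subject}@{idp_id} lacks roles {missing} required by {policy.rp_id}")
    return claims

# Constructed policy for a hypothetical relying party "app1".
APP1_POLICY = RpPolicy(
    rp_id="app1",
    attribute_map={
        "mail": ("email", str.lower),
        "givenName": ("given_name", str.strip),
        "sn": ("family_name", str.strip),
    },
    required_roles=("app1.user",),
)

if __name__ == "__main__":
    # Constructed IdP attributes: note the unsolicited "roles" and "homePhone" values.
    alice = {"mail": "Alice@Example.CH", "givenName": " Alice", "sn": "Muster",
             "roles": "app1.admin", "homePhone": "000"}
    print(broker_claims("idp-a", "alice", alice, APP1_POLICY))
    try:
        broker_claims("idp-a", "bob", {"mail": "bob@example.ch", "roles": "app1.admin"}, APP1_POLICY)
    except PreAuthorisationFailed as err:
        print("denied:", err)
```

The point worth checking in any real broker configuration is the same as in the example: an attribute the IdP asserts must not be able to become an authorisation claim unless the broker's own policy explicitly sources it, and unmapped attributes must be dropped rather than passed through by default.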
Which technical requirements does the current BTB fulfil?
It runs on a container platform for easy instantiation, rollover and scalability (Kubernetes, specifically FOITT Atlantica CCP cluster ccp05).
It supports canary deployment to check changes before they affect users: testers select the new version via a cookie before it is released to everyone.
Alignment of the technology stack with FOITT standards to reduce platform maintenance work (Java, Spring Boot, OpenSAML, Angular).
Development and configuration follow the GitOps approach (operational framework), i.e. a complete and traceable setup in FOITT Bitbucket.
BTB Rollout for applications
BTB will be proactively rolled out and activated with the service release Syrah (PROD: 08.01.2023). With this further development of the Trustbroker as the federation component of eIAM, we are setting the course for the future: we are eliminating technological dependencies and reducing complexity in the eIAM architecture, and at the same time keeping the component fit for important future requirements. The purely technical migration of an application to the BTB is intended to be transparent for all applications and to be carried out without any disruption.