1. Big Picture of Univention ID Broker

The Univention ID Broker simplifies the connection between the identities of learners and teachers, which are managed by school authorities or federal states, and the various educational service providers, while respecting the data protection regulations in Europe.


Figure 1.1 Overview of the involved components of the ID Broker and external systems.

To reach this goal, the ID Broker ensures the following:

  • Single sign-on for end users between a school authority's IDP and the service providers (educational SaaS offerings).

  • Only one configuration step is needed to connect to the ID Broker, both for IDPs and for service providers. There is no need to configure each IDP with each service.

  • Users are identified by service-specific pseudonyms instead of global identifiers. Because each service sees a different pseudonym for the same user, activities in different services cannot be combined into a single user profile.

  • To give end users a complete environment from the start, service providers can retrieve information about a user's role and courses.

  • To ensure data protection, the ID Broker environment stores only the user's first name, last name and email address, as well as the school class and school memberships.
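The following is an added illustration of the pseudonym property described above; it is not the ID Broker's own code, and the page does not state how the broker actually derives its pseudonyms. The example assumes one secret key per connected service provider, held only by the broker, and derives the pseudonym with HMAC-SHA256 over the internal user identifier. The service names, key values, the sample user and the claim attribute names are constructed for this example.

```python
"""Service-specific pseudonyms: one stable identifier per (service, user) pair.

Added illustration, not ID Broker code. Assumption: the broker keeps one
secret key per service provider and derives pseudonyms with HMAC-SHA256.
"""
import hashlib
import hmac

# Constructed sample keys, one per connected service provider. In a real
# deployment each key would come from a CSPRNG and live only on the broker;
# a service provider never sees its own key, let alone another service's.
SERVICE_KEYS = {
    "sp-reader": bytes.fromhex("11" * 32),
    "sp-quiz": bytes.fromhex("22" * 32),
}

# Constructed sample user record as the broker might hold it.
SAMPLE_USER = {
    "uid": "user-123",          # internal identifier, never leaves the broker
    "given_name": "Anna",
    "family_name": "Example",
    "role": "student",
    "school": "school-a",
    "classes": ["7b"],
}


def derive_pseudonym(service_key: bytes, user_id: str) -> str:
    """Pseudonym of user_id as seen by the service owning service_key.

    HMAC-SHA256 gives a value that is stable for the same (service, user)
    pair, unrelated across services (different keys), and not invertible
    without the key, so a service cannot recover the internal identifier.
    """
    return hmac.new(service_key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonym_for(service_id: str, user_id: str) -> str:
    """Look up the service's key and derive the pseudonym; unknown services fail."""
    try:
        key = SERVICE_KEYS[service_id]
    except KeyError:
        raise ValueError(f"unknown service provider: {service_id}") from None
    return derive_pseudonym(key, user_id)


def claims_for_service(service_id: str, user: dict) -> dict:
    """Attribute set the broker would hand to one service provider.

    The internal uid is replaced by the service pseudonym. Only name, role,
    school and class membership are forwarded; a globally unique attribute
    such as the email address would let two services re-link their profiles,
    so it is deliberately not included here.
    """
    return {
        "sub": pseudonym_for(service_id, user["uid"]),
        "given_name": user["given_name"],
        "family_name": user["family_name"],
        "role": user["role"],
        "school": user["school"],
        "classes": list(user["classes"]),
    }


if __name__ == "__main__":
    for sp in SERVICE_KEYS:
        print(sp, claims_for_service(sp, SAMPLE_USER)["sub"])
```

Running the block prints two different `sub` values for the same user, one per service; neither contains or reveals `user-123`.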

The UCS@school components of the ID Broker, such as the UCS@school Kelvin REST API, are built on top of the UCS core components OpenLDAP, UDM and the UDM REST API. To learn more about UCS and its components, see the Univention documentation.