Identity Provider

Identity management with low organizational effort

The secure exchange of data between companies is a core feature of the International Data Spaces.

In practice, this exchange has so far been a challenge for companies: federated identity management across organizations has often failed because of organizational and technical obstacles. The International Data Spaces provide identity management across companies according to modern standards and with low organizational effort.

Each International Data Spaces connector has a private key with a corresponding X509v3 certificate (device certificate). Unlike in conventional PKI-based enterprise IDM systems, however, these static certificates are used only for authentication, not for the exchange of identity attributes. Instead, attributes are exchanged using dynamic tokens that the connectors obtain from an attribute server. The attribute server administers the self-descriptions and attested (certified) attributes of the connectors and issues tokens on demand for the attributes a connector requires. Issuing the static X509v3 certificates is therefore decoupled from identity attributes, which may change over time (for example as a result of certification).

Dynamic Attribute Provisioning Service (DAPS)

DAPS is an attribute server that issues OAuth2 access tokens to International Data Spaces connectors. The connectors need these tokens to access the services and data of other connectors. The Fraunhofer DAPS can be accessed at https://daps.aisec.fraunhofer.de and implements RFC 7523 JWT bearer client authentication for OAuth2. This protocol allows the connectors to authenticate themselves to DAPS with their X509v3 certificate and to receive in exchange an access token that they can use to access other connectors.

Note that the decision about permitted access is never made by DAPS but always by the requested connector itself. DAPS merely administers the International Data Spaces attributes of the registered connectors.
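The exchange described in the two paragraphs above, as an added example that is not part of the original page and not the Fraunhofer DAPS implementation: a connector builds an RFC 7523 client assertion signed with the private key behind its device certificate, DAPS authenticates it against the registered public key and issues a short-lived token carrying the connector's attested attributes, and the requested connector validates that token and makes the access decision itself. The registry, identifiers (`connector-A`, `https://daps.example/token`, `IDS_Connectors`), attribute names and validity periods are constructed placeholders; the code needs the `cryptography` package.

```python
import base64, json, uuid
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
RS256 = (padding.PKCS1v15(), hashes.SHA256())  # JWS alg "RS256": RSASSA-PKCS1-v1_5 with SHA-256

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(key, claims: dict) -> str:
    """Compact JWS over the claims, signed with the holder's private key."""
    head = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = key.sign(f"{head}.{body}".encode(), *RS256)
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(pub, token: str, audience: str, now: int) -> dict:
    """Check signature, audience and validity window; raise on any failure."""
    head, body, sig = token.split(".")
    pub.verify(b64url_decode(sig), f"{head}.{body}".encode(), *RS256)  # InvalidSignature on mismatch
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != audience or not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token not for this audience or outside its validity window")
    return claims

# Constructed registry: DAPS knows each connector's public key (from its device certificate) and attributes.
CONNECTOR_KEY = rsa.generate_private_key(65537, 2048)  # demo key; in reality backed by the X509v3 cert
DAPS_KEY = rsa.generate_private_key(65537, 2048)       # demo DAPS signing key
DAPS_ID = "https://daps.example/token"                 # placeholder, not the real DAPS URL
REGISTRY = {"connector-A": {"pub": CONNECTOR_KEY.public_key(), "attrs": {"securityProfile": "BASE"}}}

def build_client_assertion(key, connector_id: str, now: int) -> str:
    """Connector side: RFC 7523 client assertion (iss == sub == connector id, aud == DAPS)."""
    return sign_jwt(key, {"iss": connector_id, "sub": connector_id, "aud": DAPS_ID,
                          "jti": str(uuid.uuid4()), "nbf": now, "exp": now + 60})

def daps_issue_token(assertion: str, now: int) -> str:
    """DAPS side: authenticate the connector with its registered key, then issue its attested attributes."""
    sub = json.loads(b64url_decode(assertion.split(".")[1])).get("sub")
    if sub not in REGISTRY:
        raise PermissionError("unknown connector")
    verify_jwt(REGISTRY[sub]["pub"], assertion, DAPS_ID, now)
    return sign_jwt(DAPS_KEY, {"iss": DAPS_ID, "sub": sub, "aud": "IDS_Connectors",
                               "nbf": now, "exp": now + 3600, **REGISTRY[sub]["attrs"]})

def provider_decides(token: str, now: int, required_profile: str = "BASE") -> bool:
    """Requested connector: validate the DAPS token, then make the access decision itself."""
    claims = verify_jwt(DAPS_KEY.public_key(), token, "IDS_Connectors", now)
    return claims.get("securityProfile") == required_profile
```

The access decision lives in `provider_decides`, not in DAPS: the token only transports attributes, and a provider with stricter requirements simply refuses the same token.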