
1 Introduction

In learning systems and shared learning environments, identity is the key concept around which other services revolve. Even when learning services are provided to anyone with no costs or other constraints, such as in the case of MOOCs, learners still need to be reliably identified and authenticated, and some of their attributes validated, e.g. names or e-mail addresses. In learning environments, the learners often face different authentication and authorisation systems that require the use of several means for electronic identification, which creates difficulties in maintaining the large number of credentials for a single user [1]. The current approach to dealing with these issues is the so-called ‘federated identity model’ with ‘single sign-on’, which enables secure and uninterrupted service provision by employing a single credential. Security Assertion Markup Language (SAML)-based solutions, Open Authentication (OAuth) and OpenID [2, 3] enable the single sign-on process by allowing the identity provider to share the authentication and authorization information with the service providers. PKI-based models for identification of the learners are also used, for example in the MOOC environment [4].

When accessing cross-border learning services or collaborating with learners from other countries in shared learning environments, other requirements need to be met, e.g. recognizing learners’ national identification means/credentials as valid abroad and making the learner data available in an electronic form from trusted sources. To solve these issues, at least on a continental level, the European Union has been working for many years on an interoperability framework for electronic identity management [5], also aiming at improving the quality of student mobility. The efforts of several large-scale EU projects, such as STORK and STORK 2.0 [6,7,8], resulted in an infrastructure that is currently being put into production in the EU Member States.

Digital technology is crucial for further improvement of learner mobility [9]. The majority of student exchanges between European higher education organizations take place under the Erasmus program (or now the Erasmus+ program), which began in 1987 [10]. It involves more than 4,000 universities, and every year, a few hundred thousand students are allowed to study abroad (303,880 in 2015). Slovene higher education institutions participating in the program, for example, take slightly over 2,000 new students from abroad (2,248 in 2014 and 2,465 in 2015), while about 2,000 Slovenian students are given the opportunity to visit foreign universities (1,987 in 2014 and 2,084 in 2015) [11, 12]. The European Commission set a goal in the Digital education action plans that by 2025, all students in Erasmus+ mobility should be able to have their national identity and student status recognised automatically across the EU Member States, including access to university services when arriving abroad (e.g., study materials, subscription services, libraries) [9]. The learners should also be enabled to identify themselves in “line with the once-only principle” and secure exchange and verification of learner data should be allowed [9].

To meet these objectives, the European Commission implements or co-finances various measures. One of them is the eID4U (eID for University) project from the Connecting Europe Facility (CEF) programme [13]. The goal of the project, which began on February 1, 2018 and is expected to be completed in autumn 2019, is to include higher educational institutions and trusted learner data sources in the eIDAS pan-European infrastructure and enable the infrastructure for learner cross-border electronic identification. The Slovenian part of this eIDAS infrastructure has been established in the second CEF project SI-PASS (Slovenian eIDAS node and integrated services) [14], which was coordinated by the Laboratory for Open Systems and Networks of the Jožef Stefan Institute and was completed in April 2019. The goal of the SI-PASS project (https://cef.si-pass.si) was to establish the central eIDAS node in Slovenia and to connect various cross-border e-services of Slovenian public and private organisations with the node. In the eID4U project, secure cross-border services (e-registration, e-login and e-access) will be further established, which will enable foreign users, for example exchange students, to easily use services (enrolment, learning environment) and wireless networks with national means of electronic identification. The project involves five EU institutions: Politecnico di Torino (Italy), Jožef Stefan Institute (Slovenia), Graz University of Technology (Austria), Universidad Politecnica de Madrid (Spain) and Universidade de Lisboa (Portugal). The solutions developed will also be suitable for other educational e-services accessed by the users from different EU countries.

This paper describes the eIDAS-enabled learning services and the benefits they bring to the learners and learning service providers, especially higher education organisations. The second section first briefly presents the legal basis for the identification of foreign users in the EU and the technical infrastructure that enables such identification. An example of the use of the infrastructure in education clearly shows its usefulness for the establishment of secure cross-border learning services. Section 3 deals with the challenges related to the availability and reliability of learner data, for example the students under the Erasmus+ exchange programme, and the use of cross-border learning services, while Sect. 4 proposes several solutions to improve those e-services. Finally, related work and other European Commission measures are presented.

2 EU eIDAS Regulation

In 2014, a new legal basis for the provision of secure cross-border electronic transactions was adopted in the EU Member States. It aims to ensure the proper functioning of the EU’s internal market and to achieve an adequate level of security for electronic identification and trust services [15]. The EU Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS), which entered into force on 1 July 2016, eliminates the existing obstacles to the electronic identification of users from abroad. Defined conditions for mutual recognition of electronic identification means also provide the basis for safer electronic commerce within the EU.

The regulation allows natural and legal persons to use certain national electronic identification means for access to public e-services, for example learning services, in other EU Member States. Examples of the means are national ID cards with digital certificates, digital mobile keys, and one-time password-based means.

2.1 Technical eIDAS Infrastructure

The eIDAS technical infrastructure provides a technical basis for the implementation of the eIDAS regulation. The infrastructure combines identity, service and attribute providers, and national eIDAS nodes from the EU Member States.

Identity Providers

Identity providers issue electronic identification means and authenticate users. They provide users with a secure electronic identity within the framework of the notified electronic identification schemes. Electronic identification means are more or less resistant to misuse and alteration of identities, so the level of trust in the identified e-identity of a service user largely depends on the type of electronic identification used [16]. Also, the consequences of potential abuses and irregularities in the identification and verification of identities can be less or more serious for different services. The assurance level (low, substantial or high) indicates the level of reliability with which the electronic identification means determines the person’s identity. It depends on the method of proving and verifying the identity of a legal or natural person at the time of registration (e.g., with an identification document without an image or with an image), the type of connection between the electronic identification means of natural and legal persons, the procedure of issuing, delivery and activation of electronic identification means, management of the means, resilience to security threats in authentication, management and organization procedures at the identity providers and technical supervision of the identity providers [16]. For example, a qualified electronic certificate issued on a smart card has a higher assurance level than a qualified certificate stored in a web browser, and the level of this certificate is higher than the password or Facebook and Google accounts.

Service Providers

Service providers are institutions, e.g. higher education organizations, that provide citizens with online services. Based on a verified user identity the service providers decide whether to grant access to the services or not and to what extent. The required assurance level of the identification means, selected by the service provider, depends on the consequences that could arise if the identity of the user was not correct. Those public service providers, e.g. learning service providers, requesting a substantial or high assurance level of the users’ identification means must from 29 September 2018 recognize the means issued as part of the notified schemes of other EU Member States [15]. For now, this is only a German national identity card, and in the last quarter of 2019, it will be necessary to recognize the identification means from Belgium, Estonia, Croatia, Italy, Luxembourg, and Spain. Other EU countries will soon follow.

Attribute Providers

Attribute providers are entities that manage electronic identity data (specific data describing this identity) that go beyond the minimum identification data set as specified in the eIDAS Regulation and presented in Sect. 3. Additional information (e.g., specific to the sectors such as e-learning, e-banking, or e-health) may be necessary to verify authenticity in certain circumstances or grant access to a service for a particular type of user (e.g., learners with valid student status).

Attribute providers should also be connected to the national eIDAS node, so that their data is available in the eIDAS network. Higher educational institutions are just one example of trusted attribute providers. Learning attributes include information on previous education (e.g., title obtained, information on the study program, length of study) for all who have already completed studies, information on the current study, information on the role of an individual, and other information.

eIDAS Node

The last infrastructure element is an eIDAS node that acts as the central point of trust in a country. On the one hand, it connects national infrastructure with foreign service providers, and on the other hand, national identity, attribute and service providers with the infrastructures of other EU countries. Since all national nodes form a circle of trust, it is sufficient that each service or attribute provider establishes trust only with a node in its own country. Educational service providers will thus not have to deal with the verification of identification means from abroad, but will leave this to the identity providers and national eIDAS nodes. Another authentication model, the so-called middleware model, is also being used in the infrastructure. As only one country is using it, it will not be further discussed in the paper.

The central node in Slovenia was established at the Ministry of Public Administration within the SI-PASS project. The Ministry also provides access to the Central Population Register, which serves as a trusted source of basic identification data such as name, surname, gender, date of birth, etc.

2.2 Use of the eIDAS Infrastructure in Higher Education

Figure 1 shows an example of the use of the eIDAS technical infrastructure in higher education. A learner from Slovenia wants to access a learning service in Italy, e.g. apply for a student Erasmus+ exchange. When registering for the exchange, she will use her Slovenian identification means, and at the same time provide the necessary evidence of the current and previous studies in an electronic way. The learner first tells the service provider her country of origin. She is then redirected by the Italian national eIDAS node to a similar node in Slovenia, and then to a Slovenian identity provider that verifies her identity on the basis of the provided identification means. Certified electronic evidence of academic qualifications is obtained from a home academic registry (attribute provider). The Slovenian national eIDAS node sends the collected identity and academic data to the Italian national node, and the data is then forwarded to the service provider. It should be emphasized that for the protection of personal data, the initiator of all actions is the learner alone. Likewise, the learner selects which personal information (qualifications) should be disclosed to the service provider and explicitly gives consent for their disclosure. In the next section, an example of learner data required for the student exchange service is analysed.

Fig. 1. Example of the use of the eIDAS infrastructure in education

3 Learner Data in the Case of Students Exchange

3.1 Students Exchange

The Erasmus+ programme allows a student to perform part of the regular study obligations in the partner institution (host) abroad instead of at the home institution. Partner institutions are those institutions with which a home institution has signed a bilateral agreement on the exchange of students in a given academic year.

The exchange is a two-step process:

  • Student submits the application to the home institution

  • Student is registered at the host institution

For the registration of foreign students at the host institution in Slovenia, for example, the University of Ljubljana (https://studij.uni-lj.si/studexchange/tujci_prva.asp) and the University of Maribor have uniform registration pages for all their faculties. The student first enters the personal data, the name of the exchange program and the year of the foreseen exchange to obtain a unique code. Then, with the help of the birth date and the acquired code, she enters information about current and past studies and information about the exchange.

The expected advantage of using the eIDAS infrastructure in this process is for learners to use their national identification means for registration, and to obtain and provide the required data from trusted sources in electronic form instead of typing them into the form. This could reduce the time of entering the data in the registration forms and verifying their validity.

3.2 Sources of Learner Data

The data that learners must submit at registration for the Erasmus+ exchange can be divided into four groups: identification data, current study data, past performance data, and information on the proposed exchange.

Part of the identification data can be provided by the user’s origin country through the notified schemes, while the remaining data will have to be obtained from other sources. Data sources may vary, for example, a central population register for identification data, a higher education institution or other registers, such as the Slovenian Central Evidence System for Higher Education (eVŠ), for information on the current and past studies. The data may also be provided by students, for example preferences about the envisaged Erasmus+ exchange.

The learner data needed at the time of registration and the proposed sources of this information are briefly presented below. Among the data sources in Tables 1, 2, 3 and 4, AP indicates an attribute provider, eIDAS the notified scheme of the EU Member State, and the student a student herself.

Table 1. List of identification attributes
Table 2. List of the current study related attributes
Table 3. List of the past study related attributes
Table 4. List of the exchange related attributes

Table 1 lists the identification data required by the higher education institution at the time of application. Some of them are already available in the eIDAS infrastructure itself. The European Union defines a minimum set of identification data that uniformly represent the natural and legal person [17]. Mandatory data for a physical person includes current name, current surname, date of birth, and unique identifier, while optional data are name and surname at birth, place of birth, current address, and gender. EU Member States are obliged to provide mandatory information on users of services, while it is their choice to provide the optional data or not. Thus, learning service providers can only expect mandatory data from other countries, even though some countries have announced that they will also include various optional data in their identification schemes. Croatia and Portugal, for example, will include all the optional data in their scheme, while Austria will include none of them.

The second set of data is related to the current study (Table 2) and the student’s home institution. The most reliable source of this data is the higher education institution or the central higher education register, such as eVŠ in Slovenia. To make this information available, the institution or central register must be included in the eIDAS infrastructure. Otherwise, the user must still enter the information in the application form by herself.

For student exchange, information on current degree, successfully finished studies and acquired competencies, such as foreign language skills, are also important (Table 3). Again, the most reliable data sources are the educational institutions the student attended or central registries.

The last set includes information on the proposed student exchange at the host institution (Table 4). In this case, the data is not yet available in any of the information systems or registers, so it must be provided by each student.

4 Improvements

The proposed eID4U improvements aim at more reliable and simpler user identification through the eIDAS infrastructure and the acquisition of the highest possible volume of data electronically from reliable sources that are part of the infrastructure.

4.1 Upgrade of the eIDAS Node for the Needs of Education

The eIDAS infrastructure currently supports only a limited number of identification data to be exchanged through the eIDAS nodes. The current EU DIGIT reference implementations of an eIDAS node (latest versions 1.4.3 and 2.2, both released in September 2018) do not yet allow the identification and treatment of other (sector-specific) attributes except those from the eIDAS minimum data set.

The first eID4U improvement was therefore an upgrade of the eIDAS node (eIDAS-proxy and eIDAS-connector in Fig. 2). Support (marshaller and changed configuration) for additional academic attributes related to the current study, the learner’s home institution, information on current degree, successfully finished studies, and acquired competencies has been included in eID4U in the reference implementation version 1.4.3. The project has also defined an XML scheme and the XML definitions of the attributes, reusing some of the existing learning data schemes [18]. Examples of the defined academic attributes include HomeInstitutionName, HomeInstitutionIdentifier, CurentLevelOfStudy, FieldOfStudy, CurrentDegree or LanguageProficiency. The eID4U project partners have already set up modified eIDAS nodes, connected them into a test network, and tested their interoperability, i.e. that the academic attributes are successfully transferred through the network. An example of a modified eIDAS node is provided at https://eidas.e5.ijs.si/SP/.

Fig. 2. Schematic representation of the infrastructure

4.2 Integration of Academic Attribute Providers

The second step was the integration of the national academic attribute providers into the eIDAS technical infrastructure. AP Connectors have been developed to integrate higher education institutions and central education registries with the national eIDAS nodes. This connection can be achieved either through national eID proxies, such as SPID in Italy [19], or directly with the educational institutions and other trusted sources of academic attributes. In the case of Slovenia, the connector (SI-CAS proxy in Fig. 2), which has been integrated into the eIDAS node, connects directly to the national Evidence and Analytical Information System for Higher Education (eVŠ) and uses the eVŠ web services for accessing the academic attributes. The eVŠ system contains information on all study programs and enrolled students in Slovenian higher education organizations. The information includes, for example, the year of study, the field of study, the name and status of the higher education institution, the study program, the length of the program, the method of study, the date of the first enrolment, etc. The Slovenian central authentication system (SI-CAS) plays the role of an eID proxy that provides basic identification attributes, such as name, surname and eid.

4.3 Upgrade of the Learning E-Services

The last step was the upgrade of existing learning e-services and procedures for registering and identifying learners from abroad. In Slovenia, for example, learning service providers can connect to the Slovenian eIDAS node in two ways: directly to the node or through the Slovenian central authentication system SI-CAS.

Learner Registration

The registration service is one of the most widely used services in educational institutions. The eID4U project results extend the systems and websites for registering learners with an additional login method called “eIDAS Login”. The foreign learner can use this method to register to learning services with her national identity. By clicking on the eIDAS Login button, the user is redirected to the eIDAS infrastructure where she uses her national means of identification as shown in Fig. 1 and described in Sect. 2.2. In addition, the required identification and academic data (data that have eIDAS or AP identified as source in Sect. 3.2) are automatically obtained from the academic attribute providers. The rest of the data, not available at the identity and attribute providers, still need to be entered manually into the registration system or web form.
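
The checks a learning service provider applies to the returned data before pre-filling the registration form can be sketched as follows. This is an added example, not code from the eID4U project: it assumes the eIDAS response has already been signature-verified and parsed into a dictionary, and the form layout, field names, attribute keys and sample values are constructed for illustration.

```python
# Added example: service-provider checks on an eIDAS login result before
# pre-filling an exchange registration form. Assumes the response signature
# was already verified and the response parsed into a dict by the connector.

LOA_ORDER = {"low": 0, "substantial": 1, "high": 2}   # weakest to strongest

# Minimum data set for a natural person (Sect. 3.2). Keys are shorthand labels
# chosen for this example, not the attribute identifiers used on the wire.
MANDATORY = ("CurrentGivenName", "CurrentFamilyName", "DateOfBirth",
             "PersonIdentifier")

# Hypothetical registration form: field -> (source, attribute). Sources follow
# the paper's convention: eIDAS = notified scheme, AP = attribute provider,
# student = typed in by the learner.
FORM_FIELDS = {
    "given_name":       ("eIDAS", "CurrentGivenName"),
    "family_name":      ("eIDAS", "CurrentFamilyName"),
    "date_of_birth":    ("eIDAS", "DateOfBirth"),
    "place_of_birth":   ("eIDAS", "PlaceOfBirth"),       # optional attribute
    "home_institution": ("AP", "HomeInstitutionName"),
    "field_of_study":   ("AP", "FieldOfStudy"),
    "language_skills":  ("AP", "LanguageProficiency"),
    "exchange_period":  ("student", None),
}


class AssertionRejected(Exception):
    """Raised when the login result must not be used for registration."""


def check_assertion(response, required_loa):
    """Return the attributes if assurance level and data set are acceptable."""
    loa = response.get("loa")
    if loa not in LOA_ORDER:                     # fail closed on unknown levels
        raise AssertionRejected(f"unknown assurance level: {loa!r}")
    if LOA_ORDER[loa] < LOA_ORDER[required_loa]:
        raise AssertionRejected(f"level {loa} is below required {required_loa}")
    attrs = response.get("attributes", {})
    missing = [name for name in MANDATORY if not attrs.get(name)]
    if missing:
        raise AssertionRejected(f"mandatory attributes missing: {missing}")
    return attrs


def prefill_registration(response, required_loa="substantial", form=FORM_FIELDS):
    """Split form fields into verified (locked) values and manual entries."""
    attrs = check_assertion(response, required_loa)
    verified, manual = {}, []
    for field, (source, attribute) in form.items():
        value = attrs.get(attribute) if source in ("eIDAS", "AP") else None
        if value:
            # Trusted-source values are locked so typed input cannot replace them.
            verified[field] = {"value": value, "source": source, "locked": True}
        else:
            # Student-supplied, or not released (optional attribute, no consent).
            manual.append(field)
    return verified, manual


# Constructed sample: a country releasing only the mandatory data set, plus
# two academic attributes obtained from its attribute provider.
SAMPLE_OK = {
    "loa": "high",
    "attributes": {
        "CurrentGivenName": "Ana", "CurrentFamilyName": "Novak",
        "DateOfBirth": "1998-04-12", "PersonIdentifier": "SI/IT/EXAMPLE-0001",
        "HomeInstitutionName": "Example University",
        "FieldOfStudy": "Computer Science",
    },
}
SAMPLE_WEAK = dict(SAMPLE_OK, loa="low")   # same data, weaker identification means

if __name__ == "__main__":
    verified, manual = prefill_registration(SAMPLE_OK)
    print("pre-filled from trusted sources:", sorted(verified))
    print("to be entered by the learner:", manual)
    try:
        prefill_registration(SAMPLE_WEAK)
    except AssertionRejected as err:
        print("rejected:", err)
```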

Access to Learning Services and Learning Environments

For years Moodle has been one of the most widespread open source learning management systems with almost 100,000 registered sites and more than 147 million users. The system supports different learning and administration services, such as learner administration, virtual learning rooms (courses) or learning content creation and administration, and different actors. Within eID4U, an open source plug-in for Moodle v3.6 has been developed that enables direct connection to the eIDAS node and identity verification using the eIDAS infrastructure. The user is given the appropriate role in the system and access to learning material is provided on the basis of national identification means and provided verified academic attributes. An example of the eIDAS-enabled Moodle installation (Fig. 3) can be seen at https://e-learn.e5.ijs.si.

Wireless Network Access

The last e-service, which is still being upgraded, is access to a wireless network at a foreign institution. Similar to the Eduroam network, the service will allow users to access the wireless network by electronic identification means issued under the notified eIDAS schemes. In contrast with Eduroam that serves academic users (students, professors) only, other users with valid national means of identification who are authorized to access the network, for example participants at the project meetings, conferences and other events, will also be able to seamlessly connect to the internet.

Fig. 3. Example Moodle login page with the eID4U Login button

5 Related Work

In this section, we briefly present some other approaches that aim at facilitating learner identification and learner mobility in the future and reducing the burden of learning service providers. Most of the approaches are part of the actions implemented under the Erasmus+ and Connecting Europe Facility programmes.

Gerakos et al. describe the connection of the Erasmus exchange student identification service to the eIDAS node, however only with the use of a minimum set of identification data [20]. The Erasmus Without Paper project (EWP) [21] is preparing solutions for the safe exchange of student data. The EWP will link university student information systems into a single network facilitating the preparation of mutual cooperation agreements between institutions, informing selected students for exchange, and transfer of certificates of achievements in the ELMO format [21]. EMREX [22] is building a decentralized system designed to facilitate the transfer of achievements or learning outcomes from students who were abroad on exchange. A student in the information system of a home institution can choose a country and a foreign institution from which she wishes to transfer her achievements and identifies herself with an identification institution for the institution or state at a foreign institution or national contact point covering several institutions at the same time. The selected achievements, written in the ELMO format and electronically signed, are then passed on to them and included in the home information system. Unlike eIDAS, the user needs more means of identification (one for each foreign institution or country). The aim of the European Student Card [23] project is to create a single student card in the form of a smart card for all European students. A student could have several student cards, one for each higher education institution in which she is enrolled. The card can only be used at those universities that recognize it. The ESMO project [24], co-financed by the Connecting Europe Facility, started on April 1, 2018. Its goal is to establish a central hub in each EU country, linking all higher education organizations in that country. The nodes will share data that are not already provided on the eIDAS network.
The StudIES+ project [25] is implemented in the same program as the eID4U and ESMO projects. Its purpose is to facilitate the mobility of students in the European Union through a platform that will include digital services for students of higher education institutions accessed by electronic identity and provide an electronic signature, electronic seal and timestamp.

The largest identity inter-federation system in the area of educational institutions so far has been the eduGAIN service with 59 identity federations, 2986 identity providers and 2344 service providers. The service is worldwide and not restricted only to Europe. Two of the main differences with the described eIDAS infrastructure are lower levels of assurance of the identification means and an attribute scheme that is not suitable for some of the learning services presented in this paper. Nevertheless, there have already been attempts in the past to match the eduGAIN identities with the identities of the eIDAS infrastructure predecessors [6].

6 Conclusion

This paper presents the eID4U approach on improving the cross-border learning services and environments with eIDAS. The main eID4U contributions are integration of the sector specific attributes (academic attributes) into the EU reference implementation of the eIDAS node, integration of the trusted sources of academic attributes in the eIDAS infrastructure, and upgrade of the learning e-services with the mechanisms for easier registration and authentication of foreign users. Learning service providers, higher education organizations and learners will benefit from the established infrastructure and upgraded e-services.

Learning service providers can increase the level of reliability of user identity verification and increase the number of potential service users with learners from other EU countries. Identity checks are delegated to the identity provider, and the infrastructure itself allows the introduction of new services based on strong authentication and verified electronic evidence of academic qualifications. As national identification schemes usually cover the whole population in a country (e.g. with national id cards), the eIDAS-based approaches also significantly increase the number of users.

Accessing verified academic information in an electronic form simplifies certain administrative tasks, such as checking learner paper documents from abroad, and eliminates the possibility of errors in entering data in online forms. Higher education organizations that are included in the infrastructure as trusted sources of academic data on students and graduates enable them to access new cross-border services in other EU Member States. The infrastructure ensures that personal data is adequately protected and the learner decides which information she is willing to disclose.

The presented approach is currently limited to the European Union Member States. For wider coverage, an interoperable framework and federation with other infrastructures is needed, such as an attempt to match identities from eduGAIN and the large-scale pilot STORK project [6].