No More Password Chaos
Mansfeld-Südharz, Germany - October 23, 2025
Ask any county administrator how many passwords she remembers and the answer is a polite grimace: one for the ERP portal, another for the shared SOC dashboard, a third for the state procurement system, plus the rotating TOTP that never seems to sync when the train is late. Multiply that friction across 127 businesses, schools and municipal departments and you begin to understand why “forgotten password” is still the top ticket in every IT help-desk queue. The Cyber Resilience Alliance set out to eliminate that fatigue without exporting identity data to foreign clouds; the result is a federation fabric that feels like single sign-on to the user but behaves like a zero-trust mesh to the engineer—passwords are replaced by short-lived tokens issued by a trust anchor that physically sits in the same county whose boundary stones were laid in 1815.
The architectural choice was made early: no central IdP, not even a redundant pair. Instead, every participating organisation runs its own minimal SAML or OIDC provider inside a sealed Kubernetes namespace that the Alliance calls a “sovereign cell”. Each cell is bootstrapped with a side-car that holds two cryptographic artefacts: an Ed25519 signing key generated in an nCipher Solo+ HSM and a chain-agnostic X.509 credential signed by the County’s offline root CA kept in a vault under the finance department. The root private key never leaves the vault; a quarterly ceremony produces short-lived intermediate certificates that are hand-carried on encrypted USB sticks to each cell. Because the root public key is published in the Bundesanzeiger, any auditor can verify that a token signed by a school in Köthen ultimately traces back to a county-controlled trust anchor without ever transiting a commercial certificate authority outside German jurisdiction. The ceremony sounds quaint until you realise it removes the geopolitical leverage that a non-EU cloud provider could exert by simply revoking a tenant certificate.
Federation metadata is exchanged through a gossip protocol rather than a central registry. When the engineering firm in Sandersleben adds a new OIDC client for its GitLab instance, the cell broadcasts a signed metadata blob to three neighbour cells chosen by latency. Those neighbours validate the signature, cache the blob for twenty-four hours and forward it to their own neighbours, so within minutes every cell possesses a consistent view of reachable services without maintaining a single point of failure. The protocol is deliberately rate-limited to one update per cell per hour, making it impossible for a compromised node to flood the mesh with forged redirects. If a cell goes dark for more than six hours, its cached entries expire and the remaining nodes automatically quarantine any tokens that claim to originate from the silent cell, turning the disappearance of an identity provider into an incident-response signal rather than an outage.
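The gossip rules just described, rendered as one cell's acceptance logic in Go. This is an added illustration, not code from the Alliance or its cells; the cell name and metadata are constructed, and the 24-hour cache expiry and the six-hour quarantine are applied as two separate thresholds on the age of the last accepted update.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"time"
)

// Constructed illustration (not Alliance code) of one cell's view of the gossip layer
// described above; the three timing rules are taken straight from the text.
const cacheTTL, minInterval, silenceTimeout = 24 * time.Hour, time.Hour, 6 * time.Hour

// Blob is one gossiped federation-metadata update.
type Blob struct {
	Cell     string    // originating cell name (hypothetical identifier)
	Metadata []byte    // opaque SAML/OIDC metadata
	Sig      []byte    // Ed25519 signature over Metadata by the origin cell's key
	Received time.Time // set locally by the receiving cell; not part of the signed data
}
type Cell struct {
	Trusted map[string]ed25519.PublicKey // per-cell public keys learned via the county CA chain
	Cache   map[string]Blob               // last accepted blob per origin cell
}

// Receive validates a blob; true means "cached, forward to neighbours", an error means drop it.
func (c *Cell) Receive(b Blob, now time.Time) (bool, error) {
	pub, ok := c.Trusted[b.Cell]
	if !ok || !ed25519.Verify(pub, b.Metadata, b.Sig) {
		return false, errors.New("unknown cell or bad signature")
	}
	if prev, ok := c.Cache[b.Cell]; ok && now.Sub(prev.Received) < minInterval {
		return false, errors.New("rate limited: one update per cell per hour")
	}
	b.Received = now
	c.Cache[b.Cell] = b
	return true, nil
}

// Status says whether tokens claiming to originate from cell may be accepted at time now.
func (c *Cell) Status(cell string, now time.Time) string {
	e, ok := c.Cache[cell]
	switch {
	case !ok:
		return "unknown"
	case now.Sub(e.Received) > cacheTTL:
		delete(c.Cache, cell) // stale entry is purged entirely
		return "expired"
	case now.Sub(e.Received) > silenceTimeout:
		return "quarantined" // the silent cell becomes an incident-response signal
	}
	return "ok"
}
```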
User experience is intentionally boring. A teacher who wants to access the shared SOC dashboard clicks the same bookmark she has always used; the dashboard redirects her to her own school’s login page, already skinned with the school logo and language. After she enters her county AD password, the school cell issues a SAML assertion that contains only two attributes: a pairwise pseudonymous identifier and a locally defined entitlement string such as “teacher:science”. No e-mail, no surname, no birth date—those attributes never leave the organisational boundary. The assertion is wrapped in a JSON Web Token whose payload is encrypted to the dashboard’s public key, so even the school cell cannot read what it just signed. The dashboard decrypts the token, maps the entitlement to a role that grants read-only access to chemical-plant sensors, and opens the landing page. Total round-trip time: 780 milliseconds on a standard DSL line, fast enough that users stop noticing the redirect altogether.
"Sovereign identity feels like magic to the user, yet it is nothing more than a county-owned trust anchor and a few hundred lines of YAML."
The zero-trust layer kicks in every ninety minutes. Each token carries an expiry claim set to ninety minutes plus a random jitter of up to ten minutes to prevent thundering-herd re-authentication. When the dashboard wants to renew, it must present the still-valid token together with a fresh proof-of-possession of the user’s private key generated in the browser through the WebCrypto API. That key lives only in memory and is never exported, so a stolen cookie or XSS scrape is insufficient for renewal. If the renewal fails, the dashboard returns a 401 that triggers a silent re-authentication against the school cell; the user sees nothing unless she has closed the browser tab, in which case she is asked to log in again—no worse than the legacy password experience, but behind the scenes the alliance has just blocked lateral movement of a hijacked session.
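The renewal check, as an added illustration in Go that is not Alliance code: Ed25519 keys stand in for the browser's non-exportable WebCrypto key, the token payload is modelled as a plain struct rather than the encrypted JWT, and the dashboard's per-attempt nonce is assumed to be single-use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"math/rand"
	"time"
)

// Constructed illustration (not Alliance code) of the renewal rule described above. Ed25519
// stands in for the browser's non-exportable WebCrypto key, and the nonce the dashboard
// issues per renewal attempt is assumed to be single-use.
const lifetime, maxJitter = 90 * time.Minute, 10 * time.Minute

// Token is what the dashboard holds after decrypting the JWT: pseudonym, key binding, expiry.
type Token struct {
	Subject string // pairwise pseudonymous identifier
	KeyID   string // SHA-256 thumbprint of the holder's public key
	Expiry  time.Time
}
func Thumbprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Issue binds a fresh token to the holder's key; the jitter spreads expiries so that
// thousands of tokens issued together do not all renew in the same second.
func Issue(subject string, pub ed25519.PublicKey, now time.Time) Token {
	jitter := time.Duration(rand.Int63n(int64(maxJitter)))
	return Token{Subject: subject, KeyID: Thumbprint(pub), Expiry: now.Add(lifetime + jitter)}
}

// Challenge is what the holder must sign: the server nonce bound to this specific token.
func Challenge(tok Token, nonce []byte) []byte { return append([]byte(tok.KeyID+"|"), nonce...) }

// Renew is the dashboard-side check. Any failure is the 401 that triggers silent
// re-authentication at the home cell; a stolen token without the key cannot pass.
func Renew(tok Token, pub ed25519.PublicKey, nonce, proof []byte, now time.Time) (Token, error) {
	switch {
	case !now.Before(tok.Expiry):
		return Token{}, errors.New("401: token expired")
	case Thumbprint(pub) != tok.KeyID:
		return Token{}, errors.New("401: presented key is not the one bound to the token")
	case !ed25519.Verify(pub, Challenge(tok, nonce), proof):
		return Token{}, errors.New("401: invalid proof of possession")
	}
	return Issue(tok.Subject, pub, now), nil
}
```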
Administration is handled through a single git repository that stores declarative manifests for every cell: which claims to release, which attributes to encrypt, which upstream factors to accept. A change request is nothing more than a merge request reviewed by two peers from different organisations; once merged, a continuous-delivery pipeline pushes the manifest to the target cell and updates the signed metadata blob automatically. Because the repository is public within the federation, any member can audit another member’s policy without asking for permission, turning compliance into a side effect of version control. The first time a county employee tried to add a plaintext mail attribute, the review bot rejected the commit and cited the federation charter paragraph that forbids export of personally identifiable data. The employee amended the commit within fifteen minutes; policy enforcement had occurred without a single meeting or e-mail.
Cryptographic agility is baked into the design. When the post-quantum transition inevitably arrives, the only component that needs replacement is the Ed25519 signing key inside each HSM; the gossip layer, the metadata format and the token encryption scheme are all algorithm-agnostic. We have already run a three-week pilot using CRYSTALS-Dilithium signatures embedded in X.509 v3 extensions, and the only observable change was a 40-byte increase in token size. No application code was touched, no user interface changed. That future-proofing means the federation can absorb quantum-resistant algorithms at the speed of firmware rather than at the speed of bureaucracy, a luxury rarely offered by proprietary identity clouds that tie cryptography to quarterly release cycles.
The economic footprint is modest but deliberate. A typical cell consumes two virtual CPUs and 4 GB of RAM—small enough to run on a fan-less Intel NUC bolted inside a utility closet, yet powerful enough to handle 2 000 concurrent logins during a ransomware exercise. The county reimburses each organisation 480 € per year for electricity, a line item that costs less than one annual Yubico token subscription and yet keeps the financial flow visible in municipal bookkeeping, ensuring that identity infrastructure is treated as public infrastructure rather than shadow IT. Over five years the aggregate power draw of all 127 cells is projected to stay below 70 megawatt-hours, less than the yearly consumption of the county’s Christmas-market Ferris wheel, demonstrating that sovereignty does not have to be traded against sustainability.
Perhaps the most subtle benefit is psychological. When users realise that their credentials never leave the county wire, the conversation shifts from “Why do I need yet another password?” to “Why doesn’t every service work like this?” That reframing turns identity from a burden into a civic feature, something the region offers its citizens rather than something IT imposes on them. The first mayor who experienced the flow asked whether the same fabric could be extended to library cards; the first school principal wanted to attach student portfolios to the same wallet. The federation had not planned to become digital infrastructure, but infrastructure is what you get when cryptographic trust becomes as mundane as street lighting—always on, never noticed, entirely local.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.