The Zentrum für Digitale Souveränität (ZenDiS) – established at the end of 2022 by the Federal Ministry of the Interior – serves as a competence and service center to strengthen the digital sovereignty of public administration and promote the use of open source. A key project in this effort is openDesk. This web-based workplace combines proven open-source components from various software providers into a technically integrated stack, accessible through a modern interface. Univention has been a key contributor to the development of openDesk from the very beginning, providing core components for identity & access management and the technical integration of applications.

User

The Zentrum für digitale Souveränität (ZenDiS) supports public administration at the federal, state, and municipal levels in reducing critical dependencies on individual technology providers.

To achieve this, ZenDiS provides not only expertise, services, and consulting, but also a cooperation and development platform, along with powerful, scalable, and easily accessible open-source solutions. In addition, ZenDiS consolidates the requirements of public administration and ensures—together with its partners—that solutions are further developed based on actual needs and operated reliably.

Requirements

  • Technical integration of various software solutions for collaboration, email, calendar, project management, communication, and office documents.
  • Scalable Identity & Access Management for Kubernetes environments.
  • Access to all components via a modern, user-friendly web portal.
  • Unified user account and Single Sign-on.
  • Operation in accordance with the German Administrative Cloud Strategy and BSI IT baseline protection.
  • 100% use of open source software.

Solution

  • Univention Nubus as the Identity & Access Management system.
  • User portal with Single Sign-on for access to all modules.
  • Standardized interfaces and ready-to-use integration packages for widely used open-source applications.
  • User self-services.
  • Options for integration into customers’ existing IT infrastructures.

As early as 2020, the IT Planning Council commissioned the Federal Ministry of the Interior and Community to develop and evaluate an open-source alternative for a digital office workplace for public administration. The background included a study by PricewaterhouseCoopers that revealed an extremely high dependency of public administration on Microsoft Office solutions. In early 2024, the newly established Zentrum für Digitale Souveränität (ZenDiS) assumed responsibility for coordination and project management. Based on the dPhoenixSuite solution developed by the IT service provider Dataport, a web-based workplace was created in collaboration with a number of successful European open-source vendors, and officially launched as openDesk at the end of 2024. openDesk is available for download as source code from the open source repository Open CoDE and is offered by ZenDiS as software-as-a-service for public administrations.

Key aspects in the development of openDesk include: digital sovereignty through vendor independence, freedom of choice, participation in shaping the solution, and control. Moreover, the specific needs of public administration must be addressed, and modularity, interchangeability, and interoperability between components and with specialized procedures ensured through an open architecture and standardized, open interfaces. Further requirements include containerized deployment, accessibility, GDPR compliance, and adherence to both BSI security standards and the German Administrative Cloud Strategy.

Components of openDesk

openDesk brings together all essential office applications required by employees in public administration within a single, user-friendly interface. This includes the following functionalities, provided by various software vendors:

  • Project management

  • Task management

  • Contacts

  • Document editing

  • Chat

  • Calendar

  • Wiki

  • Email

  • File storage

  • Video conferencing

Users can access these features through an intuitive web portal after a Single Sign-on with their user account and password, allowing them to easily switch between applications. The individual components from different vendors are deeply integrated at the technical level and work seamlessly together.

Nubus for Kubernetes Enables Integration

The Nubus Identity & Access Management (IAM) system from Univention ensures both secure and user-friendly access to functionalities for end users, and technical interoperability between the modules. For example, files from the “Nextcloud” cloud storage module can be made accessible and editable via the Groupware (OX App Suite) or the project management module (OpenProject). This is made possible by standardized interfaces as well as ready-made integration packages for open-source applications like Nextcloud and Open-Xchange.

This approach minimizes the effort required by end-user organizations for the introduction and operation of openDesk, while maintaining the flexibility to extend or replace modules within openDesk.

The modular development model of openDesk also offers clear benefits for application development. Many of the modules are based on open-source software that is actively developed outside the openDesk context as well. Thanks to the IAM integration, new versions of module software can evolve independently, without requiring changes to openDesk’s interfaces as a whole. This simplifies innovation adoption and improves integration between modules.

Project-driven Improvements

Nubus evolved from the long-established IAM software appliance Univention Corporate Server (UCS), which has been on the market for over 20 years. However, at the beginning of the project, UCS did not meet the requirements for operation in a Kubernetes environment and did not comply with the criteria of the German Administrative Cloud Strategy or BSI IT baseline protection (Grundschutz).

Therefore, a considerable initial effort was required to break down the IAM components of UCS into a scalable container-based architecture, which also necessitated new implementations of some essential features and interfaces.

Nubus Identity & Access Management

Today, Nubus IAM enables central administration of identities and permissions relevant to openDesk in a Kubernetes environment, including:

  • Users & Groups

  • Roles of users and groups within openDesk modules

  • Permissions for accessing resources such as shared mailboxes or meeting rooms

User accounts are managed centrally by IT administrators through a web-based management console. Access rights can be controlled based on group memberships. Nubus also provides standardized interfaces to facilitate the integration of users, user groups, and permissions from external sources such as other directory services. This eliminates the need for manual or duplicate data maintenance, reduces administrative effort, and improves data quality.

User Web Portal for Easy Access to All Functions

The Nubus web portal allows users to centrally and conveniently access all applications connected to openDesk after logging in. For better clarity, users only see the applications for which they have access permissions. A single click on the corresponding tile opens the selected service – whether mail, calendar, documents, or video conferencing – in a new tab. Thanks to the integrated navigation menu present in every module, the visible applications remain accessible at all times, regardless of which module the user is currently working in.

Through a self-service feature, users can update their own profile information, such as contact details or profile pictures. They can also reset and change their password independently.

Identity Provider for Single Sign-On, Single Logout, and Two-Factor Authentication

The technical foundation for Single Sign-on (SSO) – logging in once with a user account and password for access to all openDesk modules – is the integration with an Identity Provider. Univention’s IAM also supports connections to external Identity Providers to enable integration with customers’ existing IT infrastructures.

To protect against cyberattacks, such as unauthorized account takeovers, Nubus implements brute-force prevention mechanisms. Login security is further enhanced by group-based two-factor authentication, using time-based one-time passwords (TOTP).

Additionally, the portal offers configurable features tailored to personal needs, such as a personalized greeting, a newsfeed with current environment updates, quick links to frequently used module features, and info links directing to resources like product documentation or the legal notice (imprint).

Kubernetes Ensures High Scalability and Compliance with BSI Baseline Protection and Administrative Cloud Strategy

The Univention components for Identity & Access Management, IT component integration, and the portal are implemented as containerized Kubernetes components, allowing openDesk to be operated either on-premises or as a cloud service by a hosting provider.

The containers provided for Nubus meet the requirements of BSI IT baseline protection and the German Administrative Cloud Strategy through:

  • Separation of services into individual containers

  • Support for service redundancy and scaling

  • Minimized container sizes

  • Supply chain protection through signed images and SBOMs (Software Bill of Materials)

This is what our customer says.
  • Alexander Smolianitski
    “Nubus is a key component in the architecture of openDesk. As a central portal with comprehensive role and permission management, it enables us to offer user management and, if needed, to integrate existing user directories.”
