Presentation on theme: "From Identity and Authentication ‘point solutions’ to SOA and ESB – ‘NZ Gov’ IdM Architectural Thinking: Five Years On."— Presentation transcript:
1From Identity and Authentication ‘point solutions’ to SOA and ESB – ‘NZ Gov’ IdM Architectural Thinking: Five Years On
2The Dept. of Internal Affairs is.. New Zealand Government’s leader in identity management principles and processesAuthor of the NZ Identity Assurance Framework, & the NZ Evidence of Identity Standard – principles-based documents on best practice identity information managementHolder of authoritative information on New Zealand citizens – registers for births deaths, marriages, issues passports, citizenshipThe home of Government Technology Services (GTS), the All of government IT initiatives – centralised Authentication and Identity Verification Services (igovt since 2007), emerging federated services, collaboration services (Public Service Intranet since 2007), centralised IP and Telephony networks (one.govt since 2009 )
3Background: New Zealand’s culture, policy and legislation Privacy legislation (EU-like) e.g. citizen controls use of/ release of dataNo national ID or ID card, no exchange of biometricsLow national security or illegal immigration driversNo Inter-agency data matching excl. few exceptionsCitizen opt-in: Not compelled to use online servicesAgency opt-in: Not compelled to deliver via onlineLow risk, low budget approach (population: 4m)European models – ID card with card reader – Spanish Example (traditionally have always had ID cards and unique identifiers)US federal approach – in development, but it faces challenges of no central registries of information, everything fragmented by State. More likely that a private sector solution will be developed, e.g. out of medical, financial, given these are some of the few locations where identity information is collected nation wide – an economic (profit driven) imperative to get identity right.India – a unique ID for every member of the country – mass take upPuerto Rico birth certs case – High fraud in the system so voiding all issued birth certificates – and reissuing – but the process will still not eliminate fraud
4In NZ, Identity Management is for citizen service, not national security In contrast to countries with overriding national security issues, NZ’s Identity Management deployment is not designed for use in pursuit of national security.National security requirements are met through existing lawful/law enforcement channels.
5We start today’s story in 2005 but we actually started in 2002… Policy principles before architectural design.Cabinet approved policy principles in 2002 for authenticating people.SecurityAcceptabilityProtection of privacyAll-of-government approachFit for purposeOpt-in
6Government IdP-to-government RP is different to private enterprise… Public sector approach to Identity Management for service ≠ to Private Sector approachGovernment IdP-to-government RP is different to private enterprise…Implicit trustImplicit (and sometimes explicit) federationMinimal discovery – services are knownMinimal liability - Govt can’t sue itself (but citizens can use common law)Opportunity to scale up integration
12Our approach to online authentication Two foundation services – both centralised but separate – identity and logon managementSeparate who a person is (identity) - from logon management - from what they do (activity)Decentralise authorisation and role management out to the edge
13The Government Shared services vision Multiple All-of-Government ServicesBrowserIdentity Selector/Agent Mobile DevicesIdentity ProvidersAny PlatformAny OSAny IAM SolutionAny ProtocolSAML 2.0ID-WSFAttribute ProvidersApplicable agency becomesthe authoritative source
14In 2005 it was all about Authentication… Shared Authentication ServicesPersistent PseudonymsSAML 1.1 initially then SAML 2.0 in 2008
15In 2006 it was all about Identity... Shared Authentication ServicesPersistent PseudonymsIdentity via Browser SSO (SAML 2.0)The Shared Authentication Services become two, with the addition of the IVS.The Identity Verification Service (IVS) moves into Limited Service backed off (but securely separated from) the Passport Office.Think of the Passport Office as an authoritative source of information – in this case core administrative identity informationNote the use of SSO to sign onto the GLS and IVS in order to authenticate the user - as well as verify identity – to the agency prior to authorisation and access control.NZ participated in Liberty’s Interop in 2007 month with this approach.
16By 2007 it was all about authoritative sources(v1.0) Shared Authentication ServicesPersistent PseudonymsIdentity via Browser SSO (SAML 2.0)The Shared Authentication Services expands to provide information from other authoritative sources within government (‘attribute authorities’), delivering single or joined up services
17Enter GOAAMS…. G Government O Online A Attribute A Assertion M Meta S System
18…the Shared Services nirvana – GOAAMS Shared Authentication ServicesBrowserIdentity Selector/Agent Mobile DevicesIdentity ProvidersConclusion: A truly user centric approach..? Is it utopian? Maybe not.Any PlatformAny OSAny IAM SolutionAny ProtocolSAML 2.0ID-WSFAttribute Providers
22Identity Selector/Agent Mobile Devices No common identifierDuplicated contentMultiple data formatsLegacy technologyBrowserIdentity Selector/Agent Mobile DevicesIdentity ProvidersNot hereFocus was hereAttribute Providers
23We needed a ‘perspective’ shift... ‘citizen as a customer’ – authentication and identity important for security but a by-product for folks to get the serviceShift ….from ‘agency has these information assets’…. to ‘ citizens needs to conduct his life’ – leverage off joined-up government business casesdesign for scale, not for pilots
24Enter Service Oriented Architecture, Enterprise Service Bus and a service platform delivery model
25Use SOA and ESB as tools to... Retain all our privacy-aware best practice e.g. user directed consent and ‘pseudonymization’Keep it lightweightBusiness and data at the edge – in agenciesAvoid vendor product overbearance – look to fit-for-purpose open source and extend itBuild a multi-channel delivery platform, not a web portalDesign for the Cloud
26…the old model with the new ‘SOA’ look Service Delivery PlatformAggregated ‘account’ view of their relationship with governmentIdentity ProvidersSAML 2.0, WS-TrustSemantic mappingInternal system architecture is hidden from the Platform; each agency is treated as a ‘black box’ exposing well-defined services to the outside world via the Platform.Agencies in roles of both Attribute Providers and Business service Providers
27Service Delivery Platform Strawman Architecture Government Service Bus DescriptionThe GSB is a shared infrastructure to simplify and facilitate business transactions and service delivery between agencies.FrameworkThe GSB framework may be based on one or more ESB products/frameworks.Communication ModesThe GSB will support two modes of communication; synchronous and asynchronous:Synchronous transactions are initiated by partner agencies’ Web Service Consumers (WSC) targeted at partner’s Web Service Provider (WSP) endpoints for real-time transactions. Most transactions including real-time user interaction will be synchronous.Asynchronous transactions will be one of two kinds:Publish and Subscribe data services where the publishing partner drops information on the GSB and subscribed partner(s) pull information. A variety delivery options may be available: Guaranteed delivery, receipt notification, etc..Fire and forget business transaction exchanges mediated by a GSB orchestration component. The orchestration component would follow business rules to ensure a business transaction is correctly completed across different partners. Transactional integrity, rollback, confirmation, etc. would be managed by this component.Data in TransitThe data transiting the GSB will have these characteristics:Data will be in standards compliant format (CIQ, XBRL, etc.)Cross agency semantic agreement on meaning of data on the busOptional data integrity/confidentiality on messagesUser IdentityAn user token is included in messages pertaining to an individual. There are two types of token that can be used:Authentication tokens with the user’s Federated Logon Tag (FLT) a persistent pseudonymous identifier. This token is a SAML authentication statement created during logon service authentication and indicates that the user is participating in a transaction in real time.“Pseudentity” token with the user’s FLT. This is a SAML token that contains only the user’s FLT and indicates that the user is not participating in real time.Identity tokens are opaque in transit (see Data Manipulation section) and require the igovt STS map the FLT from one Identity Context to another.Data ManipulationAn igovt STS client component will assist in mapping user FLTs between Identity Contexts for GSB transactions pertaining to an individual. When an user token is included in a message carried over the GSB, the STS client component will translate that token, using the STS, into an opaque transit token.At the destination agency, an STS client will request that the STS decrypt the transit token and map the FLT into the destination’s Identity Context.Each Partner Agency may need specific adaptors to translate at protocol/syntactic level between GSB and the agencies services and/or applications.Each Partner Agency may need specific adaptors to translate data to/from agreed semantic format between the GSB and the agencies services and/or applications.TrustA single trust relationship between the partner agency and GSB will replace a multiplicity of trust relationships directly between agencies. Trust will be proxied between partner agencies with the GSB.GSB Questions/CommentsDo we need to implement the consent service to maintain privacy? If so, where does it belong?Will private sector ever play in this space? If that’s a possibility, does something need to be designed in from the outset?There are probably a lot of sector specific data standards that need to be identified/decided.Does there need to be a discovery service on the GSB?Do we need asynchronous services from Day 1?Does the Service Delivery Platform require orchestration?Lessons learned gleaned from Burton Catalyst conference say that an ESB is more about a SOA mindset and compliance with standards than buying and installing a product/suite. It is very easy to fall into the “let’s buy one of those and job done” way of thinking.More lessons learned… Bundled ESB suites are inflexible and generally require organisation to adapt to technology rather than the inverse. From an AoG perspective that’s probably a significant barrier.GSB AssumptionsSome form of consent service required for Pseudonity tokens and Async servicesStatefull web services not required (Fax Paradigm)
28What agencies get from the Government Service Bus... Service Delivery Platform Strawman ArchitectureWhat agencies get from the Government Service Bus...A single interface to send/receive information to other partnersSynchronous and asynchronous data services over OASIS Web Services (Stateful & REST-like)Publish & Subscribe servicesSyntax and protocol transformation & adaptation via the GSB Interface and App/Service InterfaceA way to transport and transform data between agency format and standards based GSB format (semantic mapping).An interface for each app/service published via the GSB
29Account Linking Service – the agency ‘Club’ analogy Service Delivery Platform Strawman ArchitectureAccount Linking Service – the agency ‘Club’ analogyDescriptionA service that simplifies a user’s provisioning into online govt services. This service is able to:query provisioning status of a user at partner agencies,assert user provided information to agencies,facilitate the collection of corroborating information from usersmaintain a collective view of the user’s status and communicate that view to partnersFrameworkALS is simple IdM Workflow processor. It relies on relationships with partners and user provided information to maintain identity relationships and status. Service will be based a standard information format for representing user provisioning status (SPML?) that includes information as to associated business processes.Central Service RequirementsExposes WS endpoints to:GetUsersClubStatus (pull collective view of user from ALS)AssertUsersPartnerStatus (push provisioning status to ALS – presumably to report a status change)Maintain each user’s collective provisioning status (as reported by partners)Executes collectively agreed business rules to create/maintain user status in clubDoes not determine provisioning status at partners (maybe execute business rules on behalf?)Expects to talk to Partner endpoint frequently for status updatesN.B. ALS doesn’t have a UI, provided via Service Delivery PlatformPartner RequirementsExpose a common set of WS endpointsGetUserStatus (pull user status from partner)AssertUserInfo (push user asserted info to partner)AssertALSInfo (push ALS summary view to partner)Maintain relationship between local users and FLTsMaintain information about non-ALS identity proofing / provisioning statusProvision, according to local business rules, based on information from ALS. This may include creating accounts with insufficient trust to actually deliver anything more than personalised information on the basis that trust will “accumulate” as the user interacts with service linkigovt RequirementsExpose IVS underlying services via GSB to allow user provisioning outside existing SAML process flow.May require special treatment from STS to enable generation of conditional user tokens.ALS QuestionsHow do we deal with changes to agencies identity requirements? Some of this needs to be expressed into the UI (new corroborating info?) All of this needs to be based on either easily configured or runtime parameters.Same question for agencies with different apps/services with different requirements.ALS will have to be delivered through the Service Delivery platform which is undefined… This leaves a pretty big, unknown requirement for connecting with that interface.Is the push of status to the ALS required?ALS AssumptionsALS interactions with IVS are addressed elsewhere.
30What agencies get from the Account Linking Service... Service Delivery Platform Strawman ArchitectureWhat agencies get from the Account Linking Service...A service that simplifies a user’s provisioning into online govt services by exposing WS endpoints to ‘pull’ and ‘push’ user status and asserted user information to:query provisioning status of a user at agencies,assert user provided information to agencies,facilitate the collection of corroborating information from usersmaintain a collective view of the user’s status and communicate that view to partnersA Framework that offers simple IdM Workflow processing, relying on agency relationships and user provided information to maintain identity relationships and provisioning status.igovt functionality by exposing Identity Verification services via the GSB to allow user provisioning outside existing SAML process flow.
31What’s next?There’s a lot to build/buy/rent - costing out a ESB/GSB & ALS without complete requirements!Build a Security Token Service (STS) - underwayBuild an Enterprise/Government Service Bus (GSB) - proposedBuild an Account Linking Service (ALS) - proposedBuild a UI for the ALS for users to change preferencesAgencies need to re-tool to be ‘SOA-like’ to join ‘the club’We don’t yet know what we don’t know!Continue participating in OASIS and other standardisation efforts: ‘learn-pilot-contribute’ – ‘learn-pilot-contribute’ e.g. write up as a use case for the ID-Cloud TC!