A User Centric and Claims Based Architecture for British Columbia
Ian Bailey
Director, Application Architecture
Office of the CIO, Province of BC
Agenda
Background on BC & Use Cases
Connected Workforce
Citizen Centred Service
Authoritative Parties & Claims
IDM Architecture Project
IDM Pilots
Claims and Standards
Questions
Province of British Columbia
[Map slide: location of British Columbia within Canada]
Western most province in Canada
4.4 Million Citizens
400,000 Businesses
2 Million workers
400,000 people participate in the delivery of public services
Two general use cases
Connected Workforce: many public and private sector organizations, using different vendor products, sharing information for better outcomes
Citizen Centred Service: providing electronic services to citizens, with privacy, safety and ease of use
Connected Workforce: 400,000 member workforce
Approximately 500 public sector organizations:
Government ministries, agencies & boards
Health authorities and hospitals
School districts, universities, colleges
Municipalities, regional districts
Crown Corporations
1000's of licensed professionals
10,000's of contracted service providers
Connected Workforce: “Information Sharing for better outcomes”
Workforce should be able to get access to the information they need to do their job.
An identity management eco-system is key to ensuring the right person has access to the right information, at the right time, and for the right purpose.
Connected Workforce: 400,000 Businesses
They may have their own sophisticated IT infrastructures and have a username & password or smart card at their workplace
Or they may need a common Identity provider service
BCeID is our identity service
[Chart: Number of Businesses by Size of Business; large businesses are federated, while the common identity provider BCeID serves small businesses]
Citizen Centred Service: 4 Million citizens
A common Identity provider service for public services in any sector
BCeID is our service
Desire for additional features:
Privacy protection and Minimal Disclosure
Internet Safety
Authoritative Parties and Claims
Government is an authority for personal identification claims
Government is an authority for business identity claims
Organizations are an authority for claims about their employees
Professional bodies are an authority for claims about their members
Individuals are the authority for some claims about themselves
BC Identity Management Forum, Spring 2006
In April 2006 we brought together the largest BC public sector organizations and our major IT suppliers
Invited them to work towards a solution that:
Protects privacy & security
Leverages authoritative sources for identity information (claims)
Scales to connect our workforce and the public
BC Identity Management Forum, Fall 2006
Engaged public sector CIOs and architects
Contracted with Bell, CA, Deloitte, IBM, Microsoft, Nortel, Novell, Oracle, Siemens, Sun Microsystems, Sxip, and Telus
Sxip Identity to coordinate and manage forum
Develop an architecture for the two use cases
BC Identity Management Forum: Requirements Document
Contents:
An agreed lexicon of terms
34 general requirements
Privacy best practices
Security gradient
Authoritative sources of identity claims
Loose coupling for scaling
http://www.cio.gov.bc.ca/idm/idm_forum/
BC Identity Management Forum: Architecture Document, July 2007
Contents:
Background/methodology/principles
Core architecture interactions
Additional use case interactions
Standards and architecture recommendations
http://www.cio.gov.bc.ca/idm/idm_forum/
Core Architecture
Authoritative Party (AP): authorities recognized to make claims
Relying Party (RP): requests and accepts claims to satisfy local policy
Identity Agent (IA): facilitates and controls the distribution of claims for a principal
[Diagram: a Root Authorities / Trust Model spans the parties; two of the parties each keep a Local Policy and an Audit log]
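The AP, RP and IA interactions above, with the RP's root-authority trust model, local policy and audit log and the minimal-disclosure behaviour the deck asks for, as an added Python sketch that is not from the presentation or from any BC system. All party names, keys, claim names and assurance values are constructed placeholders, and an HMAC stands in for the signed security token a real Managed Information Card issuer would produce.

```python
import hashlib, hmac, json

# Constructed demo keys: the RP's root-authority trust model names which APs it recognizes.
AP_KEYS = {"bceid.example": b"demo-key-bceid", "acme-corp.example": b"demo-key-acme"}
RP_TRUST_MODEL = {"bceid.example"}
RP_LOCAL_POLICY = {"required": ["employee_id", "assurance_level"], "min_assurance": 2}

# Constructed principal: one managed card per AP; each AP's full record holds more than any RP should see.
SAMPLE_CARDS = [
    {"issuer": "acme-corp.example", "claims": ["employee_id", "assurance_level"]},
    {"issuer": "bceid.example", "claims": ["employee_id", "assurance_level", "name"]},
]
SAMPLE_RECORDS = {
    "acme-corp.example": {"employee_id": "E-100", "assurance_level": 3, "name": "Pat Lee"},
    "bceid.example": {"employee_id": "B-42", "assurance_level": 2, "name": "Pat Lee", "date_of_birth": "1980-01-01"},
}

def ap_issue_claims(ap_id, record, requested):
    """AP: sign only the claims the RP asked for (minimal disclosure)."""
    claims = {name: record[name] for name in requested if name in record}
    payload = json.dumps({"iss": ap_id, "claims": claims}, sort_keys=True)
    sig = hmac.new(AP_KEYS[ap_id], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def identity_agent(cards, policy, trusted):
    """IA: on the principal's behalf, pick a card from a trusted AP that covers every required claim."""
    for card in cards:
        if card["issuer"] in trusted and set(policy["required"]) <= set(card["claims"]):
            return card
    return None  # the principal holds no card that can satisfy this RP

def rp_accept(token, policy, trusted, audit_log):
    """RP: check the trust model, verify the signature, apply local policy; audit every decision."""
    body = json.loads(token["payload"])
    issuer, claims = body["iss"], body["claims"]
    expected = hmac.new(AP_KEYS.get(issuer, b""), token["payload"].encode(), hashlib.sha256).hexdigest()
    ok = issuer in trusted and hmac.compare_digest(expected, token["sig"])
    ok = ok and all(name in claims for name in policy["required"])
    ok = ok and claims.get("assurance_level", 0) >= policy["min_assurance"]
    audit_log.append({"issuer": issuer, "claims": sorted(claims), "accepted": ok})
    return ok

def run_flow(cards, records, audit_log):
    """One visit to the RP: the IA picks a card, the AP issues claims, the RP decides."""
    card = identity_agent(cards, RP_LOCAL_POLICY, RP_TRUST_MODEL)
    if card is None:
        return False
    token = ap_issue_claims(card["issuer"], records[card["issuer"]], RP_LOCAL_POLICY["required"])
    return rp_accept(token, RP_LOCAL_POLICY, RP_TRUST_MODEL, audit_log)
```

The audit entry records which issuer and which claim names were presented, so the RP can show it never received attributes (here name and date of birth) outside its policy.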
BC Identity Management Forum: Pilots
Test/Pilot the two main use cases using Information Cards:
Connected workforce
Citizen centred service
BC Identity Management Forum: Pilot 1, Connected Workforce
Access to each other's wireless LANs using a Managed Information Card
Microsoft is providing software so that we can issue Managed Information Cards from 5 organizations
Ping Identity is providing software for authenticating users with Managed Information Cards for WiFi access
Telus is hosting the wireless authenticator
[Diagram: Corporate AD acts as the Authoritative Party (AP); a Shared Authenticating Web Server is the Relying Party (RP); the Wireless LAN is configured to use the Authenticating Web Server and the APs; a visiting user selects a Corporate Managed Information Card; the parties connect over the Internet]
BC Identity Management Forum: Pilot 2, Connected Workforce
Access to a shared collaboration site using Managed Information Cards
Microsoft is providing software so that pilot users from 5 orgs can access a SharePoint 2007 collaboration site with Managed Information Cards
Telus is hosting the SharePoint site at their Calgary data centre.
[Diagram: Corporate AD acts as the Authoritative Party (AP); the SharePoint collaboration site web server is the Relying Party (RP); the user selects a Corporate Managed Information Card; the parties connect over the Internet]
BC Identity Management Forum: Pilot 3, BCeID Business Users
Issue Managed Information Cards to select business users.
CA is providing software to authenticate and authorize users based on claims in Managed Information Cards.
Microsoft software for Managed Information Cards for our business identity service www.bceid.ca
Access to SharePoint, Wireless, and a test web application.
[Diagram: https://www.bceid.ca as the Authoritative Party (AP), the BCeID Point of Service, and the Relying Party (RP); labelled flows: visits BCeID service counter, issues managed cards, verifies claims, sends managed card, accepts managed cards; the parties connect over the Internet]
Claims – a need for information standards
Personal identification claims
Minimal disclosure claims
Assurance level claims
Business identity claims
Claims about employees
Claims about professionals
Individuals are the authority for some claims about themselves
Questions?