Identity Live London 2017 | Kenneth May
Data Classification: Public – The information contained in this document is intended for public use.

What have I got and where is it?
Identity, Attributes and UMA for a Pensions Dashboard
Kenneth May, Lead Architect, Origo
October 2017
Why the Pensions Dashboard?
• 11 pension pots during an average career (DWP)
• Auto-enrolment: millions of new pension savers
• Very time-consuming to obtain pensions overview
• Lost pots, unclaimed pensions savings, dormant assets
• Complex landscape
• Freedom and choice: consumer expectation of control
• Consumer expectations rising given on-line experiences elsewhere
• Increasing longevity but decline of DB pensions in private sector makes better awareness of retirement preparation key
What have I got and where is it?
About Origo
• Origo is a not-for-profit FinTech company dedicated to the Financial Services industry
• Since 1989, Origo has been bringing the industry together to solve common operational problems that cannot be addressed in isolation
• We provide operating efficiencies, lowering costs for market participants and improving outcomes for consumers
• Collaboration is at the core of what we do
• We're owned by UK financial services groups and provide the essential services that the industry needs
Project Background
• Origo has contributed significant knowledge and resource to all Dashboard related collaborative projects:
  • R&D: Pension Register Service
  • OIX Pension Finder Alpha: Creating a Pensions Dashboard
  • HMT/ABI Pensions Dashboard Prototype Project
  • OIX Project: Digital ID for Pension Dashboards
  • Origo PFS Phase 2
Project Background – Origo and ForgeRock
• HMT/ABI Pensions Dashboard Prototype Project
• OIX Project: Digital ID for Pension Dashboards
• Origo PFS Phase 2
HMT/ABI Pensions Dashboard Prototype Project
HMT/ABI Prototype – Components
• Consumer: smart phone Dashboard native app; browser Dashboard site
• Pension Finder Service
• Integration Service Provider 1 .. n
• Pension Provider 1 .. n
• Digital Identity Provider(s)
9
HMT/ABI PrototypeIntegrations
Identity Hub
Identity Provider
Providers
Operated by IDEMIA(Safran / OT-Morpho)
Access ManagementGateway
Business Layer / API Led Connectivity
Pension Finder Service
ISPs
Data Classification: Public*
HMT/ABI Prototype: Video Demonstration
https://vimeo.com/211481791/07512a092a
OIX Project & White Paper: Digital ID for Pensions Dashboards
OIX: Digital ID for Pensions Dashboards – Hypothesis
“To test how digital identities, which have been certified against Government standards, can be used to release attributes from public and private sector sources. For this project we will be using pensions data where the user and their consent is at the heart of the process”
http://oixuk.org/blog/2017/06/25/digital-id-for-pensions-dashboard/
OIX: Digital ID for Pensions Dashboards – Drivers
• To access state pension, must be authenticated to LOA2 (as defined by UK Government)
  • This implies GOV.UK Verify (or private sector equivalent)
• Granular, revocable, time-bound consent driven access to state pension data
  • This aligns well with UMA
• Simple approach to finding private pension data
• Consistent approach to providing access to state and private pension data
  • This implies same UMA approach for private pensions
OIX: Digital ID for Pensions Dashboards – Positioning User Managed Access (UMA)
• UMA is a protocol based on OAuth2 open standards for consumer authorisation
• UMA 1.0 approved in 2015 - implementations are emerging
• Origo’s Pension Finder Service (PFS) is a good reference implementation using ForgeRock technology
• The standards fit well with EU General Data Protection Reforms, in particular the new “Transparency and Consent” requirements
• Consumers will be able to see information on where their data is being shared and control the consent processes
OIX: Digital ID for Pensions Dashboards – Introducing ‘Alice’
• small alice @ Provider: existing customer portal login (<LOA2), used at the PFS Provider/ISP Gateway (resource server)
• BIG ALICE @ Verify: LOA2, used for the Check Your State Pension API (via a DWP or HMRC API Gateway) behind the State Pension API Gateway (resource server)
• Pension Finder Service: authorisation server
OIX: Digital ID for Pensions Dashboards – UMA Scenario for PFS
1. For a consumer pensions dashboard (client), alice is requesting party and Alice* is resource owner (*Alice@LOA2)
2. For an adviser client management system, an IFA Bob is requesting party
3. Client: consumer pensions dashboard, adviser client management system (or any approved FinTech software)
4. Within an Attribute Exchange Hub (Pension Finder Service, PFS/AXH): controls access to resources and federated authorisation for resource servers. The question it answers: can I allow this requesting party at this client access to this resource?
5. ISP or Pension Provider registers resources for protection at the authorisation server. Unique ID used for accessing resource. Resource (data) is always held at the resource server (data controller).
17
• It is technically feasible to implement a private sector Verify Identity Hub that integrates with
existing GOV.UK Verify Identity Providers
• A target architecture has been defined with three key parts
• A draft profile for an open standard based on UMA has been developed that meets the DWP
indicative requirements for the release of State Pension data attributes
OIX: Digital ID for Pensions DashboardsOutcomes
Data Classification: Public*
OIX: Digital ID for Pensions Dashboards – Benefits for launch
• A DWP and GDS approved design for secure access to State Pension data
• Encourages adoption of private sector Verify at LOA2
  • LOA2 is stronger than most identities in private sector IT environments
  • Potential for Providers to retain existing ID&V investment and optimise user experience for security interactions with private sector Verify
• Potential for simplified legal and regulatory framework
• Aligns well with the new EU General Data Protection Regulation (GDPR)
  • Consumer can control and monitor who sees their data from a central console
• Uses open standards (UMA is based on OAuth2)
• No technical barriers, other than development effort, to FinTech sector adoption
Demonstration
Demonstration – Origo PFS Phase 2
• HMT/ABI project has proven the basic architectural integration points
• The OIX Project set the direction for target state architecture
• Origo has worked on key topics and design principles for a target architecture that we believe will be crucial to 2019 success:
  • Overall security architecture (aligning with OIX project outputs)
  • Governance features of the PFS
  • Performance design taking into account Privacy By Design
  • Consent processes
  • Systems Management APIs e.g. logging features
  • Design optimisation for scalability at PFS, Dashboards, ISPs and PPs
Demonstration – Origo PFS Phase 2
• Enhancing the Pension Finder Service to support Delegated Authority, an Attribute Exchange Hub (AXH) and further advanced features
Components in the demonstration:
• Consumer (resource owner Alice), Alice@LoA2
• Browser Dashboard Client: alice as requesting party
• Digital Identity Providers via private sector Identity Hub
• Origo AXH (incl PFS): Authorisation Server (AS-PFS), PFS Profiles, Find API
• Origo ISP resource server (RS-ISP1)
• Origo Data Aggregation for Pension Providers OR real-time integration
Flows: A. First time search or refresh; B. Subsequent direct request to resource
Demonstration – UMA Demonstration Scenario 1 – Consumer dashboard
1. Consumer uses Pensions Dashboard
2. Dashboard invokes Find at PFS
3. PFS requires identity assertion at LoA2
4. PFS orchestrates Finds across ISPs/PPs
5. Register resources at Authorisation Server
6. Return resource locations to Dashboard
7. Dashboard requests access to resources
8. Resources (pensions) returned to dashboard
9. Consumer controls access to resources for 3rd parties
Demonstration – UMA Demonstration Scenario 2 – Consumer shares access
1. Consumer decides to delegate access
2. Consumer selects Adviser
3. Consent stored at Authorisation Server
4. Consent policy sets access rights
5. Adviser receives notification of pension shared (URI)
6. Adviser Software stores the URI
7. Adviser can access pension
Demonstration – UMA Demonstration Scenario 3 – Access by Adviser
1. Adviser Software tries to access pension
2. The PFS requires Adviser is authenticated at Unipass
3. PFS seeks identity assertion from Unipass
4. Unipass assertion with Adviser attributes
5. Attributes & consent policy checked
6. Adviser Software is given token
7. Adviser Software uses token to access resource
8. Resource server checks token is valid with the PFS-AS
9. Resource (pension) is supplied to the Adviser Software
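The three demonstration scenarios above, together with the earlier "UMA Scenario for PFS" slide, describe one User Managed Access grant end to end: the resource server registers a resource at the authorisation server, a client without a token is turned away with a permission ticket, the requesting party's identity assertion is checked against the owner's consent policy, a token is issued, and the resource server validates that token with the authorisation server before releasing data. The Python simulation below is an added example written for this page; it is not Origo's PFS, ForgeRock's product code, or the DWP UMA profile. The server names AS-PFS and RS-ISP1 are taken from the slides, but the parties alice, bob and carol, the issuer labels "verify", "unipass" and "provider-portal", the "view" scope, the claim format and the pension record are constructed, and the LoA check is a simplification of what a real identity hub would assert.

```python
import secrets
import time

LOA2 = 2  # level of assurance the PFS demands before a resource owner may see her own data

class AuthorizationServer:
    """AS-PFS: registered resources, consent policies, permission tickets and RPTs."""
    def __init__(self, token_ttl_seconds=600):
        self.resources = {}  # resource_id -> {"owner": str, "scopes": set}
        self.policies = {}   # resource_id -> list of {"sub", "issuer", "scopes"}
        self.tickets = {}    # permission ticket -> (resource_id, scope)
        self.tokens = {}     # RPT -> {"resource_id", "scope", "sub", "exp"}
        self.ttl = token_ttl_seconds

    def register_resource(self, owner, scopes):
        rid = secrets.token_urlsafe(8)  # scenario step 5: the opaque id clients will use
        self.resources[rid] = {"owner": owner, "scopes": set(scopes)}
        return rid

    def set_policy(self, owner, rid, policy):
        if self.resources[rid]["owner"] != owner:  # scenario 2: only the owner consents
            raise PermissionError("only the resource owner may set policy")
        self.policies.setdefault(rid, []).append(policy)

    def revoke(self, owner, rid):
        """Revocable consent: drop the policies and every third-party RPT for this resource."""
        if self.resources[rid]["owner"] != owner:
            raise PermissionError("only the resource owner may revoke")
        self.policies[rid] = []
        self.tokens = {t: v for t, v in self.tokens.items()
                       if not (v["resource_id"] == rid and v["sub"] != owner)}

    def permission_ticket(self, rid, scope):
        ticket = secrets.token_urlsafe(8)  # handed to a client that has no usable RPT
        self.tickets[ticket] = (rid, scope)
        return ticket

    def issue_rpt(self, ticket, claims):
        """Scenario 3: attributes and consent policy are checked; an RPT is issued only on a match."""
        rid, scope = self.tickets.pop(ticket)  # single use
        is_owner = claims["sub"] == self.resources[rid]["owner"] and claims["loa"] >= LOA2
        consented = any(p["sub"] == claims["sub"] and p["issuer"] == claims["issuer"]
                        and scope in p["scopes"] for p in self.policies.get(rid, []))
        if not (is_owner or consented):
            return None
        rpt = secrets.token_urlsafe(16)
        self.tokens[rpt] = {"resource_id": rid, "scope": scope, "sub": claims["sub"],
                            "exp": time.time() + self.ttl}  # time-bound
        return rpt

    def introspect(self, rpt):
        """Scenario 3: the resource server checks the token is valid with the PFS-AS."""
        tok = self.tokens.get(rpt)
        if tok is None or tok["exp"] < time.time():
            return {"active": False}
        return {"active": True, **tok}

class ResourceServer:
    """RS-ISP1: the data controller; holds the pension record and enforces the RPT."""
    def __init__(self, auth_server):
        self.auth, self.store = auth_server, {}

    def protect(self, owner, pension):
        rid = self.auth.register_resource(owner, ["view"])
        self.store[rid] = pension
        return rid

    def get(self, rid, rpt=None):
        if rpt is not None:  # a valid RPT for this resource and scope releases the data
            info = self.auth.introspect(rpt)
            if info["active"] and info["resource_id"] == rid and info["scope"] == "view":
                return 200, self.store[rid]
        return 401, {"ticket": self.auth.permission_ticket(rid, "view")}  # otherwise: a ticket

def client_fetch(rs, rid, claims):
    """A dashboard or adviser software runs the grant end to end; returns (status, body, rpt)."""
    _, body = rs.get(rid)                            # first attempt yields only a ticket
    rpt = rs.auth.issue_rpt(body["ticket"], claims)  # present the identity assertion, ask for an RPT
    if rpt is None:
        return 403, None, None
    return (*rs.get(rid, rpt), rpt)                  # retry with the RPT

def run_scenarios():
    rs_isp1 = ResourceServer(AuthorizationServer())
    # Scenario 1: the Find has located Alice's pension and RS-ISP1 registers it (constructed record)
    rid = rs_isp1.protect("alice", {"provider": "Pension Provider 1", "value_gbp": 42000})
    # Scenario 2: Alice consents to her adviser Bob, identified by Unipass, seeing this pension
    rs_isp1.auth.set_policy("alice", rid, {"sub": "bob", "issuer": "unipass", "scopes": {"view"}})
    parties = {"big_alice": {"sub": "alice", "issuer": "verify", "loa": LOA2},           # Alice@LoA2
               "small_alice": {"sub": "alice", "issuer": "provider-portal", "loa": 1},  # portal login, <LOA2
               "bob": {"sub": "bob", "issuer": "unipass", "loa": 1},                    # the consented adviser
               "carol": {"sub": "carol", "issuer": "unipass", "loa": 1}}                # an adviser Alice never selected
    results = {who: client_fetch(rs_isp1, rid, claims) for who, claims in parties.items()}
    # Alice withdraws consent: Bob's existing RPT stops working and a fresh request is refused
    rs_isp1.auth.revoke("alice", rid)
    results["bob_old_rpt"] = rs_isp1.get(rid, results["bob"][2])
    results["bob_again"] = client_fetch(rs_isp1, rid, parties["bob"])
    return results
```

Calling run_scenarios() returns one outcome per party: big_alice and bob get 200 with the pension record, small_alice (her own data, but only a portal login below LoA2) and carol (no consent policy) get 403, and after revocation bob's old token fails introspection (401 with a fresh ticket) while a new request is refused. Three design points carry over to a real deployment: permission tickets are single use, the resource server introspects every token with the authorisation server rather than trusting the bearer, and revoking consent purges already-issued third-party tokens so the withdrawal takes effect immediately instead of at token expiry.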
Summary / Next steps
Summary – Pensions Dashboard – we’re ready for a 2019 launch…
• The prototype was successfully delivered in March. Origo’s Phase 2 completed in October.
• UMA Profile developed by DWP and refined via OIX workshops. Now implemented
• ABI managed Project Group has set out its recommendations
• Origo stands ready to deliver for a full launch and has worked with ForgeRock and other partners to show that:
  • The technology is no barrier!
  • The Conceptual Architecture is feasible – Origo’s PFS is already integrated with multiple Dashboards, Adviser Software Systems, Integration Services Providers and Pensions Providers
Summary – Working with ForgeRock and UMA
• Pensions Dashboard is a valuable case study. As a relatively early adopter…
  • Excellent support from ForgeRock
  • UMA hard to grasp initially but becomes easier
  • Hard to demonstrate technical aspects to a business audience
  • Building a clear case for investment takes care and time
  • OOTB Authorisation Server UI requires customisation for real-world use cases
  • ForgeRock Access Management has been great for supporting SSO federation
• Product suggestions
  • Consider 2 versions of OOTB Authorisation Server UI:
    • A ‘lite’ version that focuses only on sharing process would align better with POCs
    • The full version is for admins and of limited use to non-expert consumers
  • Comprehensive tooling to support development life cycle (e.g. purge of registered resources)
  • Customisations (e.g. end points for Identity Gateway as resource server) should be productionised
Thank you
For more information…
Kenneth May – [email protected]
0131 451 5181
www.origo.com