A User Centric and Claims Based Architecture for British Columbia

Description: A User Centric and Claims Based Architecture for British Columbia. Ian Bailey, Director Application Architecture, Office of CIO, Province of BC. PowerPoint presentation.

Ian Bailey, Director Application Architecture, Office of CIO, Province of BC

A User Centric and Claims Based Architecture for British Columbia

Agenda

Background on BC & Use Cases

Connected Workforce

Citizen Centred Service

Authoritative Parties & Claims

IDM Architecture Project

IDM Pilots

Claims and Standards

Questions


Province of British Columbia

Westernmost province in Canada

4.4 Million Citizens

400,000 Businesses

2 Million workers

400,000 people participate in the delivery of public services

Two general use cases

Connected Workforce: many public and private sector organizations, using different vendor products, sharing information for better outcomes.

Citizen Centred Service: providing electronic services to citizens, with privacy, safety and ease of use.

Connected Workforce: a 400,000-member workforce

Approximately 500 public sector organizations

Government ministries, agencies & boards

Health authorities and hospitals

School districts, universities, colleges

Municipalities, regional districts

Crown Corporations

Thousands of licensed professionals

Tens of thousands of contracted service providers

Connected Workforce: “Information Sharing for better outcomes”

Workforce should be able to get access to the information they need to do their job.

An identity management ecosystem is key to ensuring the right person has access to the right information, at the right time, and for the right purpose.

Connected Workforce: 400,000 Businesses

They may have their own sophisticated IT infrastructure and already use a username & password or smart card at their workplace

Or they may need a common Identity provider service

BCeID is our identity service

[Chart: number of businesses plotted against size of business. Larger businesses federate their own identity providers; the long tail of small businesses uses the common identity provider, BCeID.]

Citizen Centred Service: 4 million citizens

A common Identity provider service for public services in any sector

BCeID is our service

Desire for additional features:

Privacy protection and minimal disclosure

Internet safety

Authoritative Parties and Claims

Government is an authority for personal identification claims

Government is an authority for business identity claims

Organizations are an authority for claims about their employees

Professional bodies are an authority for claims about their members

Individuals are the authority for some claims about themselves

BC Identity Management Forum, Spring 2006

In April 2006 we brought together the largest BC public sector organizations and our major IT suppliers

Invited them to work towards a solution that:

Protects privacy & security

Leverages authoritative sources for identity information (claims)

Scales to connect our workforce and the public

BC Identity Management Forum, Fall 2006

Engaged public sector CIOs and architects

Contracted with Bell, CA, Deloitte, IBM, Microsoft, Nortel, Novell, Oracle, Siemens, Sun Microsystems, Sxip, and Telus

Sxip Identity to coordinate and manage forum

Develop an architecture for the two use cases

BC Identity Management Forum: Requirements Document

Contents:

An agreed lexicon of terms

34 general requirements

Privacy best practices

Security gradient

Authoritative sources of identity claims

Loose coupling for scaling

http://www.cio.gov.bc.ca/idm/idm_forum/

BC Identity Management Forum: Architecture Document, July 2007

Contents:

Background/methodology/principles

Core architecture interactions

Additional use case interactions

Standards and architecture recommendations

http://www.cio.gov.bc.ca/idm/idm_forum/

Core Architecture

Authoritative Party (AP): authorities recognized to make claims.

Relying Party (RP): requests and accepts claims to satisfy local policy.

Identity Agent (IA): facilitates and controls the distribution of claims for a principal.

[Diagram: the AP and the RP each sit under a Root Authorities/Trust Model, apply their own Local Policy, and keep an Audit log; the IA mediates the flow of claims between them on behalf of the principal.]
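To make the AP/RP/IA interaction concrete, here is an added example in Python; it is not code from the BC IDM Forum or its architecture document. It uses an HMAC-signed JSON token as a simplified stand-in for the security tokens that Information Cards carry, and the key material, claim names, policy values and the `wifi.example` audience are all constructed for the example. The Identity Agent releases only the claims the RP's policy asks for (minimal disclosure), the RP checks the issuer against its trust model and the claims against its local policy and security gradient, and every decision, accept or deny, goes to the audit log.

```python
"""Added example of the claims exchange between an Authoritative Party (AP),
an Identity Agent (IA) and a Relying Party (RP).  Not code from the BC IDM
Forum: the HMAC-signed JSON token is an assumed stand-in for the security
tokens Information Cards carry, and all keys, names and policy values are
constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Trust model (constructed): the key each AP signs with.  In practice the RP
# would hold only the APs' public verification keys; a shared secret is used
# here to keep the example dependency-free.
AP_KEYS = {
    "bceid.ca": b"assumed-bceid-signing-key",
    "corp.example": b"assumed-corp-signing-key",
}
TRUSTED_AP_KEYS = dict(AP_KEYS)  # the RP's copy of its root authorities

# The RP's local policy (constructed values).
RP_POLICY = {
    "audience": "wifi.example",
    "accepted_issuers": {"bceid.ca", "corp.example"},
    "required_claims": {"employee_id", "organization"},
    "min_assurance_level": 2,
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ap_issue_token(issuer, key, claims, audience, ttl=300, now=None):
    """AP: sign a claim set bound to one RP (audience) with a short lifetime."""
    now = int(time.time()) if now is None else now
    body = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl,
            "claims": claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def ia_request_token(policy, card, issue):
    """IA: check that the card can satisfy the RP policy, then have the AP sign
    only the claims the policy asks for (minimal disclosure)."""
    if card["issuer"] not in policy["accepted_issuers"]:
        raise ValueError("RP does not accept this card's issuer")
    missing = policy["required_claims"] - set(card["claims"])
    if missing:
        raise ValueError("card lacks required claims: " + ", ".join(sorted(missing)))
    released = {k: card["claims"][k] for k in policy["required_claims"]}
    # The assurance level is always released so the RP can apply its gradient.
    released["assurance_level"] = card["claims"].get("assurance_level", 1)
    return issue(card["issuer"], released, policy["audience"])


def rp_verify(token, policy, trusted_keys, audit_log, now=None):
    """RP: verify the token against the trust model, then apply local policy.
    Returns the accepted claims, or None; every decision is audit-logged."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        body = json.loads(payload)
        key = trusted_keys.get(body["iss"])
        if key is None:
            raise ValueError("untrusted issuer " + str(body["iss"]))
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            raise ValueError("bad signature")
        if body["aud"] != policy["audience"]:
            raise ValueError("token issued for another relying party")
        if not body["iat"] <= now < body["exp"]:
            raise ValueError("token expired or not yet valid")
        claims = body["claims"]
        missing = policy["required_claims"] - set(claims)
        if missing:
            raise ValueError("missing claims: " + ", ".join(sorted(missing)))
        if claims.get("assurance_level", 0) < policy["min_assurance_level"]:
            raise ValueError("assurance level below local policy")
    except (ValueError, KeyError) as exc:
        audit_log.append({"time": now, "result": "deny", "reason": str(exc)})
        return None
    audit_log.append({"time": now, "result": "accept", "issuer": body["iss"],
                      "claims": claims})
    return claims


def demo(now=1_700_000_000):
    """Run one successful exchange plus three failure cases; returns results."""
    audit = []
    issue = lambda iss, claims, aud: ap_issue_token(iss, AP_KEYS[iss], claims, aud, now=now)
    # Constructed managed card: the corporate AP vouches for these claims.
    card = {"issuer": "corp.example", "claims": {
        "employee_id": "E1234", "organization": "Corp Example",
        "email": "e1234@corp.example", "assurance_level": 2}}
    token = ia_request_token(RP_POLICY, card, issue)
    accepted = rp_verify(token, RP_POLICY, TRUSTED_AP_KEYS, audit, now=now)
    # Tampered signature.
    tampered = token.split(".")[0] + "." + _b64(b"\x00" * 32)
    tampered_result = rp_verify(tampered, RP_POLICY, TRUSTED_AP_KEYS, audit, now=now)
    # Replay after expiry.
    expired_result = rp_verify(token, RP_POLICY, TRUSTED_AP_KEYS, audit, now=now + 600)
    # Card whose assurance level is below the RP's gradient.
    low_card = {"issuer": "bceid.ca", "claims": dict(card["claims"], assurance_level=1)}
    low_result = rp_verify(ia_request_token(RP_POLICY, low_card, issue),
                           RP_POLICY, TRUSTED_AP_KEYS, audit, now=now)
    return {"accepted": accepted, "tampered": tampered_result,
            "expired": expired_result, "low_assurance": low_result, "audit": audit}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

Note that the RP never sees the `email` claim on the card: the IA releases only what the policy requires, which is the minimal-disclosure property the forum's requirements document asks for. The pilots below follow the same three steps with Corporate AD or BCeID as the AP, the Identity Agent holding the Managed Information Card, and the wireless authenticator or SharePoint site as the RP.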

BC Identity Management Forum

Test/pilot the two main use cases, connected workforce and citizen centred service, using Information Cards

BC Identity Management Forum, Pilot 1: Connected Workforce

Access to each other’s wireless LANs using a Managed Information Card

Microsoft is providing software so that we can issue Managed Information Cards from 5 organizations

Ping Identity is providing software for authenticating users with Managed Information Cards for WiFi access

Telus is hosting the wireless authenticator

[Diagram: each organization’s Corporate AD acts as the Authoritative Party (AP); a shared Authenticating Web Server acts as the Relying Party (RP); the wireless LAN is configured to use the Authenticating Web Server and the APs; over the Internet, the visiting user selects their corporate Managed Information Card.]

BC Identity Management Forum, Pilot 2: Connected Workforce

Access to a shared collaboration site using Managed Information Cards

Microsoft is providing software so that pilot users from 5 organizations can access a SharePoint 2007 collaboration site with Managed Information Cards

Telus is hosting the SharePoint site at their Calgary data centre.

[Diagram: Corporate AD acts as the Authoritative Party (AP); the SharePoint collaboration site web server acts as the Relying Party (RP); over the Internet, the user selects their corporate Managed Information Card.]

BC Identity Management Forum, Pilot 3: BCeID Business users

Issue Managed Information Cards to select business users.

CA is providing software to authenticate and authorize users based on claims in Managed Information Cards.

Microsoft software for Managed Information Cards for our business identity service, www.bceid.ca

Access to SharePoint, wireless, and a test web application.

[Diagram: https://www.bceid.ca acts as the Authoritative Party (AP), issuing managed cards and verifying claims; the user visits a BCeID point of service counter to be issued a card; the Relying Party (RP) accepts managed cards; over the Internet, the user sends the managed card to the RP.]

Claims – a need for information standards

Personal identification claims

Minimal disclosure claims

Assurance level claims

Business identity claims

Claims about employees

Claims about professionals

Individuals are the authority for some claims about themselves

Questions?
