Raj asked the following:
"1. Government's Identity Assurance program accepted eight IdPs. I wonder whether all these eight IdPs have the same trust level? Or who will be responsible for defining the trust level for these IdPs? The reason I am asking this is that you mentioned that during the federation of IdPs, DWP may only accept IdP accounts from IdPs who are above a certain trust level.
"2. It is always better to have a federated IdP system, because users can store different identities in different IdPs. However, it is not clear: when a user approaches DWP, does DWP get the user's identities from all IdPs in plain-domain?"
So, to that first point: will all IdPs offer similar trust levels, and who determines those trust levels? Bear in mind that we are talking about risk-based assurance* here, rather than the somewhat less sophisticated 'gold standard of identity' associated with the likes of the abandoned National Identity Scheme. For any given transaction, a Service Provider (relying party) will define the Level of Assurance (LoA) they require for that transaction. The transaction is then referred to the Federation Hub, which will offer the user access to those IdPs which have been certified to deliver services at or above the LoA requested. The user selects their chosen IdP, and either authenticates using their existing credential (for registered users), or undergoes the registration process (for unregistered users - more to follow in another post). The user's authentication can then be referred back to the Service Provider via the Hub, and the user and Service Provider are free to transact at the required LoA.
Whilst for the DWP implementation it is likely that all IdPs will be able to deliver the relatively low LoA required to transact, as the ecosystem matures it would be reasonable to expect that some IdPs will be able to offer higher LoAs than others; for example, a social media logon is likely to have a lower LoA than a bank customer's credential backed by a face-to-face registration and a check of identity documents. That said, in this situation the bank might encourage users to register at a low LoA, and then to upgrade their LoA at a later stage by providing further registration information.
The trust levels for these IdPs are defined in the Cabinet Office Good Practice Guides (GPGs), which include:
- Good Practice Guide: Requirements for Secure Delivery of Online Public Services
- Good Practice Guide: Authentication Credentials in Support of HMG Online Services
- Good Practice Guide: Validating and Verifying the Identity of an Individual in Support of HMG Online Services
These documents are in flux, and the Levels of Assurance defined therein will change as the system is developed.
As for who actually oversees the interoperable trust, that will be the duty of the Trust Framework, which will guide the commercial, technical and legal interoperability of the selected IdPs, and is being prepared by the Open Identity Exchange working with Cabinet Office, DWP and the IdPs (more on that in another post).
To Raj's second question then: When a user approaches DWP, does DWP get users' identities from all IdPs in plain-domain? I take it that you're asking about the Hub service by which the user might select their IdP for a given transaction. As already explained, the Service Provider (in this case DWP) is not involved in the selection of IdPs, which is the job of the Federation Hub. The user may select whichever IdP they wish, so long as it can complete an authentication to the required LoA, and the user may have as many (or as few) IdP accounts as they wish; if I were to authenticate with Mydex on one transaction, I could return to DWP and use an Experian credential instead. DWP does not get to see which IdP has completed the authentication; it just receives assurance that the authentication was completed by an IdP it trusts.
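To make the Hub's role concrete, here is an added example (my own illustration, not code from the Cabinet Office, DWP or any IdP) modelling the flow described above: the Service Provider states a required LoA, the Hub offers only IdPs certified at or above it, and the assertion passed back to the Service Provider carries the LoA achieved but no IdP identifier. The IdP names, the numeric LoA scale and the distinction between an IdP's certified LoA and the LoA of the credential a given user actually registered at are all constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdP:
    """An identity provider and the highest LoA it is certified to deliver."""
    name: str
    certified_loa: int


# Constructed sample federation: names and levels are illustrative, not the real eight IdPs.
FEDERATION = (IdP("SocialLogin", 1), IdP("PostalProvider", 2), IdP("RetailBank", 3))


def eligible_idps(required_loa, federation=FEDERATION):
    """Hub step 1: offer the user only IdPs certified at or above the SP's required LoA."""
    return [idp for idp in federation if idp.certified_loa >= required_loa]


def hub_assertion(chosen, required_loa, achieved_loa, authenticated, federation=FEDERATION):
    """Hub step 2: validate the IdP's response and build the assertion the SP receives.

    achieved_loa is the LoA of the credential the user actually authenticated with;
    a bank customer registered at LoA 1 still gets 1 even though the bank is certified to 3.
    The returned dict deliberately carries no IdP identifier: the SP learns only that
    a trusted IdP did (or did not) meet the LoA it asked for.
    """
    if chosen not in federation:
        raise ValueError("IdP is not a member of the federation")
    if chosen.certified_loa < required_loa:
        raise ValueError("IdP is not certified for the requested LoA")
    if achieved_loa > chosen.certified_loa:
        raise ValueError("IdP asserted an LoA above its certification")
    if not authenticated or achieved_loa < required_loa:
        return {"assured": False, "loa": None}
    return {"assured": True, "loa": achieved_loa}


def transact(required_loa, user_choice, idp_response):
    """End-to-end flow: SP states the LoA, Hub filters IdPs, user picks one, Hub relays assurance.

    user_choice is an index into the list the Hub offered; idp_response is
    (authenticated, achieved_loa) as returned by the chosen IdP.
    """
    offered = eligible_idps(required_loa)
    chosen = offered[user_choice]
    authenticated, achieved_loa = idp_response
    return hub_assertion(chosen, required_loa, achieved_loa, authenticated)
```

The second check in `hub_assertion` is the "upgrade" case from above: a user registered at a low LoA with a highly certified IdP is still refused a higher-LoA transaction until they complete further registration.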
For the next post, I'll look at the commercial model by which IdPs get paid, and the importance of branding.
* If a given use case only requires a low level of assurance, then the Service Provider should only request a low proof of ID. For example, if my bins haven't been emptied for three weeks then I shouldn't have to provide a credential derived from a passport and two utility bills just to ask them when they're going to collect.
[Please note these views are my own, and are based upon information available to me at the time of writing, and do not necessarily reflect the latest thinking in Cabinet Office or DWP]