Identity Live London 2017 | Kenneth May

{{{

*Data Classification: Public – The information contained

in this document is intended for public use.

What have I got and where is it?

Identity, Attributes and UMA for a Pensions Dashboard

Kenneth May, Lead Architect, Origo

October 2017

Data Classification: Public*

2

Why the Pensions Dashboard?• 11 pension pots during an average career (DWP)

• Auto-enrolment: millions of new pension savers

• Very time-consuming to obtain pensions overview

• Lost pots, unclaimed pensions savings, dormant assets

• Complex landscape

• Freedom and choice: consumer expectation of control

• Consumer expectations rising given on-line experiences elsewhere

• Increasing longevity but decline of DB pensions in private sector makes better awareness of

retirement preparation key


3

What have I got and where is it?


4

About Origo

• Origo is a not-for-profit FinTech company dedicated to the Financial Services

industry

• Since 1989, Origo has been bringing the industry together to solve common

operational problems that cannot be addressed in isolation

• We provide operating efficiencies, lowering costs for market participants and

improving outcomes for consumers

• Collaboration is at the core of what we do

• We're owned by UK financial services groups and provide the essential services

that the industry needs


5

R&DPension Register

Service

OIX Pension Finder Alpha

Creating a Pensions

Dashboard

HMT/ABI Pensions Dashboard

Prototype Project

OIX Project

Digital ID for Pension

Dashboards

Origo PFS Phase 2

Project Background• Origo has contributed significant knowledge and

resource to all Dashboard related collaborative

projects


6


Prototype Project

OIX Project

Digital ID for Pension

Dashboards

Origo PFS Phase 2

Project BackgroundOrigo and ForgeRock

{{{




7

Prototype Project


8

HMT/ABI PrototypeComponents

Consumer

Smart phone Dashboard Native App

Browser Dashboard site

Pension Finder Service

Integration Service Provider ..n

Pension Provider 1 Pension Provider 2 Pension Provider 3 Pension Provider 4 Pension Provider 5 Pension Provider n……..

Integration Service Provider 1

Digital Identity Provider(s)


9

HMT/ABI PrototypeIntegrations

Identity Hub

Identity Provider

Providers

Operated by IDEMIA(Safran / OT-Morpho)

Access ManagementGateway

Business Layer / API Led Connectivity


ISPs


10

HMT/ABI Prototype: Video Demonstration

10 https://vimeo.com/211481791/07512a092a

https://vimeo.com/211481791/07512a092a

{{{



OIX Project & White Paper

11

Digital ID for Pensions Dashboards


12

OIX: Digital ID for Pensions DashboardsHypothesis

“To test how digital identities, which have

been certified against Government

standards, can be used to release attributes

from public and private sector sources. For

this project we will be using pensions data

where the user and their consent is at the

heart of the process”

http://oixuk.org/blog/2017/06/25/digital-id-for-pensions-dashboard/

http://oixuk.org/blog/2017/06/25/digital-id-for-pensions-dashboard/


13

• To access state pension, must be authenticated to LOA2 (as defined by UK Government)

• This implies GOV.UK Verify (or private sector equivalent)

• Granular, revocable, time-bound consent driven access to state pension data

• This aligns well with UMA

• Simple approach to finding private pension data

• Consistent approach to providing access to state and private pension data

• This implies same UMA approach for private pensions

OIX: Digital ID for Pensions DashboardsDrivers


14

• UMA is a protocol based on OAuth2 open standards for consumer authorisation

• UMA 1.0 approved in 2015 - implementations are emerging

• Origo’s Pension Finder Service (PFS) is a good reference implementation using ForgeRock technology

• The standards fit well with EU General Data Protection Reforms, in particular the new

“Transparency and Consent” requirements

• Consumers will be able to see information on where their data is being shared and control the

consent processes

OIX: Digital ID for Pensions DashboardsPositioning User Managed Access (UMA)


15

OIX: Digital ID for Pensions DashboardsIntroducing ‘Alice’

PFS Provider/ISP Gateway


small alice @ Provider:existing customer portal login (<LOA2)

AuthorisationServer

Resource Server

State Pension API Gateway

BIG ALICE @ Verify: (LOA2)

CHECK YOUR STATE PENSION API (via a DWP or HMRC API Gateway )

Resource Server


OIX: Digital ID for Pensions DashboardsUMA Scenario for PFS

3. Consumer pensions dashboard, adviser client management system (or any approved FinTechsoftware)

1. For a consumer pensions dashboard (client), alice is requesting party and Alice* is resource owner

*Alice@LOA2

16

2. For an adviser client management system, an IFABob is requesting party

5. ISP or Pension Providerregisters resources for protection at the authorisation server.

Unique ID used for accessing resource. Resource (data) is always held at the resource server (data controller).

4. Within an Attribute Exchange Hub (Pension Finder Service) – controls access to resources and federated authorisation for resource servers

Can I allow this requesting party at this client access to this resource?

PFS/AXH


17

• It is technically feasible to implement a private sector Verify Identity Hub that integrates with

existing GOV.UK Verify Identity Providers

• A target architecture has been defined with three key parts

• A draft profile for an open standard based on UMA has been developed that meets the DWP

indicative requirements for the release of State Pension data attributes

OIX: Digital ID for Pensions DashboardsOutcomes


18

OIX: Digital ID for Pensions DashboardsBenefits for launch

• A DWP and GDS approved design for secure access to State Pension data• Encourages adoption of private sector Verify at LOA2

• LOA2 is stronger than most identities in private sector IT environments

• Potential for Providers to retain existing ID&V investment and optimise user experience for security

interactions with private sector Verify

• Potential for simplified legal and regulatory framework• Aligns well with the new EU General Data Protection Regulation (GDPR)

• Consumer can control and monitor who sees their data from a central console

• Uses open standards (UMA is based on OAuth2) • No technical barriers, other than development effort, to FinTech sector adoption

{{{



Demonstration

19


20

DemonstrationOrigo PFS Phase 2

• HMT/ABI project has proven the basic architectural integration points

• The OIX Project set the direction for target state architecture

• Origo has worked on key topics and design principles for a target architecture that we believe will be

crucial to 2019 success

• Overall security architecture (aligning with OIX project outputs)

• Governance features of the PFS

• Performance design taking into account Privacy By Design

• Consent processes

• Systems Management APIs e.g. logging features

• Design optimisation for scalability at PFS, Dashboards, ISPs and PPs


21

• Enhancing the Pension Finder Service to

support Delegated Authority, an Attribute

Exchange Hub (AXH) and further advanced

features

DemonstrationOrigo PFS Phase 2 Consumer

(resource owner Alice)

Browser Dashboard Client: alice as requesting party Digital Identity

Providers via private sector Identity Hub

Origo AXH (incl PFS)

Origo ISPresource server

RS-ISP1

AuthorisationServer

(AS-PFS)

Origo Data Aggregation for Pension Providers OR real-time integration

Alice@LoA2

PFS Profiles

Find API

A. First time search or refresh

B. Subsequent direct request to resource


Consumer uses

Pensions Dashboard

Dashboard invokes Find

at PFS

PFS requires identity

assertion at LoA2

PFS Orchestrates Finds across

ISPs/PPs

Register resources at

AuthorisationServer

Return resource

locations to Dashboard

Dashboard requests access to resources

Resources (pensions)

returned to dashboard

Consumer controls access to

resources for 3rd parties

DemonstrationUMA Demonstration Scenario 1 – Consumer dashboard

22


DemonstrationUMA Demonstration Scenario 2 – Consumer shares access

Consumer decides to delegate access

Consumer selects Adviser

Consentstored at

AuthorisationServer

Consent policy sets

access rights

Adviser receives

notification of pension

shared (URI)

AdviserSoftware stores

the URI

Adviser can access

pension

23


DemonstrationUMA Demonstration Scenario 3 – Access by Adviser

Adviser Software tries to access

pension

The PFS requires

Adviser is authenticated

at Unipass

PFS seeks identity

assertion from Unipass

Unipassassertion

with Adviser attributes

Attributes & consent policy

checked

Adviser Software is given token

Adviser Software

uses token to access resource

Resource server

checks token is valid with the PFS-AS

Resource (pension) is supplied to the Adviser

Software

24

{{{



Summary / Next steps

25


26

SummaryPensions Dashboard – we’re ready for a 2019 launch…• The prototype was successfully delivered in March. Origo’s Phase 2 completed in

October.

• UMA Profile developed by DWP and refined via OIX workshops. Now implemented

• ABI managed Project Group has set out its recommendations

• Origo stands ready to deliver for a full launch and has worked with ForgeRock and

other partners to show that:

• The technology is no barrier!

• The Conceptual Architecture is feasible – Origo’s PFS is already integrated with multiple Dashboards,

Adviser Software Systems, Integration Services Providers and Pensions Providers


27

SummaryWorking with ForgeRock and UMA

• Pensions Dashboard is a valuable case study. As a relatively early adopter…• Excellent support from ForgeRock

• UMA hard to grasp initially but becomes easier

• Hard to demonstrate technical aspects to a business audience

• building a clear case for investment takes care and time

• OOTB Authorisation Server UI requires customisation for real-world use cases

• ForgeRock Access Management has been great for supporting SSO federation

• Product suggestions • Consider 2 versions of OOTB Authorisation Server UI:

• A ‘lite’ version that focuses only on sharing process would align better with POCs

• The full version is for admins and of limited use to non-expert consumers

• Comprehensive tooling to support development life cycle (e.g. purge of registered resources)

• Customisations (e.g. end points for Identity Gateway as resource server) should be

productionised

{{{



Thank you

For more information…

Kenneth May – [email protected]

28

0131 451 5181

www.origo.com

{{{



Thank you

For more information…

Kenneth May – [email protected]

29

0131 451 5181

www.origo.com

Identity Live London 2017 | Kenneth May

Technology

Transcript of Identity Live London 2017 | Kenneth May