Global & National Identity Projects Failures and Successes (Guy Huntington)
- Large identity projects often fail due to poor requirements gathering, underestimating political and process challenges, and not addressing how changes may threaten existing revenue and control.
- To succeed, a program needs thorough requirements, separate but integrated projects, governance addressing politics, and an experienced blended team to build local expertise over time while delivering early wins.
- Programs should start small and underpromise to build support before pursuing ambitious goals.
Reviews current government challenges in receiving and making citizen payments
Presents a way for governments to make more money every day by leveraging citizen identity and the phone
Developing Countries National ICT Identity Governance Strategy (Guy Huntington)
Reviews the governance components required to successfully implement and maintain an e-government strategy:
* Identity data governance
* Identity infrastructure governance
* Laws and regulations governance
National Identity ICT Defence and Intelligence Strategy (Guy Huntington)
Examines:
* The significant risk of governments being held to ransom by malware attacks on their national ICT infrastructure
* Lays out high-level requirements for:
- Privacy
- Malware and denial of service attack defence
- High availability
This presentation covers the following challenges:
* Most African governments struggle with people illegally immigrating and then masquerading as citizens
* Voting irregularities
* People pretending to be students when they are not
* Dead citizens' identities being used to access social programs
* Governments finding that identity data is effectively siloed across many different ministry databases, and having problems with fake identity cards being used
Presents an integrated framework that not only addresses these problems but can also be used for education, health and citizen payments
Lays out the effects of a national identity for a citizen’s lifecycle events including:
* Birth
* Vaccinations
* First day of school
* Health treatment
* Getting driver’s license and passports
* Changing name and gender
* Paying for government services, taxes and fines
* i-Voting
* Moving within the country
* Claiming for social services
* Death
* Lays out the existing healthcare delivery problems many developing countries have
* Presents a high-level framework for an ICT health care strategy leveraging identity
National ICT & Education Strategy, July 2016 (Guy Huntington)
Presents the author’s own experience and efforts to change the Canadian education system
Warns countries against simply adding cost to their existing education and ICT budgets by adding technology, if they do not learn from the past mistakes other countries have made
Presents a high level framework for an education strategy leveraging identity and ICT
National identity strategy presentation, May 10, 2016 (Guy Huntington)
Based on my recent activities in Africa, I have updated my proposed national citizen digital identity strategy to include:
* Benchmark it against Estonia
* Include an overview of the number of different RFPs required and show how they can be combined with local and off-shore suppliers
* Compare against what the World Bank's ID4D study recommends
Presentation on eGovernance and Open Governance products launched/under development in Moldova, in the context of building e-Democracy. 6th Internet Governance Forum, Kyiv, Ukraine, September 30, 2015
The document discusses ICT priorities and eGovernment research objectives in Bosnia and Herzegovina. It identifies the top ICT research fields and priorities for 2007-2013, including ICTs for government and eGovernment. It outlines three key eGovernment research objectives: electronic documentation and authentication, modernization of public administration via efficiency and transparency, and innovative ICTs for citizen involvement and access to services. The document also discusses challenges around institutionalization, infrastructure, electronic ID, and the need to reengineer public administration to fully realize the benefits of eGovernment.
This document provides an overview of a proposed loyalty card and authentication platform called LocPoi. The platform would use physical point of sale access points and customer cards to enable a secure authentication method between individuals and retailers. It analyzes the growth of e-commerce and issues with internet security. It then describes how the proposed loyalty program would work, including customer sign-up, a retailer management platform, and modules. Diagrams show the interfaces and management platform. Potential markets like medical, community rewards, and staff networking are identified. The development strategy and potential partners are outlined. Next steps are to confirm the proposed team and move forward.
Jan 2017 Submission to AG Re: Metadata use in civil proceedings (Timothy Holborn)
The document discusses challenges around privacy and data protection in the modern era of rapid technological change. It notes that key concepts like "data", "metadata", and "artificial intelligence" are not clearly defined in the 1979 Telecommunications Act and recommends updating the Act to address today's data-driven society. The document advocates for a decentralized, rights-based approach to "data democratization" to ensure data policies support societal advancement while protecting citizens' privacy and dignity.
Feb 2018 - Sub22 - The impact of new and emerging information and communicati... (Timothy Holborn)
This document provides input to the Parliamentary Joint Committee on Law Enforcement regarding the impact of new information and communications technologies. It discusses issues with current law enforcement systems and platforms, and opportunities to incorporate web technologies to improve performance. Specifically, it argues that adopting machine-readable digital records and identity systems using cryptography and linked data could help address problems in areas like financial crimes, family law, and mental health responses. This would better equip law enforcement while promoting accountability and access to justice.
Feb 2020 - Senate Submission Financial Technology and Regulatory Technology (Timothy Holborn)
This document provides a submission to the Senate regarding financial technology and regulatory technology (FinTech and RegTech). It discusses the development of an "information bank" concept over 20 years to create a knowledge banking ecosystem built on open standards and a decentralized infrastructure. The submission argues this approach could provide an alternative that supports human agency, improves productivity, and addresses issues around surveillance, exploitation of knowledge workers, and challenges to liberal democracies from new technologies. It calls for governmental support to build new socio-economic cyber infrastructure through an international cooperative project.
Some simplified slides I developed to use in briefings and discussions about “data sharing” and the “data sharing” provisions in the Digital Economy Bill (now Digital Economy Act)
The document provides an overview of the Liberal Arts Association, which aims to build and support a digital "knowledge banking" platform. It discusses:
- The history of the concept starting in 2000, including early attempts to develop similar ideas and projects around content distribution and intellectual property protection.
- Previous projects by the author around 2000-2003 to develop digital content distribution systems, including one called "Basedrive" which was an early concept of cloud computing. These projects helped establish ideas and collaborations but did not succeed commercially.
- Ongoing challenges with protecting intellectual property, developing viable business models around digital content, and securing funding to progress ideas into practical systems and address issues like patenting.
Enhancing good governance and economic freedom of the Arab countries in the digital era
Prof. Andrzej Kondratowicz SWPS University and American Studies Center, University of Warsaw, Poland
Economic Freedom of the Arab World Conference, Amman, November 18-19, 2014
Legal Considerations of Digital Document Storage and E-Signature, Authority f... (ImageSoft)
This document discusses the legal considerations and security aspects of using electronic signatures and digital document storage in courts. It begins by outlining the cost savings and efficiencies that can come from transitioning to paper-on-demand systems and e-signatures. It then examines the legal foundation for e-signatures in international law, US federal law, and state laws like Oregon and Michigan. The document explores how to establish a robust legal framework and discusses characteristics that make records authentic, reliable, and usable over the long term. It also analyzes signature security technologies and processes. In conclusion, the presenter argues that e-signatures are legal, safe, and proven based on examples of courts currently using them.
This document discusses the concept of "knowledge banking" and establishing digital identity as a cornerstone service. It proposes a knowledge banking platform that would use semantic web technologies to provide accounts for storing and transacting intellectual capital. These accounts would mirror traditional banking by allowing storage, transactions, and other services for knowledge capital in a permissions-based system. The goal is to recognize and provide economic value for individuals' contributions online in the form of "knowledge capital" and establish a new framework for digital economies that links rather than duplicates data.
Building government e-services in Estonia (Andres Kütt)
This document provides an overview of building e-government services in Estonia. It discusses the foundations of Estonia's e-government, including establishing trust between parties, requiring ubiquitous electronic identification, and allowing flexibility for change. It also describes Estonia's e-government architecture, including its use of electronic identity, delivery channels, integration platform, and infrastructure. Additionally, it addresses organizational infrastructure and governance for e-services, as well as information security concerns. Finally, it discusses understanding the ecosystem of stakeholders involved and how to join that ecosystem when developing new services.
The Internet of Things is an emerging topic of technical, social, and economic significance. Consumer products, durable goods, cars and trucks, industrial and utility components, sensors, and other everyday objects are being combined with Internet connectivity and powerful data analytic capabilities that promise to transform the way we work, live, and play. Projections for the impact of IoT on the Internet and economy are impressive, with some anticipating as many as 100 billion connected IoT devices and a global economic impact of more than $11 trillion by 2025.
Architecting a country: how Estonia built its e-government success (Andres Kütt)
This document discusses architecting a country's e-government systems and presents Estonia's approach. It introduces fundamental concepts for technical architectures and provides background on Estonia. The document proposes a meta-architecture framework with layers for electronic identity, delivery channels, integration, and infrastructure. Questions are posed for each layer to guide technical decisions. The framework is then applied to describe Estonia's technical architecture, focusing on its distributed but interconnected layers built around electronic IDs, web and mobile delivery, a service bus for integration, and consolidated but dispersed infrastructure.
UK Government identity initiatives since the late 1990s - IDnext 2015 (Jerry Fishenden)
My presentation from IDnext 2015, the European Digital Identity Event. "UK government identity initiatives past, present, future: policy and technology perspectives"
Trust Factory is developing standards-based security technologies using linked data and open credentials to help individuals and organizations securely manage and share their digital records and data on the web. This includes enabling creators to assert rights over their data, describing data using ontologies to improve usability, and providing private and efficient access to verified information through user-defined sharing terms and permissions. The goal is to empower data owners to control how their data is used while supporting effective data storage, accessibility, and applications through open standards and decentralized technologies.
This document discusses the concept of an "inforg", which is defined as an informationally embodied organism or entity made up of information that exists in the infosphere. An infosphere refers to an environment populated by informational entities. The document suggests that an inforg can help individuals store and manage verifiable claims about themselves, their data, possessions, relationships, and identity. It poses questions about how a regulated knowledge banking industry could be established to ensure individuals maintain control and ownership over their own inforgs through independent information management systems. The goal would be to define how inforgs are stored, maintained, and used in a way that supports individuals' privacy, security, and participation in civic processes through defined knowledge fiduc
• Who we are: about the Data Exchange Agency, our activities and responsibilities.
• Briefly about cyber activities in Georgia: legislation, strategies and actions.
• DEA security and e-government projects.
• Information security activities.
By Irakli Lomidze
Identity Summit 2015: Connect.gov and Identity Management Systems (ForgeRock)
This session will concentrate on the Connect.gov cloud service, a federated identity effort being led by the United States Postal Service (USPS) and the benefits of this program to the federal agencies and to Identity Providers. We will discuss the technology behind Connect.gov service, and how the NSTIC guidelines and requirements were met by it.
In addition, we will cover how demands for pre-integration with popular identity and access management (IAM) platforms were met, addressing the U.S. Federal Identity, Credential and Access Management program (FICAM) requirements. In particular, the use case where ForgeRock IAM platform was integrated with Connect.Gov for managing user access to online government services will be described.
Public Sector Profile of the Pan-Canadian Trust Framework (Tim Bouma)
The document discusses Canada's Pan-Canadian Trust Framework (PCTF) for enabling self-sovereign identity. The PCTF supports acceptance and recognition of digital identities and relationships. It is technology agnostic and encourages innovation. Key aspects of the PCTF include the normative core, mutual recognition process, supporting infrastructure, and defining roles and information flows. The PCTF model consists of several components and recognizes identity domains and digital representations. It also defines atomic processes that can be independently assessed and certified. The PCTF is being adopted incrementally in Canada and aims to facilitate transition to self-sovereign identity standards.
The Pan-Canadian Trust Framework (PCTF) for SSI (SSIMeetup)
https://ssimeetup.org/pan-canadian-trust-framework-pctf-ssi-tim-bouma-webinar-59/
We are very proud to release a special webinar to introduce the next chapter of the “Self-Sovereign Identity Book” from two of the most eminent authorities on digital identity in government: Tim Bouma and Dave Roberts, senior public servants with the Government of Canada and major contributors to the Pan-Canadian Trust Framework (PCTF).
In this chapter, Tim and Dave explain the PCTF model and how it maps to the SSI model and the Trust over IP (ToIP) stack.
This webinar describes how a world leader in digital identity (which Canada has been for two decades) sees the opportunity in the new decentralized identity model represented by SSI (Self-Sovereign Identity).
apidays LIVE Hong Kong 2021 - Enterprise Integration Patterns for OpenAPI Ini... (apidays)
apidays LIVE Hong Kong 2021 - API Ecosystem & Data Interchange
August 25 & 26, 2021
Enterprise Integration Patterns for OpenAPI Initiatives
Hieu Nguyen Nhu, Cloud Native Senior Technical Specialist at Microsoft
This document provides an introduction to APIs and microservices. It discusses how digital transformation is forcing businesses to change how they operate and engage with customers. Microservices break applications into small, independent services that work together. APIs act as the public interface of microservices. Well-designed microservices and APIs can help businesses achieve greater agility, faster delivery, and ability to manage complexity at scale.
This document outlines challenges and a proposed architecture for connecting government systems across central, state and local levels. It discusses problems with current paper-based and siloed systems, and proposes a shared architecture with common services, applications, identity management and data. Key elements include citizen and employee portals, centralized workflow, policies and master data, with local customization options. The goal is to move processes from manual to automated while integrating previously disconnected systems and stakeholders in a centralized way.
A single, all-encompassing engine, which provides companies & countries with all the information and access they require during this time of need to securely interact and act with communities and or individuals. The app contains platforms that bring together a range of services and for this specific use case COVID19 trustless immutable information environment.
Financial Event Sourcing at Enterprise Scale (Confluent)
For years, Rabobank has been actively investing in becoming a real-time, event-driven bank. If you are familiar with banking processes, you will understand that this is not simple. Many banking processes are implemented as batch jobs on not-so-commodity hardware, meaning that any migration effort is immense.
*Find out how Rabobank redesigned Rabo Alerts while continuing to provide a robust and stable alert system for its existing user base
*Learn how the project team managed to achieve a balance between the need to decentralise activity while not losing control
*Understand how Rabobank re-invented a reliable service to meet modern customer expectations
The Role of Data Virtualization in an API Economy (Denodo)
You can watch the webinar on demand here: https://buff.ly/2RQltuF
Digital transformation, even though a cliché, is definitely on top of every CEO's strategic initiative list. At the heart of any digital transformation, no matter the industry or the size of the company, there is an API strategy. Application programming interfaces (APIs) are the connection points between one application and another, and as such, they enable applications to build on each other, extend each other, and work with each other. Taken together, APIs represent a thriving ecosystem of developers that is showing no sign of slowing down.
Attend this webinar to learn:
• How data virtualization greatly enhances the capabilities of an API
• How data virtualization works as a service container, as a source for microservices and as an API gateway
• How data virtualization can create managed data services ecosystems in a thriving API economy
BarCamp Hong Kong 2015 - AuthBucket - Open Source Identity Management System (Wong Hoi Sing Edison)
Edison Wong presents AuthBucket, an open source identity management system. He discusses his background in Drupal development and cloud computing. AuthBucket provides a single sign-on solution for managing user authentication across multiple websites, applications, and devices. Wong outlines AuthBucket's development roadmap, including alpha and beta releases, and plans for integration with Drupal 8 and mobile responsive interfaces. He invites participants to provide feedback and get involved on GitHub.
Building Upon Existing Infrastructure for Mobile Applications (Anthony Carlson)
Has your company ever wanted to enter the mobile application space? What if your existing infrastructure could be your best asset? In 2013 Farm Credit Services of America (FCSAmerica) wanted to enter the mobile application space with a mobile app for customers. FCSAmerica needed to rethink how to design a mobile infrastructure for this app: reuse what already existed in the enterprise, but without simply exposing internal services to the world for mobile use. This session will discuss the benefits, challenges and results of implementing an API Management solution in an existing infrastructure.
EduID Mobile App - Use-Cases, Concepts and Implementation (Christian Glahn)
This presentation describes the token-agent implementation for OpenID Connect for authenticating native mobile apps provided by third parties. It presents a standards-based working solution for integrating loosely coupled native apps into a trust federation. This allows for more deeply integrated authentication services on Android and iOS without violating app-store policies.
This presentation has been part of the EduID Mobile App workshop at SWITCH on 25 Apr. 2017.
Thanks to Christoph Graf (SWITCH), Riccardo Mazza (USI), Michael Hausherr (FHNW), Goran Josic (USI), and Yann Cuttaz (USI).
Nowadays most components of a full identity infrastructure are available as Open Source components - and some even within The ASF: identity repositories, provisioning engines, access management systems.
Picking these bricks to realize a solution that will suit the wide-ranging, ever-changing needs of organizations is a real challenge for all system integrators in the Identity & Access Management area.
Some real-world use cases and scenarios will be reviewed in this presentation to highlight the strengths, flexibility and benefits, but also the wicked problems and possible improvements, that Open Source identity infrastructures can provide to organizations and end users.
The workforce is becoming increasingly mobile – at home through telecommuting, on business trips, in sales, and in servicing. There is also an increasing expectation by customers, suppliers and partners that business be conducted in real time. Research by AIIM indicates that at least 70% of organizations have deployed SharePoint in some shape or form over the past year. According to IDC, more than 1.19 billion workers of the global workforce, will be using mobile technology by 2013.
Has your organization responded to this growth in mobile workforce? Is your business content available and accessible from anywhere, on any device, and at any time? If not, why not?
Presentation Preview:
• SharePoint 2013 and various mobile options
• Device channels and responsive web designs
• Mobile BI architecture and development considerations
• How to solve the challenges in Mobile BI
This document discusses how a cloud native middleware platform can help solve issues with effective eGovernment systems. A cloud native platform provides an elastic, multi-tenant architecture that allows different government agencies to securely access shared services and data in the cloud. It also supports deploying common services for all agencies while allowing individual agencies to have their own unique processes and data. This type of platform enables central management of resources while giving individual agencies flexibility and isolation through tenant-level virtualization. It can help integrate scattered data repositories, enable transactions across agencies, and reduce costs through an on-demand, pay-per-use model.
[Workshop] Digital Transformation: Breaking Down Boundaries for Greater Conne... (WSO2)
This deck covers the problem with running systems in isolation, how you can move away from isolated systems, an introduction to the concept of service-oriented architecture and the integration hub, the benefits of sharing information and services, and the concept of API Management.
Phase two of OpenAthens SP evolution including OpenID Connect option (Eduserv)
David Orrell, System Architect and Phil Leahy, Service Relationship Manager, talk about Phase II of the OpenAthens Cloud Service Provider project, and also about how OpenAthens is being used as an identity provider service in the corporate sector.
This document discusses platforms that enable innovation through open architecture patterns. It provides examples like TCP/IP, smartphones, Aadhaar digital identity platform, and UPI digital payments platform in India. These platforms follow principles of being minimal, standardized, unbundled, generalized, layerable and ecosystem-driven. This allows innovations to happen on both sides of the platform by applications/systems developers and device/network providers. The document outlines how Aadhaar identity platform with over 1 billion enrollments and UPI digital payments with over 250 million transactions per month have transformed financial inclusion in India through such open architecture approaches.
One pager - "Trust in an Interdependent World" - October 2017 (Guy Huntington)
“The information age has ushered in a networked and interdependent world, one in which challenges and opportunities appear and disappear faster than traditional organizational models can manage.” - Chris Fussell
We are living in an economic revolution, which is quietly disrupting almost all of our ways of doing things. Driven by electronic interdependencies between multiple parties, it requires trust.
Central to creating the trust is verifying who the identity is, accepting an authentication, and obtaining the identity’s authorization consent. Technology for interdependency, i.e. federation, is outpacing our ability to create this trust. New guidelines, laws, and regulations are required to leverage biometrics for identity verification.
Couple this with the advent of a miniature “Internet of Things.” Each of us will likely have hundreds of them. We will be required to provide our authorization consent allowing each device to work with other devices, identities, and/or enterprises.
The result? A revolution is upon us. It’s unlike anything we have ever seen.
Requirements for Successful Enterprises in a Federated Economy - October 2017 (Guy Huntington)
An economic revolution is quietly occurring. It is built upon creating new, rapid interdependencies between enterprises, devices, and people. This allows us to analyze, optimize, prophesize, customize, digitize, and automate services. What most people and enterprises don’t understand are the requirements to be successful in this new world. That is what this paper addresses.
It is built upon trust. This paper identifies the foundational pieces required to create trust for an interdependent world:
• Identity verification
• Identity authentication
• Authorization consent
• Security
• Operational availability
Requirements for each piece are stated from the following perspectives:
• Users
• Third parties (e.g. banks, telcos, insurance companies, small businesses, et al.)
• Government (municipal, regional, state, and national)
• Identity verification and authentication service
The underlying infrastructure required for this interdependent world is complex. The paper illustrates this by examining the three main protocols required: OpenID Connect, OAuth, and User Managed Access.
It also discusses a potential downside of creating an interdependent world – creating a single point of enterprise and/or economic failure. A disturbing trend is the increasing size of botnet distributed denial of service attacks. The paper uses Estonia’s 2007 attack to illustrate this problem on a national scale.
Identity Federation: Citizen Consent and the Internet of Things - October 2017 (Guy Huntington)
With nanotechnology, devices are shrinking down to an almost molecular level and have the ability to communicate wirelessly via the Internet. These devices are beginning to proliferate in almost all aspects of our lives be it medical, transportation, government, clothing, appliances, and so on.
Since device owners have to access many different systems to manage their authorization consents, it becomes unwieldy. This paper addresses the simple question of “How do I manage all my consents across a wide variety of different devices, suppliers, and their systems in one place?”
Identity Federation: Governments and Economic Growth (Guy Huntington)
This paper illustrates how identity federation rethinks citizen interaction with government and third parties. It provides examples for finance, health, social services, drivers’ licenses, passports, different levels of governments, citizens’ changing addresses, and schools.
The net effects of identity federation are:
• A rapid increase in the speed of servicing a citizen via their cell phone
• Seamless interaction from the national identity verification service with governments and third parties
• Lower cost of service
• A citizen’s privacy is protected with their consent
• Economic growth
Identity federation = Biometrics and Governments Sept 2017 (Guy Huntington)
We live in an increasingly small world with rapid technological changes. Our existing identity verification systems were designed for the early 1900s. This was long before the rise of the internet with the fast, easy movement of people between government borders, electronic identity federation between enterprises and genetic cloning.
The use of high identity assurance, i.e. strong identity verification, is required to accomplish things like citizens easily being able to use digital signatures, vote online, conduct large financial transactions, etc. It requires a trusted government issued identity, from the date of birth onwards through an identity’s life. We must re-design our systems to answer the question “How do I know if you are really you?” while protecting the citizen’s privacy and their biometrics. That's what this paper discusses.
Identity federation – Mitigating Risks and Liabilities (Guy Huntington)
When I go into enterprises deploying identity federation, I frequently tell my teams that I have four letters stenciled across my forehead: R I S K. To mitigate risk from federation requires an enterprise view of the risk from Legal, Governance, Business, and IT.
It has been my experience that Business and Legal don’t fully understand the risks involved, and instead trust their IT department to “handle it.” This is why I have written this paper. It is aimed at Business, Legal, and IT leaders within an enterprise that is either embarking on identity federation and/or expanding their use of it. By reading this paper, you will learn the types of things your enterprise should be doing to mitigate federation risks and potential liabilities.
Proposed country identity strategy july 24, 2015 (Guy Huntington)
Based on all my experience, I want to assist governments in creating a national citizen identity that will enable citizens to use the technology they have, the cell phone, to improve their lives. This high level overview outlines how, by using their voice to authenticate, citizens can receive vaccination management for young children, health and education management, and pay for government services using their SMS banking and telco e-wallet services. The slides also show how governments can use this to make and save money.
National Citizen Target SOA Architecture Sept 2016
1. National Target SOA Citizen Identity Architecture
Guy Huntington, President, Huntington Ventures Ltd.
September, 2016
2. National Target SOA Citizen Identity Architecture
• This deck lays out a target SOA citizen identity architecture for your country
• A target architecture provides the starting framework
• The final architecture will be decided by you folks and approved by the government
• There will be additional architectures for the payment systems
• So, this is a good place to begin but not to end…
3. Nearly 20 Years Ago…
• Many Fortune 500 companies and only a few governments realized that a single identity was a critical cornerstone piece of their digital strategies
• Without this, no SOA and portal strategy would work, since having multiple identities for the same person would not allow for seamless digital and in-person services
• Further, they also realized that having a common access service is dependent upon having a unified identity
• In my own case, at Boeing, in the early 2000’s, we implemented a unified identity and access management infrastructure and then integrated into this several large portals with more than one million users as well as 1,500 applications. In parallel, they then developed a SOA architecture based on the identity infrastructure
• An old Burton Group target architecture, from this time, illustrates this, showing identity, provisioning and access management all running as SOA web services (they were the original consulting group who pioneered SOA identity services)
4. (Diagram) An old Burton Group target architecture from nearly 20 years ago, showing identity, provisioning and access management all running as web services
5. Estonia…
• In Estonia, in the late 1990’s, they too realized that identity is the key component
• They realized that a common identity for each citizen was required
• They also realized that citizen life event triggers were important to streamline government services
• Finally, they also adopted a SOA web services architecture
6. Single Citizen Identity
• One identity per citizen
• Any changes to the identity are then shared with other apps/services consuming them
  – One place for a citizen to change things like addresses and phone numbers
  – Citizens don’t have to fill in the same information over and over in forms for different apps/services
• Same identity used for access management
7. Single Citizen Identity (diagram)
• The citizen accesses services via their phone or the internet through the Government Portal
• Behind the portal sit Ministry Apps/Services, Municipalities Apps/Services, 3rd Party Apps/Services and Crown Corp. Apps/Services
• All of them rely on the one Citizen Identity Access Management System
Identity - Foundation of e-Governance
9. Business Processes – Identity Assurance
• Since the citizen’s identity is a key cornerstone of e-government services, a high level of identity assurance is required
• When a citizen is born there needs to be:
  – One or more biometrics obtained, tying the citizen’s digital and physical identities together
  – Parent/guardian relationships recorded in the citizen tombstone identity directory
• Most changes to the identity must be done with the use of biometrics and electronic document verification
  – Exceptions to this might include address and telephone number changes
• These identity assurance processes are what is commonly called “identity proofing”
• Identity assurance levels are defined in the Evidence of Identity document your government will produce
  – This will be used by government ministries, crown corporations, municipalities and third parties to understand the level of identity assurance behind the identities they are consuming from the central citizen tombstone identity directory
10. Tools To Manage Citizens’ Identities
• Citizen tombstone identity directory – LDAP
  – This is a “point in time” view of the citizen and shouldn’t be authoritative for citizen identity attributes
• Provisioning database
  – This records changes made to the LDAP directory from the authoritative sources
• Connectors/APIs
  – Used to connect the authoritative sources with the provisioning engine, which in turn updates the LDAP directory
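The three tools above describe one pattern: authoritative sources feed a provisioning engine, which writes a point-in-time copy into the directory and logs every change. The following is an added example of that pattern, not code from the deck or from ForgeRock OpenIDM. The two authoritative feeds (a civil registry and an address registry), the directory and the citizen records are constructed in-memory stand-ins; the per-source attribute authority table is this example's own assumption, included because it is the check a practitioner most wants the provisioning engine to enforce.

```python
"""Reconcile authoritative citizen records into a point-in-time directory.

Constructed example: dicts stand in for the civil registry, the address
registry (authoritative sources) and the LDAP "tombstone" directory.  Every
applied change goes to a provisioning log so the directory can be rebuilt
and each attribute traced back to the source that asserted it.
"""
from dataclasses import dataclass, field

# Attributes each authoritative source may assert (assumed split).  A feed
# that sends an attribute it does not own is rejected and logged instead of
# silently overwriting data owned by another ministry.
SOURCE_AUTHORITY = {
    "civil_registry": {"given_name", "surname", "birth_date", "parent_ids"},
    "address_registry": {"street", "city"},
}


@dataclass
class Directory:
    entries: dict = field(default_factory=dict)  # citizen_id -> attributes
    log: list = field(default_factory=list)      # provisioning log records


def reconcile(directory: Directory, source: str, records: dict) -> dict:
    """Sync one source's full current view ({citizen_id: {attr: value}})
    into the directory.  Returns counts of what happened."""
    allowed = SOURCE_AUTHORITY[source]
    stats = {"created": 0, "updated": 0, "orphaned": 0,
             "rejected": 0, "unknown": 0}

    for cid, attrs in records.items():
        rejected = sorted(set(attrs) - allowed)
        if rejected:
            stats["rejected"] += len(rejected)
            directory.log.append((source, cid, "REJECT", rejected))
        accepted = {k: v for k, v in attrs.items() if k in allowed}

        entry = directory.entries.get(cid)
        if entry is None:
            if source != "civil_registry":
                # Only the civil registry may bring a citizen into existence.
                directory.log.append((source, cid, "UNKNOWN", accepted))
                stats["unknown"] += 1
                continue
            directory.entries[cid] = dict(accepted)
            directory.log.append((source, cid, "CREATE", accepted))
            stats["created"] += 1
            continue
        changed = {k: v for k, v in accepted.items() if entry.get(k) != v}
        if changed:
            entry.update(changed)
            directory.log.append((source, cid, "UPDATE", changed))
            stats["updated"] += 1

    # An entry the civil registry no longer reports is flagged, not deleted:
    # a directory that silently drops people is as bad as one that invents them.
    if source == "civil_registry":
        for cid, entry in directory.entries.items():
            if cid not in records and entry.get("status") != "orphaned":
                entry["status"] = "orphaned"
                directory.log.append((source, cid, "ORPHAN", {}))
                stats["orphaned"] += 1
    return stats


def run_demo() -> Directory:
    """Constructed sample feeds; returns the reconciled directory."""
    civil = {
        "C1": {"given_name": "Ama", "surname": "Mensah",
               "birth_date": "2010-05-01", "parent_ids": ["C0"]},
        "C2": {"given_name": "Kofi", "surname": "Boateng",
               "birth_date": "1985-11-23", "parent_ids": []},
    }
    # The address feed also tries to change a surname it does not own.
    address = {"C1": {"street": "1 Ring Road", "city": "Accra",
                      "surname": "Owusu"}}
    directory = Directory()
    reconcile(directory, "civil_registry", civil)
    reconcile(directory, "address_registry", address)
    # A later civil feed no longer lists C2.
    reconcile(directory, "civil_registry", {"C1": civil["C1"]})
    return directory
```

The directory itself never decides what is true about a citizen; it only holds what the authoritative sources said, and the log is what an auditor reads when an attribute looks wrong.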
13. OpenIDM Architecture (diagram)
• Runs on OSGi inside a Jetty web server, with an authentication filter (JASPI) in front of the ForgeRock REST router and the ForgeRock UI Framework
• Business logic in JavaScript, Groovy or Java
• Core services: managed users, sync/recon, system connectors to external resources, scheduler, workflow, policy, configuration, audit/logs
• Repository: MySQL, MSSQL, PostgreSQL or Oracle databases
14. Citizen Tombstone Identity Directory
• Uses LDAP (Lightweight Directory Access Protocol)
  – A specialized database using a hierarchical structure
  – Optimized for extremely fast lookups and scalability
  – This is required since the LDAP directory is used for access control, i.e. many concurrent lookups per second
16. ForgeRock Directory – OpenDJ (feature overview)
LDAPv3, REST/JSON, replication, access control, schema management, caching, auditing, monitoring, groups, password policy, Active Directory sync, reporting
17. OpenDJ Architecture (diagram)
• User interface: end user and management UIs on the ForgeRock UI Framework and ForgeRock REST
• Core server: LDAPv3, REST2LDAP, replication, auditing, caching, monitoring, password policy, groups, schema management, access control
• Backend services: persistence, connectors, LDIF, memory, change log
• Clients reach the server via the Java SDK/LDAPv3, or as web applications via REST2LDAP / ForgeRock REST
18. Single Citizen Identity (diagram, as on slide 7)
• The citizen accesses the Government Portal via their phone or the internet; Ministry, Municipalities, 3rd Party and Crown Corp. Apps/Services all sit behind it
• All Apps/Services leverage the same Citizen Identity Access Management System
19. Access Management
• Provides the following services:
– Authentication
– Authorization
– Federation
– Web Services Security
– Adaptive Authentication/Strong Authentication
– Entitlements
• Must be highly available and scalable
20. ForgeRock Access Management – OpenAM (feature overview)
Web services security, session management, authentication, authorization, federation, entitlements, adaptive risk, single sign-on
21. OpenAM Architecture (diagram)
• Protected resources are reached through web agents, Java EE agents and web services agents
• User interface: end user and management UIs on the ForgeRock UI Framework; ForgeRock REST (Commons REST)
• Core services: authentication, entitlements, session, auditing, OAuth, OpenID Connect, Core Token Service, configuration, policy, user management, Secure Token Service, XACML, federation
• SPIs: authentication, policy, user management, token service and federation plugins
• Persistence in OpenDJ; Universal Gateway
24. OpenAM Federation
• All major federation protocols: SAML 1.x, SAML 2.0 (SP, IdP, ECP, and IdP Proxy), WS-Federation (asserting and relying party)
• Next-generation federation standards for cloud and mobile include a full implementation of OpenID Connect and OAuth 2.0 (consumer, provider, authorization server)
• All web services security standards: Liberty ID-WSF, WS-I Basic Security Profile, WS-Trust (STS) and WS-Policy
• FICAM (Federal Identity, Credential, and Access Management) compliant, an initiative defined by the U.S. Federal Government to simplify identity and access management across government systems
• The OATH HOTP standard, which allows a mobile phone to be used as a second authentication factor
• XACML for fine-grained authorization policy definition, import, export
• Support included for IPv6, Java 6, 7, and 8
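The OATH HOTP item above names an algorithm, RFC 4226, whose whole security rests on how the server verifies codes, not just on how the phone generates them. The block below is an added example, not the deck's or OpenAM's code: the RFC 4226 generator in standard-library Python, and a server-side verifier with the look-ahead window and counter advance that stop replay. The secret is the RFC's published test key, so the codes can be checked against its test vectors.

```python
"""RFC 4226 HOTP: generation plus server-side verification.

Added example (not ForgeRock code).  The shared secret is the RFC 4226
test key, so hotp(RFC4226_SECRET, 0) must be "755224" per the RFC.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226 s.5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # low nibble of the last byte
    code = (
        (mac[offset] & 0x7F) << 24             # mask the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side of HOTP for one enrolled phone.

    The server keeps its own counter.  It accepts a code for any counter in
    a small look-ahead window (the user may have generated codes that were
    never submitted), then moves past the one it accepted, so a code can
    never be replayed and an earlier code is never accepted after a later
    one.  Real deployments add throttling on failed attempts (RFC 4226 s.7.3).
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            candidate = self.counter + i
            # compare_digest is constant-time, so timing leaks no digits
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1   # resync and burn this counter
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"  # test key published in RFC 4226
```

The window is the trade-off a practitioner has to own: too small and a user who pressed the button a few times is locked out; too large and the attacker gets that many guesses per attempt, which is why the RFC pairs it with a failed-attempt throttle.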
26. Credential Assurance
• Since all government ministries’ applications/services, crown corporations, municipalities and third parties are using the same citizen access management system, they need to know what the credential authentication standards are
• This is spelled out in the Credential Assurance document the government will prepare
27. The World of APIs and the Internet of Things
• Application Programming Interfaces (APIs) have become a way to rapidly implement SOA architectures and, in many cases, are replacing SOAP web services
• The use of mobile devices requires APIs
• Now governments are also going to be managing internet-based “things” together with citizens
28. Mobile Apps
• Built on APIs
• Access from anywhere
• Require strong security
29. ForgeRock APIs – OpenIG
• Features: authentication, password replay, message transformation, throttling, scripting, OpenID Connect, OAuth2, SAML2
• A powerful, flexible, lean, identity-centric reverse proxy and gateway to secure all access to applications and APIs
31. API Economy (diagram: client → API gateway, which authenticates the caller and proxies to the resource)
• Secure services with standards
• Enable monetization with auditing and throttling
• Publish APIs to developers
• Integrate with any Identity Provider
32. Internet of Things Scale (diagram: demand from the internet drives the cluster size behind an elastic load balancer)
• Built on new stateless sessions
• JWT-based sessions
• Per-realm configuration
• Enables true elastic deployment
• Massive horizontal scalability
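A stateless session is what makes the elastic deployment on this slide possible: any node holding the signing key can validate a session without a shared session store. The block below is an added example of such a session, not code from the deck or from OpenAM. It mints and verifies an HS256 JWT with the standard library only; the key, the "realm" claim and the subject names are this example's own assumptions.

```python
"""Stateless, JWT-based sessions (HS256) with standard-library Python.

Added example, not ForgeRock code.  Any node with the key verifies a
session locally: no shared session store, so nodes can be added or removed
freely.  The price is that a token stays valid until "exp"; revocation
needs a denylist or short lifetimes.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_session(key: bytes, subject: str, realm: str, ttl: int,
                  now: Optional[int] = None) -> str:
    """Mint a signed session token: header.claims.signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "realm": realm, "iat": now, "exp": now + ttl}
    signing_input = f"{_encode(header)}.{_encode(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_session(key: bytes, token: str, realm: str,
                   now: Optional[int] = None) -> dict:
    """Return the claims if the token is genuine, unexpired and for this
    realm; otherwise raise ValueError.  The signature is checked before any
    claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    # Pin the algorithm server-side; never let the token choose it
    # (rejects alg=none and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("realm") != realm:   # per-realm isolation of sessions
        raise ValueError("wrong realm")
    return claims


def tamper(token: str, **changes) -> str:
    """Rewrite claims without re-signing, to show verification catches it."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return f"{head_b64}.{_encode(claims)}.{sig_b64}"
```

The realm check matters for the per-realm configuration on the slide: a session minted for one realm must not be accepted by an application in another, even though both trust the same platform.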
33. Privacy & Consent
User Managed Access (UMA)
• Standards-based privacy and consent
• Giving people the right to control access to their data across providers
• Interoperable OAuth2-based protocol
• Shipping as an integrated feature of OpenAM and OpenIG
34. How UMA works: federated authorization on top of OAuth
• Loosely coupled, to enable centralized authorization-as-a-service for any number of an individual’s resource servers
• A new concept, to enable party-to-party sharing driven by policy (or access approval) rather than requiring the individual to be present at access time
• Authorization data is added to the requesting party token if trust in the requesting party is successfully elevated, typically through authentication and/or claims-gathering
35. The UMA nitty gritty (diagram)
Parties: resource owner (RO), resource server (RS), authorization server (AS), and the client (C) acting for the requesting party. The RS calls the AS protection API carrying a protection API token (PAT); the client calls the AS authorization API carrying an authorization API token (AAT); the client presents a requesting party token (RPT) to the RS-specific API. The RO chooses resources to protect and sets policies out of band.
• RS needs OAuth client credentials at AS to get PAT
• C needs OAuth client credentials at AS to get AAT
• All protection API calls must carry PAT
• All authorization API calls must carry AAT
1. RS registers resource sets and scopes (ongoing – CRUD API calls)
2. C requests resource (provisioned out of band; must be unique to RO)
3. RS registers permission (resource set and scope) for attempted access
4. AS returns permission ticket
5. RS returns error 403 with as_uri and permission ticket
6. C requests authz data, providing permission ticket
7. (After claims-gathering flows not shown) AS gives RPT and authz data
8. C requests resource with RPT
9. RS introspects RPT at AS (default profile)
10. AS returns token status
11. RS returns 20x
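The eleven steps above are easier to follow with all three parties in one place. The block below is an added example, not code from the deck, from the UMA specification or from ForgeRock: the RS, AS and client are Python objects exchanging the same tokens in the same order. Tokens are opaque random strings, the PAT and AAT are minted straight from OAuth client credentials, and the claims-gathering of step 7 is replaced by a policy the resource owner set out of band. The URIs, names and resource data are constructed.

```python
"""UMA 1.0 flow (steps 1-11 of the slide) with RS, AS and client in-process.

Added example, not ForgeRock or Kantara code.  Tokens are opaque strings
looked up at the AS; a real deployment would use TLS, token expiry and the
full claims-gathering dance before issuing an RPT.
"""
import secrets


class AuthorizationServer:
    AS_URI = "https://as.example"  # constructed

    def __init__(self):
        self.clients = {}        # OAuth client_id -> secret
        self.tokens = {}         # token -> {"type": PAT|AAT|RPT, ...}
        self.resource_sets = {}  # rs_id -> {"owner", "scopes"}
        self.policies = {}       # rs_id -> {requesting_party: set(scopes)}
        self.tickets = {}        # permission ticket -> (rs_id, scope)

    def register_client(self, client_id, secret):
        self.clients[client_id] = secret

    def _mint(self, kind, **data):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"type": kind, **data}
        return token

    def _require(self, token, kind):
        info = self.tokens.get(token)
        if info is None or info["type"] != kind:
            raise PermissionError(f"{kind} required")
        return info

    # OAuth client credentials -> PAT (RS, on behalf of the RO) or
    # AAT (client, on behalf of the requesting party).
    def client_credentials(self, client_id, secret, kind, user):
        if not secrets.compare_digest(self.clients.get(client_id, ""), secret):
            raise PermissionError("bad client credentials")
        return self._mint(kind, user=user)

    # Protection API: every call must carry the PAT.
    def register_resource_set(self, pat, scopes):            # step 1
        owner = self._require(pat, "PAT")["user"]
        rs_id = f"rs-{len(self.resource_sets) + 1}"
        self.resource_sets[rs_id] = {"owner": owner, "scopes": set(scopes)}
        return rs_id

    def register_permission(self, pat, rs_id, scope):         # steps 3-4
        self._require(pat, "PAT")
        if scope not in self.resource_sets[rs_id]["scopes"]:
            raise ValueError("unknown scope")
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (rs_id, scope)
        return ticket

    def introspect(self, pat, rpt):                            # steps 9-10
        self._require(pat, "PAT")
        info = self.tokens.get(rpt)
        if info is None or info["type"] != "RPT":
            return {"active": False}
        return {"active": True, "permissions": info["permissions"]}

    def set_policy(self, rs_id, requesting_party, scopes):    # RO, out of band
        self.policies.setdefault(rs_id, {})[requesting_party] = set(scopes)

    # Authorization API: every call must carry the AAT.
    def authorize(self, aat, ticket):                          # steps 6-7
        party = self._require(aat, "AAT")["user"]
        if ticket not in self.tickets:
            raise PermissionError("invalid ticket")
        rs_id, scope = self.tickets.pop(ticket)                # single use
        if scope not in self.policies.get(rs_id, {}).get(party, set()):
            raise PermissionError("policy denies access")      # claims-gathering would go here
        return self._mint("RPT", user=party, permissions=[(rs_id, scope)])


class ResourceServer:
    def __init__(self, as_server, pat):
        self.as_server, self.pat, self.resources = as_server, pat, {}

    def protect(self, data, scopes):
        rs_id = self.as_server.register_resource_set(self.pat, scopes)
        self.resources[rs_id] = data
        return rs_id

    def get(self, rs_id, rpt=None):                            # steps 2, 5, 8, 11
        if rpt is not None:
            status = self.as_server.introspect(self.pat, rpt)
            if status["active"] and (rs_id, "read") in status["permissions"]:
                return 200, self.resources[rs_id]
        ticket = self.as_server.register_permission(self.pat, rs_id, "read")
        return 403, {"as_uri": self.as_server.AS_URI, "ticket": ticket}


def run_flow(requesting_party="bob"):
    """Alice's RS shares her address with Bob only; returns the (status,
    body) the client ends up with."""
    as_server = AuthorizationServer()
    as_server.register_client("rs", "rs-secret")
    as_server.register_client("app", "app-secret")
    pat = as_server.client_credentials("rs", "rs-secret", "PAT", user="alice")
    aat = as_server.client_credentials("app", "app-secret", "AAT", user=requesting_party)
    rs = ResourceServer(as_server, pat)
    rs_id = rs.protect({"city": "Accra"}, ["read"])
    as_server.set_policy(rs_id, "bob", ["read"])
    status, body = rs.get(rs_id)                  # no RPT yet: 403 + ticket
    assert status == 403
    try:
        rpt = as_server.authorize(aat, body["ticket"])
    except PermissionError as denied:
        return 403, str(denied)
    return rs.get(rs_id, rpt)
```

Two points the flow makes concrete: the RS never evaluates policy itself, it only registers the attempted access and later asks the AS whether the RPT it was handed is good; and the permission ticket is single use, so a ticket captured in the 403 response cannot be replayed against the authorization API.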
36. So Now Let’s Put It Together… (diagram)
• Access management (OpenAM): authentication, authorization, web services security, session management, federation, entitlements, adaptive risk, single sign-on
• Directory (OpenDJ): LDAPv3, REST/JSON, replication, access control, schema management, caching, auditing, monitoring, groups, password policy, Active Directory synch, reporting
• Identity management (OpenIDM): provisioning, password management, synchronization, reconciliation, workflow engine, registration, role provisioning, auditing
• Identity gateway (OpenIG): authentication, OpenID Connect, OAuth2, SAML2, password replay, message transformation, throttling, scripting
• Single integrated, open platform: common REST API, common user interface, common audit/logging, common scripting
• Using the identity solution open source suite- ForgeRock Platform
37. ForgeRock Commons (diagram)
Simplify, standardize app development
• Core application services: Common REST (CREST), Common AuthN Framework, Commons Audit, Configuration, Common Scripting, API Descriptor, Common HTTP Framework
• User interface: ForgeRock UI; mobile apps: Mobile SDK
• Built on OpenDJ
38. Commons Projects
• ForgeRock REST (CREST)
• HTTP Framework
• REST End-Point Protection (Auth Filters)
• Scripting
• API Descriptor
• Audit
• UI Framework
• Self-Service
39. Scripting
Key Features
– JavaScript and Groovy
– JSR 223
– Common HTTP Client Binding
– Sandboxing
– Script Registry
– Debugging
Use Cases
– OpenAM Authentication and Authorization
– OpenIDM Connectors and Business Logic
– OpenIG Filters and Handlers
40. API Descriptor
Key Features
– Simple way for developers to consume the ForgeRock Common REST API
– Descriptor allows dynamic generation of documentation and language bindings
– Pre-defined descriptors for common APIs across products
– Ability to dynamically create a user interface
– Modeling capabilities that test how an API responds to different options and parameters
41. Audit Framework
Key Features
– Multiple types of audit events
– Multiple targets (audit consumers), pluggable
– Correlating events within a transaction
– Correlating events across products
– Tamper evident
– REST API for read and query
– Client helpers
– Transformation
– Client context and device print
(Diagram: one transaction ID is carried across the client AuthN, session, token and token store events and written to the access.csv and activity.csv audit files.)
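Two of the audit features above, correlation across products by transaction ID and tamper evidence, as an added example that is not ForgeRock's implementation: the CSV rows are constructed samples whose column names follow the common audit layout, and the hash chain is this example's own illustration of a tamper-evident log.

```python
import csv
import hashlib
import io
import json

# Constructed sample events from two products, standing in for the access.csv and
# activity.csv pair; the shared transactionId is what ties them together.
ACCESS_CSV = """_id,timestamp,transactionId,eventName,userId,response
a1,2016-05-01T10:00:00Z,txn-100,AM-LOGIN,jane,SUCCESS
a2,2016-05-01T10:00:05Z,txn-101,AM-LOGIN,bob,FAILURE
"""
ACTIVITY_CSV = """_id,timestamp,transactionId,eventName,objectId,operation
b1,2016-05-01T10:00:02Z,txn-100,IDM-UPDATE,managed/user/jane,UPDATE
b2,2016-05-01T10:00:06Z,txn-100,IDM-SYNC,system/ldap/jane,UPDATE
"""

def load_events(text, source):
    """Parse one audit file and tag each row with the file it came from."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["source"] = source
    return rows

def correlate(transaction_id, *event_lists):
    """Events across products sharing one transactionId, in time order."""
    events = [e for lst in event_lists for e in lst if e["transactionId"] == transaction_id]
    return sorted(events, key=lambda e: e["timestamp"])

def chain(events, seed=b"constructed-seed"):
    """Tamper-evident log: each digest covers the event's canonical JSON and the
    previous digest, so altering or dropping an earlier row breaks every later digest."""
    digests, prev = [], hashlib.sha256(seed).hexdigest()
    for e in events:
        canon = json.dumps(e, sort_keys=True, separators=(",", ":"))
        prev = hashlib.sha256((prev + canon).encode()).hexdigest()
        digests.append(prev)
    return digests

def verify_chain(events, digests, seed=b"constructed-seed"):
    """True only if recomputing the chain over the events reproduces the stored digests."""
    return chain(events, seed) == digests
```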
43. Let’s Apply This to Your Country…
• First, let’s see how the Authoritative Citizen Identity Sources can send citizen identity data via an API service to OpenIG, OpenIDM and then on to OpenDJ
44.
45. Changes to the Citizen’s Identity
• The value of using this architecture is that all government ministries, crown corporations, municipalities and 3rd parties consume the same identity
• So now let’s see how an identity change then flows from OpenIDM to these entities…
46.
47. Some Identity Changes May Require Citizen Consent to Send Them Out…
• In which case the architecture utilizes “User Managed Access” (UMA) which is built into both OpenIG and OpenAM
• In one place the citizen can access and manage all their digital consents for the government, crown corps, municipalities and 3rd parties
48. Now Let’s Add Citizens Wanting To Make A Payment to the Government
• The citizen accesses, via their cell phone or via the internet, the citizen payment portal
• The payment portal then uses a citizen identity authentication service API to OpenAM to authenticate the citizen and then…
• Passes the authenticated identity back to the payment portal which then works with the various ministry applications on the government’s network to pay for services, tickets, taxes, etc., using e-wallets, SMS banking, debit and credit cards
49.
50. e-Health and e-Education
• All government systems will leverage the same identity and access management system including e-Health and e-Education
• Let’s see how this would work…
51.
52. Municipalities & Crown Corporations
• They too will leverage the same identity
• Let’s look at how this will occur…
53.
54. ESB and BPEL
• The target architecture works with an Enterprise Service Bus (ESB) and Business Process Execution Language (BPEL) internally within your government
• This allows the government to:
– Take the citizen’s identity and then quickly map to identity apps, services and databases within the government for things like payment services, etc.
– Not be so reliant upon proprietary vendors where the code and business processes are not easily interfaced with
55. How To Securely Pass Identity Information Around Within Your Ministry and Between Ministries…
(Diagram: the National Identity System reaches the Home Affairs & Labour Ministry access management/API over the internet via OpenID Connect and encryption; the ministry/government portal and ministry apps with open source workflow software connect through the Government of Botswana open source enterprise service bus to other ministry applications/services.)
Note: In addition to protocols already mentioned, the Ministry and the Government should be using protocols like Business Process Modeling Notation (BPMN) and Business Process Execution Language (BPEL) for Web Services to create workflows independent of vendors and/or able to integrate with vendors
56. Integrating Commercial Vendors Within Your Ministry To The Identity System…
(Diagram: the National Identity System’s API reaches the Ministry of Labour and Home Affairs’ internal network over the internet; the Home Affairs & Labour Ministry access management/API and the ministry/government portal map the PAI to the identity, which then flows over BPEL/ESB to a commercial app and to open source apps.)
57. Moving Identity Information Around Within The Government…
(Diagram: the National Identity System’s API reaches the government internal network over the internet via OpenID Connect; the ministry access management/API and the ministry/government portal map the PAI to the identity, which then flows over BPEL/ESB to a commercial app and to open source apps.)
58. Protocols Used
• Identity Access Management:
– OAuth 2.0
– OpenID Connect
• User Managed Access
– UMA
• JSON
• REST
• HTTPS
• XML
• BPEL
59. Identity Privacy Architecture
• The target architecture uses Persistent Anonymous Identifiers (PAI) to send identities from the citizen identity directory to a portal, application or service
– Example: Jane Doe’s PAI to the citizen portal might be ABCDE, for a crown corporation it might be 123456 and for a municipality it might be ABCD1234
– This mitigates the risk if Jane’s identity information is obtained either by a man-in-the-middle attack or by a person on the application server who gains access
– Jane Doe’s unique identity number stays within the citizen central directory and never leaves it
– Each PAI is calculated on the fly using an algorithm and is not stored in the central identity store, again to mitigate risk
– Go here to learn about PAIs: http://info.idmanagement.gov/2012/10/challenges-in-operationalizing-privacy.html
60. Identity Privacy Architecture
• All communication between apps/services and the central identity system is protected in three ways:
– HTTPS for the actual transmission
– The app/service digitally signs the transmission
– The central identity service also digitally signs the transmission
• This mitigates the risk of man-in-the-middle attacks
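Slides 59 and 60 together, as an added example that is not the deck's or ForgeRock's code: the central directory derives a per-audience PAI on the fly (here an HMAC over the audience and the citizen number, an assumed algorithm since the deck names none), pushes only tombstone-level attributes under that PAI, and both ends sign what they send. HMAC-SHA256 stands in for the digital signatures; HTTPS is assumed around the exchange. Keys and the citizen record are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo keys. The PAI key never leaves the central directory; the
# per-party signing keys stand in for digital signature keys (HMAC-SHA256 here,
# asymmetric signatures such as JWS in a real deployment).
PAI_KEY = b"central-directory-pai-key"
SIGNING_KEYS = {"directory": b"dir-key", "citizen-portal": b"portal-key", "crown-corp": b"cc-key"}
# Tombstone-level record keyed by the citizen's unique number (constructed sample).
DIRECTORY = {"7788990011": {"given": "Jane", "family": "Doe", "born": "1980-01-01"}}

def derive_pai(citizen_number, audience, key=PAI_KEY):
    """PAI = HMAC-SHA256(key, audience || citizen number), truncated. Computed on
    the fly and never stored; stable per audience, unlinkable across audiences."""
    mac = hmac.new(key, f"{audience}\0{citizen_number}".encode(), hashlib.sha256).digest()
    return mac[:10].hex()

def sign(sender, payload):
    """Canonical JSON body plus the sender's tag; this message is what travels
    inside the (separate) HTTPS channel."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SIGNING_KEYS[sender], body.encode(), hashlib.sha256).hexdigest()
    return {"sender": sender, "body": body, "tag": tag}

def verify(msg):
    """Return the payload if the tag matches the claimed sender's key, else None."""
    key = SIGNING_KEYS.get(msg.get("sender"))
    if key is None:
        return None
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(msg["body"]) if hmac.compare_digest(expected, msg["tag"]) else None

def directory_push(citizen_number, audience):
    """Central directory sends a signed tombstone record keyed by the audience's
    PAI; the citizen's unique number itself stays in the directory."""
    record = dict(DIRECTORY[citizen_number])
    record["pai"] = derive_pai(citizen_number, audience)
    return sign("directory", record)

def app_receive(msg, audience):
    """Receiving app/service verifies the directory's signature and answers with
    its own signed acknowledgement. Returns (record or None, signed ack)."""
    record = verify(msg)
    if record is None:
        return None, sign(audience, {"status": "rejected"})
    return record, sign(audience, {"status": "stored", "pai": record["pai"]})
```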
61. Identity Privacy Architecture
• No mother of all identity databases
• The central citizen identity directory only has tombstone level citizen identity information
• Sensitive information such as tax numbers etc. is stored in the pertinent ministry application and database
• This mitigates the risk of attackers wanting to get at “all the identity information in one place”
62. In Summary…Single Citizen Identity
• The target architecture leverages a single citizen identity
• Any changes to the identity can be pushed from the central identity service to all government ministry, municipal and crown corporation services
• Only tombstone level identity information is stored in the directory
– All other sensitive identity attributes such as tax numbers, etc. are stored in the appropriate ministry application and database
63. In Summary… SOA
• Different government ministry, municipal, crown corporation or 3rd party services can use an identity authentication API to call upon the citizen identity authentication service
• APIs can be easily registered and standardized by the ForgeRock architecture
• The architecture allows for secure, rapid implementation of an SOA using API services
64. In Summary…Availability & Scalability
• The architecture is robust
• It is highly available within each data centre and between data centres
• The architecture can easily scale with increased load
• The architecture delivers high performance all the time
65. In Summary…Privacy
• The architecture protects citizen privacy
• No mother of all citizen databases is created
• Only tombstone level citizen identity information is stored
• The citizen’s unique identity number never leaves the central citizen identity directory
• Persistent Anonymous Identifiers (PAIs) are used and are also not stored in the central citizen identity directory
• Three different transmission protections are used (HTTPS plus signatures from both ends)
66. In Summary…The Future
• The same architecture can be used in the future for additional identities:
– As the internet of things develops in your country, the architecture will easily handle the increased load
– Private enterprises incorporating with the government can leverage the same infrastructure
• Using the OpenIDM workflows, timelines for incorporating a business can be significantly reduced, as can renewals of business licenses, etc.
67. In Summary…Internet Time
• The target architecture presented is built upon the concept of internet time
• Rapid implementation of an SOA is possible due to the unified ForgeRock Commons
• Developers will be given identity and API standards and can quickly implement them within their applications regardless of whether they are within the government, crown corporations, municipalities or 3rd parties
68. So Who’s Using This Today?
• Large companies like Toyota
• Governments including Norway, Canada, New Zealand and Alberta
• https://www.forgerock.com/our-customers/
69. Suggested Tactical SOA Plan…
• Like the many Fortune 500 companies and countries that have already gone down the same SOA road your country is likely on, it makes sense to quickly get the identity architecture and infrastructure in place
• Without a single citizen identity and unified access management, the government will not be able to obtain the benefits of any citizen facing SOA
• I have presented a target citizen identity architecture that is state of the art and can be quickly implemented across ministries, crown corporations, municipalities and 3rd parties by using API services
• The SOA citizen identity architecture can then be leveraged by the overall government SOA, as many enterprises around the world have already done
• Significant benefits can be seen by local citizens who have only cell phones as well as those who have smartphones and internet access
Editor's Notes
Billions of apps downloaded
OpenIG is a Java-based reverse proxy which runs as a web application in a web container like Tomcat.
HTTP traffic is routed through OpenIG, enabling close inspection, transformation and filtering of each request.
By inspecting the traffic, OpenIG is able to intercept requests, capture the user's login credentials, and send the necessary HTTP request to the target application, thereby logging in the user without modifying or installing anything on the application.