Ian Bailey Director Application Architecture - PowerPoint PPT Presentation

Slides: 26
Provided by: oasi3

Transcript and Presenter's Notes

1
A User Centric and Claims Based Architecture for
British Columbia
  • Ian Bailey, Director Application Architecture
  • Office of CIO, Province of BC

2
Agenda
  • Background on BC Use Cases
  • Connected Workforce
  • Citizen Centred Service
  • Authoritative Parties and Claims
  • IDM Architecture Project
  • IDM Pilots
  • Claims and Standards
  • Questions

3
Province of British Columbia
Here
4
Province of British Columbia
  • Westernmost province in Canada
  • 4.4 Million Citizens
  • 400,000 Businesses
  • 2 Million workers
  • 400,000 people participate in the delivery of
    public services

5
Two general use cases
  • Connected Workforce
      • Many public and private sector organizations
      • Using different vendor products
      • Sharing information for better outcomes
  • Citizen Centred Service
      • Providing electronic services to citizens
      • Privacy, safety and ease of use

6
Connected Workforce: 400,000 member workforce
  • Approximately 500 public sector organizations
      • Government ministries, agencies and boards
      • Health authorities and hospitals
      • School districts, universities, colleges
      • Municipalities, regional districts
      • Crown Corporations
  • 1000s of licensed professionals
  • 10,000s of contracted service providers

7
Connected Workforce: Information Sharing for better outcomes
  • Workforce should be able to get access to the
    information they need to do their job.
  • An identity management eco-system is key to
    ensuring the right person has access to the right
    information, at the right time, and for the right
    purpose.

8
Connected Workforce: 400,000 Businesses
  • They may have their own sophisticated IT
    infrastructures and have a username and password
    or smart card at their workplace
  • Or they may need a common Identity provider
    service
  • BCeID is our identity service

9
Federated Businesses
[Chart. Axes: Size of Business, Number of Businesses. Label: Common Identity Provider BCeID for small businesses]
10
Citizen Centred Service: 4 Million citizens
  • A common Identity provider service for public
    services in any sector
  • BCeID is our service
  • Desire for additional features
      • Privacy protection and Minimal Disclosure
      • Internet Safety

11
Authoritative Parties and Claims
  • Government is an authority for personal
    identification claims
  • Government is an authority for business identity
    claims
  • Organizations are an authority for claims about
    their employees
  • Professional bodies are an authority for claims
    about their members
  • Individuals are the authority for some claims
    about themselves

12
BC Identity Management Forum: Spring 2006
  • April 2006 we brought together the largest BC
    public sector organizations and our major IT
    suppliers
  • Invited them to work towards a solution that
      • Protects privacy and security
      • Leverages authoritative sources for identity
        information (claims)
      • Scales to connect our workforce and the public

13
BC Identity Management Forum: Fall 2006
  • Engaged public sector CIOs and architects
  • Contracted with Bell, CA, Deloitte, IBM,
    Microsoft, Nortel, Novell, Oracle, Siemens, Sun
    Microsystems, Sxip, and Telus
  • Sxip Identity to coordinate and manage forum
  • Develop an architecture for the two use cases

14
BC Identity Management Forum: Requirements Document
  • Contents
      • An agreed lexicon of terms
      • 34 general requirements
      • Privacy best practices
      • Security gradient
      • Authoritative sources of identity claims
      • Loose coupling for scaling
  • http://www.cio.gov.bc.ca/idm/idm_forum/

15
BC Identity Management Forum: Architecture Document, July 2007
  • Contents
      • Background/methodology/principles
      • Core architecture interactions
      • Additional use case interactions
      • Standards and architecture recommendations
  • http://www.cio.gov.bc.ca/idm/idm_forum/

16
Core Architecture
  • Root Authorities/Trust Model
  • Authoritative Party (AP): Authorities recognized to make claims
  • Relying Party (RP): Request and accept claims to satisfy local policy.
  • Identity Agent (IA): Facilitates and controls the distribution of
    claims for a principal.
17
BC Identity Management Forum
  • Test/Pilot the two main use cases
      • Connected workforce
      • Citizen centred service
  • Using Information Cards

18
BC Identity Management Forum: Pilot 1, Connected Workforce
  • Access to each other's wireless LANs using a
    Managed Information Card
  • Microsoft is providing software so that we can
    issue Managed Information Cards from 5
    organizations
  • Ping Identity is providing software for
    authenticating users with Managed Information
    Cards for WiFi access
  • Telus is hosting the wireless authenticator

19
Visiting user selects Corporate Managed Information Card
Wireless LAN configured to use Authenticating Web Server and APs
Shared Authenticating Web Server (RP)
Corporate AD Authoritative Party (AP)
Internet
20
BC Identity Management Forum: Pilot 2, Connected Workforce
  • Access to a shared collaboration site using
    Managed Information Cards
  • Microsoft is providing software so that pilot
    users from 5 orgs can access a SharePoint 2007
    collaboration site with Managed Information Cards
  • Telus is hosting the SharePoint site at their
    Calgary data centre.

21
User selects Corporate Managed Information Card
Internet
Collaboration Site SharePoint Web Server (RP)
Corporate AD Authoritative Party (AP)
22
BC Identity Management Forum: Pilot 3, BCeID Business users
  • Issue Managed Information Cards to select
    business users.
  • CA is providing software to authenticate and
    authorize users based on claims in Managed
    Information Cards.
  • Microsoft software for Managed Information Cards
    for our business identity service www.bceid.ca
  • Access to SharePoint, Wireless, and a test web
    application.

23
https://www.bceid.ca Authoritative Party (AP)
Relying Party (RP)
Accepts managed cards
Issues managed cards
Verifies claims
Internet
sends managed card
BCeID Point of Service
Visits BCeID service counter
24
Claims: a need for information standards
  • personal identification claims
  • minimal disclosure claims
  • assurance level claims
  • business identity claims
  • claims about employees
  • claims about professionals
  • Individuals are the authority for some claims
    about themselves

25
Questions?