Identity Management and Provisioning

Introduction

For end-users, Buypass offers two main classes of eIDs:

  1. Open/general Security Domains (like https://buypassdev.atlassian.net/wiki/spaces/DEVSPACE/pages/672628737)

  2. Closed/enterprise Security Domains (eIDs schemes owned and controlled by an en enterprise)

The open/general class of eIDs are owned and managed by Buypass. The IDs are typically regulated and general in that any service provider may trust these IDs to identify and authenticate users towards their service. But, the service provider may not add any custom data, delete the account or or do any other form of identity management. Hence, the same eID may be used across several independent service providers.

The closed/enterprise class of eIDs are owned typically by some organisation or enterprise. This means that the policies defining the encompassing Security Domain is defined by the enterprise. For this class of eIDs, Buypass provides the service of implementing these policies. Note that these eIDs may still be required to be in accordance with regulations, and hence be certified to meet the specification of ex. eIDAS High or Substantial. The enterprise is free to define internal eIDs to be on a regulated level, even if the eID is not used outside of the organisation. However, a requirement to have an internal eID on a regulated level, will have consequences for the policies of the Security Domain and the processes around issuance, management and authentication related to these eIDs.

As the open/general class of eIDs are manage by Buypass, only the closed/enterprise class eIDs are relevant for management and provisioning from customers/third parties. In fact, for the closed/enterprise eIDs it is required that the enterprise control what end-users that should be included in the eID-scheme. This control is referred to as Cross-domain Identity Management.

Cross-domain Identity Management

Cross-domain Identity Management is done by doing “Provisioning actions” on users (and potentially related group information). The provisioning actions are described using the database operation acronym "CRUD": Create, Read, Update, and Delete. The four CRUD operations are the building blocks that combine to solve your end-to-end use cases.

Note that all operations are always done in context of one and only one closed/enterprise Security Domain and eID scheme.

Create

This operation creates new users (and or groups) in the particular eID scheme user directory (implemented by Buypass). The creation should based on the enterprise/organisation own internal domain (user directory). The creation of the a user enters the user in the eID scheme. Depending on the Security Domain and policies Buypass will initiate/allow id-proofing processes and authenticator issuance making the user ready for https://buypassdev.atlassian.net/wiki/spaces/DEVSPACE/pages/672825345.

Read

Information about the end-user (and potentially group) resources can be queried from enterprise/organisation IAM systems or applications to match against existing resources, or to import them if the resources don't already exist. The operation may also be used to monitor dynamic attributes set by Buypass services on the end-user objects (ex. last login).

This operation will also return end-user data enriched by Buypass services (ex. data from the National Population Register) if such services are in enabled.

Update

This operation will enable the enterprise/organisation IAM systems or applications to change or update user (and group) attributes relevant in the eID scheme user directory (implemented by Buypass).

Delete

This operation is basically a “deprovision”, that is total removal of the user in the eID scheme user directory (implemented by Buypass).

Attributes and data

As a principle, Buypass aim to store a minimum of data associated to a user. Hence the provision service (and associated OIDC https://buypassdev.atlassian.net/wiki/spaces/DEVSPACE/pages/672399455 services) will only accept, store and return data identified to be necessary in the current eID scheme. Unapproved data sent in “Create” or “Update” operations will be ignored.

API protocol and data model

For identity management and Provisioning, Buypass offer the SCIM 2.0 protocol for integration. SCIM, or the System for Cross-domain Identity Management specification, is an open standard designed to manage user identity information. SCIM provides a defined schema for representing users and groups, and a RESTful API to run CRUD operations on those user and group resources.

The SCIM 2.0 specification defines the technical implementation of the CRUD provisioning operations described above, as-well as a basic general core json-based data model (schema). In addition the protocol describe how to do extensions to the protocol. These properties creates a good foundation for cross domain system integration (enabling use of both custom and 3rd party of-the-shelf systems, and at the same time enabling support for custom data attributes). See for documentation on the extensions used by Buypass.

SCIM vs OpenID Connect

As the figure below shows, SCIM attributes and OpenID Connect claims are very much compatible. In Addition both protocols are based on the same philosophy of simple REST-based APIs. In addition, the authentication scheme of SCIM is fully compatible with both OpenID Connect and OAuth2 (see).

 

SCIM client

A SCIM client can can be implemented in many different form, context and systems. From standardised enterprise IAM/IDM-systems, responsible for cross domain identity management, to custom simple self-service or user management applications.

This also means that SCIM clients can act on behalf of themselves, an administrator or even an end-user.

In any case Buypass as SCIM service provider will map the authenticated client to an access control policy for the Security Domain in order to determine the client's authorization to retrieve and update SCIM resources.

There are a number of open source libraries to jump start development and testing frameworks to ensure that implementations are SCIM compliant.

Contents