The demise of the Id Card Project in 2010 has not removed the growing need for trusted e-Identities (e-Ids) to give access to public sector services. The State benefits from lower administration costs and reduced fraud; citizens benefit from a much simpler and faster application process for services. Far fewer errors will be propagated. The Cabinet Office solution is to encourage a market for Identity Provider (IdP) services from any number of accredited suppliers, many of whom should be from the private sector. Public Service Providers (PSPs) will trust the e-Ids from any such IdP. Their architecture diagram below has been largely unchanged for more than a year.
Between the IdP and the PSP is the managed “Hub”. This posting raises a fundamental question about why it is necessary. There are already well-established standards that control the governance requirements for federations of IdPs and PSPs. One is the OIX model.
This standard does not have a central hub. It has rules for level of assurance and protection. It is supported by many international IdPs such as Google, Facebook and Microsoft. Public service organisations could act as both IdPs and relying parties.
The UK education sector uses a similar model for simplified sign-on to multiple services. Commonly known as Shibboleth, it is governed by the rules of the UK Federation. It has an architecture that is scalable to millions of users without the need for a hub; see http://www.ukfederation.org.uk/. It is a governance issue: you either trust other members of a Federation, or you don’t. What are the problems of using such a federation architecture?
