With the uptake of eGovernment services, applications and information have become highly accessible and available. However, not all information should be freely accessible, and proper access control should be put in place especially when it concerns highly confidential information managed by the government. This can be achieved by managing access and this preferably without compromising the efficiency of access receiving for legitimate requests.
The solution of the Flemish government offers safety and efficiency for identity and access management. The mission of the identity- and access management solution is to:
- Offer a central solution for identity- and access management
- Be reliable in every sense: availability, security, accuracy and quality
- Have a low-threshold for end users by being user friendly, client oriented and transparent.
- Be efficient: enable a quick, smooth and inexpensive integration and offer central management for exploitation
- Be current: continuously evolving and following market developments
- Offer support for integration, transition, exploitation, mature product development, product organization, etc.
The vision of the identity- and access management solution:
- 1 solution to manage identities and access
- Intended for every application in Flanders (local and regional) for the support of services of general interest in a G2C, G2G and G2B context
- Active partnership (within Flanders, Belgium and Europe)
- Take on a leading role for the customers
The solution addresses two aspects:
- It offers a single portal for granting access to users (identity management or IDM) and
- offers a single portal for users to get access (access control management or ACM) to online (Flemish) government applications. All this is done in cooperation with other federal government entities in order to reuse existing platforms (e.g. Federal Authentication Service), information and authentic sources. Every entity of the Flemish government, local authorities and provincial authorities can use this solution.
Features
As mentioned, the solution focuses on 2 aspects:
1. Identity management (IDM):
The central system of the Flemish government that is used to grant access to target applications by allocating user rights.
Functions of identity management:
- Requesting access (done by users)
- Approving access requests (done by admins)
- Managing organisations, identities, work relations and user rights for users of target applications
- Delegated management as a basic principle: identities are managed by the client organization itself, using their own processes.
- Retrieving information of users from different sources
- Provisioning information of users to different target systems
- Configuration of user rights and work streams
2. Access management (ACM)
The central system of the Flemish government that is used to obtain access to target applications. ACM will guard the access to a target application and functions as a front door when users want to access applications.
Functions of access management:
- Identification and authentication of users
- Oblige users to choose a digital identity
- Coarse grained access to target application
- Deliver attributes of digital identities to target applications
- Supports several user target groups context based authentication
- Provides Single Sign on, even with Federal Government applications
- Federated identity provider"
Technology
WebIDM: is a custom component, used by Local Admins to assign user rights of an application to users. WebIDM provisions user rights of users of accessible target groups to multiple user repositories. More specific, WebIDM encompasses following functionalities:
- Registration and management of identities
- Management of work relations
- Management of user rights
- IDM delegation
ForgeRock OpenIDM: the open source OpenIDM component retrieves information of WebIDM and passes this on via specific connectors to relevant user repositories, e.g. a central Identity Database (IDD) or databases of clients that require certain information to be stored locally.
ForgeRock OpenDJ: This open source component is the main target user repository for IDM and is used by ACM to find out if a user has a role assigned that grants him/her access to a certain application. It is the link between user management and access management.
Activiti: This open source component delivers workflow services to the IDM solution.
Identity Database (IDD): The identity database is an OpenDJ LDAP database from which ACM extracts information about the user.
ACM 3+: The ACM platform authenticates the users and takes authorization decisions to decide whether or not a user can use the application. This happens either via the SAML 2.0 federation protocol via a redirect from the application to the latest version of access management or by securing the web application with an ACM reverse proxy.
For access management there is a focus on future-oriented support for authentication (federation) and new technological evolutions such as mobile authentication.
For identity management, the custom components are built as generically as possible, which means alternative, newer and better technologies can easily be put in place when necessary.
Interfaces between the IDM components were specifically designed to facilitate operational support and root cause analysis in case of incidents or events.
Cooperation
The solution is built in cooperation with external subject matter and product experts. External expertise helps the Flemish Government to stay up to date with the latest trends and evolutions in the market, drives a future oriented approach and helps establish roadmaps that tackle the gap between current and target state.
The solution provides standard onboarding capabilities & processes for application integration, but aims to provide an answer to all client specific requirements in function of the budget the client can allocate to accommodate the change. New functionalities might be developed in a co-finance setup. While doing this, the importance of identity management being of service to users and other clients is taken into account. The Flemish government continuously aims for user-friendliness and uniformity.
The solution reuses the following existing standards:
- SAML 2.0 federation standard
- NIST standards and eIDAS criteria for trust evaluation
- OpenID Connect (in development)
The solution reuses the following authentic sources:
- For the Flemish government: Vlimpers (HR) , Wegwijs
- For legal persons not from the Flemish government: VKBO, VKBP
The benefits of the solution also support the view of ‘Vlaanderen Radicaal Digitaal’. This project, initiated by the Flemish government, aims to make the digital communication between citizens/enterprises and government easier and more understandable. Several principles are defined to achieve this goal and the solution of the Flemish supports these principles.