My earlier blog post on proxy/broker/hub/exchange architecture introduced two deployment patterns which I called unified proxy and split proxy. This blog post explores the capabilities that could be implemented by the attribute validation component of a split proxy architecture.
I am becoming more and more convinced that a unified proxy implementation that combines both authentication and attribute validation into a single physical instance limits architectural flexibility and increases privacy and operational burdens.
I won't focus here on the authentication proxy component, but will simply point you to the Government of Canada's SecureKey Concierge Credential Broker Service as an example of a successful, large scale, public sector implementation of a pure authentication proxy. Mike Waddingham has a screen-by-screen walk-through of how it works for our northern neighbors.
At its core, the attribute validation proxy is all about the specialized brokering of attributes from sources that are external AND internal to the RP's trust domain. It must also be interoperable with other attribute brokers (e.g. ID DataWeb Attribute Exchange Network) that exist.
The following are some of the "questions" that I would expect a public sector attribute validation proxy to be able to answer:
- Here is an identifier; send the previously agreed upon verified attribute bundle that enables identity resolution for the individual associated with that identifier
- Here is a self-asserted attribute bundle; verify and validate it
- Here is a self-asserted attribute bundle; return a MATCH/NO-MATCH on a per attribute basis
- Here is an identifier and a policy URI; Use the policy URI to look up previously agreed upon actions that need to performed (e.g. retrieve verified attributes 1,2,3, do policy evaluation X, use answer format Y) and provide the answer such that it does not reveal anything sensitive about the individual associated with the identifier
What other questions would you want an attribute validation proxy to answer?
- Proxy Architecture
- SecureKey Concierge – Credential Broker Service
- Mike Waddingham: Service Canada and SecureKey Concierge screen-by-screen walk-through
- Identity Establishment, Verification and Validation
- ID DataWeb Attribute Exchange Network (AXN)
Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.