BCNET IDM Workshop – BC Provincial IDM Project

by | May 3, 2010

Peter Watkins

User Centric Claims-Based IDM is the direction of the BC Provincial Government IDM strategy and architecture

  • leverages SAML, WS-Federation 1.1 and a relying party service
  • the relying party does not get your userid and password, instead it expects a security token to prove that you are who you say you are
  • – the test relying party for BC provincial (currently BC Gov’t, Vancouver Coastal Health, Provincial Health Services Authority, Yukon, Nova Scotia, City of Nanaimo, City of Windsor)
  • security token – is an XML document signed by the government security certificate server
  • look at for standard XML and then had to create BC specific tags
  • leverage InfoCard technology to only show the list of organizations that the user is part of to help eliminate the organization logo sprawl
  • there is a trust and assurance model created by BC Government Office of CIO
  • look at Office of the CIO, BC Gov’t – Identity Management page – look at Education module
  • BCNet IDM Working group will coordinate a request to Peter W for getting to be a member and to test

So what?

  • scalable
  • open, standards based
  • supports trust

Concept for Government Services Cards

  • cardholder may have several cards
  • used for multiple programs and services
  • used for “in person” services
  • used as an authn credential for access to online services and information

Drivers for change: Citizens

  • this is driven by citizens and the gov’t is accountable to deliver better, more seamless services
  • making mistakes about identifying a person is a big deal and a problem that there is no recovery from
  • privacy is not something to be traded away for access by citizens to services and information
  • Peter used a prop – tin foil on his head “Tin Foil Hat Brigade” 🙂


  • Section 1 – Issuance of Gov’t Service Cards
    • use case : typical program enrolment and issuance of service card
    • need a heavy weight (in person) registration process to get citizen identity info
    • problem : how do we add other programs with the same card? Impractical to issue a card for each and every program
    • a national identity card and national id number is not a good way to go – that id gets embedded in every database you get services from
    • BC Gov’t will not create a universal id; instead they are doing the opposite: each system will keep its own id numbers (program specific identifiers)
    • the intersection point is the identity card – contains info for more than one program – the card has an IC Chip with an antenna
    • combine a smart card with an authentication credential service – for every program generate a unique card number so that one card id number cannot be used to link across programs (e.g. can’t link education services to health services) = contactless smart card (e.g. credit cards with chip and pin technology)
    • leverage hashing so that a program-specific card number cannot be reverse engineered to find out which card it came from
    • there is still an issue with linking cards to program identifiers – need to introduce a third party that hides the identity of the government program from the Authentication Credential Service = Anonymizing Authentication Service (use an encryption service to anonymize the service identifier)
    • analogy is the person using an agent at an auction (communication via the phone)
  • Section 2 – Use at Points of Service
    • point of service identity and status verification with proof of presence – need a card reader at the counter to get a security token from the card the person presents
    • authn and authz of service providers to systems – need an authority for registration administrators identity provider
  • Section 3 – Multi-program use
    • without exchanging information between programs
    • leveraging for additional programs/services
  • Section 4 – how to use this online
    • allows for a start with userid and password and then migrate to biometrics or contactless smartcard
    • can use an assurance model with levels of assurance – level 1 – no id, level 2 – userid/password, level 3 – security token
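The per-program card numbers and the anonymizing third party from Section 1, as an added illustration (not code from the talk or the BC project): each service holds its own keyed-hash key, the anonymizer turns the program name into an opaque handle, the credential service derives a card number from the card id and that handle, and a join of two program databases on their identifier columns finds nothing. Key values, the "PCN-" number format and the card ids are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo keys; in a deployment each service would hold its own key
# (e.g. in an HSM) and never share it with the other service.
ANONYMIZER_KEY = b"constructed-anonymizing-service-key"
CREDENTIAL_KEY = b"constructed-credential-service-key"


def anonymize_program(program_id: str) -> str:
    """Anonymizing Authentication Service: turns a program name into an opaque
    handle, so the credential service sees a handle but never the program."""
    return hmac.new(ANONYMIZER_KEY, program_id.encode(), hashlib.sha256).hexdigest()


def derive_program_card_number(card_id: str, opaque_program: str) -> str:
    """Authentication Credential Service: keyed hash of (card id, opaque program
    handle). Stable for the same card and program; without the key it cannot be
    reversed to the card id, and two programs' numbers have nothing in common."""
    message = card_id.encode() + b"|" + opaque_program.encode()
    digest = hmac.new(CREDENTIAL_KEY, message, hashlib.sha256).hexdigest()
    return "PCN-" + digest[:16]  # constructed 64-bit card-number format for the demo


def enrol(card_id: str, program_id: str) -> str:
    """Full enrolment path: the program asks the anonymizer, which asks the
    credential service on the program's behalf (the auction-agent analogy)."""
    return derive_program_card_number(card_id, anonymize_program(program_id))


def cross_program_join(records_a: dict, records_b: dict) -> set:
    """Someone holding both program databases tries to stitch them together on
    the identifier column; returns the identifiers present in both."""
    return set(records_a) & set(records_b)


if __name__ == "__main__":
    card = "BC-SERVICES-CARD-0001"  # constructed card id
    health = {enrol(card, "health"): {"name": "A. Citizen", "mrn": "H-42"}}
    education = {enrol(card, "education"): {"name": "A. Citizen", "pen": "E-17"}}
    assert enrol(card, "health") == enrol(card, "health")  # stable per program
    print("linkable rows:", cross_program_join(health, education))  # prints set()
```

The join is on identifier columns only; shared attributes such as the name are a separate linkage risk that the identifier scheme does not address, which is why the notes later stress scrubbing information out as you traverse systems.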

The end result of this approach is to silo services and information to ensure complete protection of privacy – card and cardholder are needed for any cross-connect.

Why is this an issue?

  • enhancing privacy = no universal identifier
  • no universal id = no, or uncertain, cross program identification
  • cross program identification is required when authorized
  • What do we do if the citizen shows up but does not have their card? Services still need to be delivered
  • use an anonymizer that holds ids from multiple systems
  • now need to introduce a session identifier – a one-time-use id – still not great in that the dbs between the systems can be attacked and data stitched together
  • so combine session one time id and encryption and security tokens for the government worker asking to get info from another system – allows a photo lookup to help verify identity of person showing up with no card (*me: I sure hope that photo database is highly secured!)

The approach is to scrub information out as you traverse systems and services and only show/provide the information that is required to access the service/information

Look at and – allows for long-lived security tokens which further eliminates the ability to gather server logs and stitch together your behaviour by your interaction with services

What is the future?  Having an open dialogue and discussion is essential – BCNet IDM Working Group will coordinate an approach for higher education in BC.

2 thoughts on “BCNET IDM Workshop – BC Provincial IDM Project”

  2. Todd

    With your requirements have you considered a STS inside of an XML Service Gateway? Intel has a security solution that handles complex STS transformations…see -specifically their data sheet
