The Pensions Dashboard project is an important and exciting initiative for the UK consumer with an immense social purpose. It has the potential to significantly improve retirement planning, financial inclusion and consumer engagement with the pensions industry. Origo is working with ForgeRock and the wider industry to bring an enabling infrastructure to market. The solution will securely identify the consumer before orchestrating a search of pensions across the industry. Today we will provide a tour of the project to date. We’ll cover the architecture for identity, attribute exchange and resource sharing, bringing this to life with a demonstration.
Identity Live London 2017 | Kenneth May
1. Data Classification: Public – The information contained in this document is intended for public use.
What have I got and where is it?
Identity, Attributes and UMA for a Pensions Dashboard
Kenneth May, Lead Architect, Origo
October 2017
2. Why the Pensions Dashboard?
• 11 pension pots during an average career (DWP)
• Auto-enrolment: millions of new pension savers
• Very time-consuming to obtain a pensions overview
• Lost pots, unclaimed pension savings, dormant assets
• Complex landscape
• Freedom and choice: consumer expectation of control
• Consumer expectations rising given online experiences elsewhere
• Increasing longevity but decline of DB pensions in the private sector makes better awareness of retirement preparation key
4. About Origo
• Origo is a not-for-profit FinTech company dedicated to the Financial Services industry
• Since 1989, Origo has been bringing the industry together to solve common operational problems that cannot be addressed in isolation
• We provide operating efficiencies, lowering costs for market participants and improving outcomes for consumers
• Collaboration is at the core of what we do
• We're owned by UK financial services groups and provide the essential services that the industry needs
5. Project Background
Timeline figure of Dashboard-related projects: R&D; Pension Register Service; OIX Pension Finder Alpha; Creating a Pensions Dashboard; HMT/ABI Pensions Dashboard Prototype Project; OIX Project: Digital ID for Pension Dashboards; Origo PFS Phase 2
• Origo has contributed significant knowledge and resource to all Dashboard-related collaborative projects
6. Project Background: Origo and ForgeRock
Figure listing the projects: HMT/ABI Pensions Dashboard Prototype Project; OIX Project: Digital ID for Pension Dashboards; Origo PFS Phase 2
7. HMT/ABI Pensions Dashboard Prototype Project
8. HMT/ABI Prototype: Components
Component diagram: Consumer, using either a smart phone with the Dashboard native app or a browser with the Dashboard site; Pension Finder Service; Integration Service Provider 1 … Integration Service Provider n; Pension Provider 1 … Pension Provider n; Digital Identity Provider(s)
9. HMT/ABI Prototype: Integrations
Integration diagram: Identity Hub; Identity Providers (operated by IDEMIA, Safran / OT-Morpho); Access Management and Gateway; Business Layer / API-led connectivity; Pension Finder Service; ISPs; Providers
11. OIX Project & White Paper: Digital ID for Pensions Dashboards
12. OIX: Digital ID for Pensions Dashboards – Hypothesis
“To test how digital identities, which have been certified against Government standards, can be used to release attributes from public and private sector sources. For this project we will be using pensions data where the user and their consent is at the heart of the process”
http://oixuk.org/blog/2017/06/25/digital-id-for-pensions-dashboard/
13. OIX: Digital ID for Pensions Dashboards – Drivers
• To access state pension, must be authenticated to LOA2 (as defined by UK Government)
  • This implies GOV.UK Verify (or private sector equivalent)
• Granular, revocable, time-bound consent driven access to state pension data
  • This aligns well with UMA
• Simple approach to finding private pension data
• Consistent approach to providing access to state and private pension data
  • This implies same UMA approach for private pensions
14. OIX: Digital ID for Pensions Dashboards – Positioning User Managed Access (UMA)
• UMA is a protocol based on OAuth2 open standards for consumer authorisation
• UMA 1.0 approved in 2015 – implementations are emerging
• Origo’s Pension Finder Service (PFS) is a good reference implementation using ForgeRock technology
• The standards fit well with EU General Data Protection Reforms, in particular the new “Transparency and Consent” requirements
• Consumers will be able to see information on where their data is being shared and control the consent processes
15. OIX: Digital ID for Pensions Dashboards – Introducing ‘Alice’
Diagram: the PFS (Pension Finder Service) is the Authorisation Server; the Provider/ISP Gateway is a Resource Server, where “small alice @ Provider” uses the existing customer portal login (<LOA2); the State Pension API Gateway is a Resource Server fronting the CHECK YOUR STATE PENSION API (via a DWP or HMRC API Gateway), where “BIG ALICE @ Verify” is identified at LOA2
16. OIX: Digital ID for Pensions Dashboards – UMA Scenario for PFS
1. For a consumer pensions dashboard (client), alice is requesting party and Alice* is resource owner (*Alice@LOA2)
2. For an adviser client management system, an IFA Bob is requesting party
3. Client: consumer pensions dashboard, adviser client management system (or any approved FinTech software)
4. Within an Attribute Exchange Hub (Pension Finder Service, PFS/AXH) – controls access to resources and federated authorisation for resource servers: “Can I allow this requesting party at this client access to this resource?”
5. ISP or Pension Provider registers resources for protection at the authorisation server. Unique ID used for accessing resource. Resource (data) is always held at the resource server (data controller).
17. OIX: Digital ID for Pensions Dashboards – Outcomes
• It is technically feasible to implement a private sector Verify Identity Hub that integrates with existing GOV.UK Verify Identity Providers
• A target architecture has been defined with three key parts
• A draft profile for an open standard based on UMA has been developed that meets the DWP indicative requirements for the release of State Pension data attributes
18. OIX: Digital ID for Pensions Dashboards – Benefits for launch
• A DWP and GDS approved design for secure access to State Pension data
• Encourages adoption of private sector Verify at LOA2
  • LOA2 is stronger than most identities in private sector IT environments
• Potential for Providers to retain existing ID&V investment and optimise user experience for security interactions with private sector Verify
• Potential for simplified legal and regulatory framework
• Aligns well with the new EU General Data Protection Regulation (GDPR)
  • Consumer can control and monitor who sees their data from a central console
• Uses open standards (UMA is based on OAuth2)
• No technical barriers, other than development effort, to FinTech sector adoption
20. Demonstration: Origo PFS Phase 2
• HMT/ABI project has proven the basic architectural integration points
• The OIX Project set the direction for target state architecture
• Origo has worked on key topics and design principles for a target architecture that we believe will be crucial to 2019 success
  • Overall security architecture (aligning with OIX project outputs)
  • Governance features of the PFS
  • Performance design taking into account Privacy By Design
  • Consent processes
  • Systems Management APIs e.g. logging features
  • Design optimisation for scalability at PFS, Dashboards, ISPs and PPs
21. Demonstration: Origo PFS Phase 2
• Enhancing the Pension Finder Service to support Delegated Authority, an Attribute Exchange Hub (AXH) and further advanced features
Architecture diagram: Consumer (resource owner Alice, Alice@LoA2); Browser Dashboard Client (alice as requesting party); Digital Identity Providers via private sector Identity Hub; Origo AXH (incl. PFS) containing the Authorisation Server (AS-PFS), PFS Profiles and the Find API; Origo ISP resource server (RS-ISP1); Origo Data Aggregation for Pension Providers OR real-time integration. Flows shown: A. First-time search or refresh; B. Subsequent direct request to resource
22. Demonstration: UMA Demonstration Scenario 1 – Consumer dashboard
Flow: Consumer uses Pensions Dashboard → Dashboard invokes Find at PFS → PFS requires identity assertion at LoA2 → PFS orchestrates Finds across ISPs/PPs → Register resources at Authorisation Server → Return resource locations to Dashboard → Dashboard requests access to resources → Resources (pensions) returned to dashboard → Consumer controls access to resources for 3rd parties
23. Demonstration: UMA Demonstration Scenario 2 – Consumer shares access
Flow: Consumer decides to delegate access → Consumer selects Adviser → Consent stored at Authorisation Server → Consent policy sets access rights → Adviser receives notification of pension shared (URI) → Adviser Software stores the URI → Adviser can access pension
24. Demonstration: UMA Demonstration Scenario 3 – Access by Adviser
Flow: Adviser Software tries to access pension → The PFS requires Adviser is authenticated at Unipass → PFS seeks identity assertion from Unipass → Unipass assertion with Adviser attributes → Attributes & consent policy checked → Adviser Software is given token → Adviser Software uses token to access resource → Resource server checks token is valid with the PFS-AS → Resource (pension) is supplied to the Adviser Software
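The three demonstration scenarios reduced to code, as an added illustration that is not Origo's PFS or ForgeRock's implementation: the resource server registers a pension at the authorisation server (scenario 1), the owner stores a revocable, time-bound consent policy for an adviser (scenario 2), and the adviser's token is introspected on every access (scenario 3). Names such as alice and bob, the pension record, and the assumption that Unipass/Verify authentication has already produced the requesting party's identity are all constructed.

```python
import secrets, time
# Added example (not Origo's PFS or ForgeRock code): a minimal UMA-style flow of
# resource registration, consent policy, token issue and token introspection.
class AuthorizationServer:  # AS-PFS role: registrations, consent policies, tokens
    def __init__(self):
        self.resources = {}  # resource_id -> owner
        self.policies = {}   # (resource_id, requesting_party) -> (scopes, expiry)
        self.tokens = {}     # token -> (resource_id, requesting_party, scopes)

    def register_resource(self, owner):
        rid = secrets.token_hex(8)  # unique ID; the data itself stays at the RS
        self.resources[rid] = owner
        return rid

    def _policy_ok(self, rid, party, scopes):  # live policy covering every scope?
        policy = self.policies.get((rid, party))
        return bool(policy) and policy[1] > time.time() and set(scopes) <= policy[0]

    def set_policy(self, owner, rid, party, scopes, ttl_seconds):
        if self.resources.get(rid) != owner:  # only the resource owner may consent
            raise PermissionError("not the resource owner")
        self.policies[(rid, party)] = (set(scopes), time.time() + ttl_seconds)

    def revoke_policy(self, owner, rid, party):  # reuses the owner check above
        self.set_policy(owner, rid, party, (), 0)  # empty, already-expired policy

    def request_token(self, rid, party, scopes):  # party = identity the IdP asserted
        if self._policy_ok(rid, party, scopes):
            token = secrets.token_urlsafe(16)
            self.tokens[token] = (rid, party, set(scopes))
            return token

    def introspect(self, token):  # RS calls this per access, so revocation bites at once
        entry = self.tokens.get(token)
        if entry and self._policy_ok(*entry):
            return {"resource_id": entry[0], "party": entry[1], "scopes": entry[2]}

class ResourceServer:  # ISP / pension provider role: holds the pension records
    def __init__(self, auth_server):
        self.auth, self.records = auth_server, {}

    def protect(self, owner, record):
        rid = self.auth.register_resource(owner)
        self.records[rid] = record
        return rid

    def read(self, rid, token):
        info = self.auth.introspect(token)
        if info and info["resource_id"] == rid and "read" in info["scopes"]:
            return self.records[rid]
```

Because the resource server asks the authorisation server about the token on every read, revoking the consent policy locks out an adviser who still holds a previously issued token.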
25. Summary / Next steps
26. Summary: Pensions Dashboard – we’re ready for a 2019 launch…
• The prototype was successfully delivered in March. Origo’s Phase 2 completed in October.
• UMA Profile developed by DWP and refined via OIX workshops. Now implemented
• ABI managed Project Group has set out its recommendations
• Origo stands ready to deliver for a full launch and has worked with ForgeRock and other partners to show that:
  • The technology is no barrier!
  • The Conceptual Architecture is feasible – Origo’s PFS is already integrated with multiple Dashboards, Adviser Software Systems, Integration Services Providers and Pensions Providers
27. Summary: Working with ForgeRock and UMA
• Pensions Dashboard is a valuable case study. As a relatively early adopter…
  • Excellent support from ForgeRock
  • UMA hard to grasp initially but becomes easier
  • Hard to demonstrate technical aspects to a business audience
    • Building a clear case for investment takes care and time
  • OOTB Authorisation Server UI requires customisation for real-world use cases
  • ForgeRock Access Management has been great for supporting SSO federation
• Product suggestions
  • Consider 2 versions of OOTB Authorisation Server UI:
    • A ‘lite’ version that focuses only on sharing process would align better with POCs
    • The full version is for admins and of limited use to non-expert consumers
  • Comprehensive tooling to support development life cycle (e.g. purge of registered resources)
  • Customisations (e.g. end points for Identity Gateway as resource server) should be productionised
28. Thank you
For more information…
Kenneth May – Kenneth.May@origo.com
0131 451 5181
www.origo.com