All-In-One for strong electronic identification in eServices
IDMIG is software installed on the eService provider's system. It takes responsibility for all technical interface details and protocols, and for managing the identification service or broker agreement accounts and keys. The application producing the service for the end user no longer needs to know which identification methods are available or which interface protocols should be used.
- IDMIG can be set up to work with any (or several) service providers offering identification brokerage or direct identification.
- Identification transactions can be routed transparently, allowing the broker service or direct per-bank connections to be switched quickly by configuration changes only. This approach allows full independence and flexibility in the selection of service provider.
- New applications no longer require implementation of identification transactions based on identification protocols and associated programming language libraries. Identification data of the end user is received directly as call parameters to the application.
- All the settings related to the identification service broker agreements are centralized in one point and multiple service applications can take advantage of the same IDMIG instance. The applications do not need to be aware of the agreement accounts and keys at all.
- Should the interface protocols used in the Trust Network change in the future, whether because of tightened security requirements or a vulnerability found in the current mechanisms, the change requires only an update of the IDMIG software version. The service application can continue without any changes.
TUPAS transition quickly and without any changes to the existing applications
The vast majority of current eServices utilizing strong electronic identification are based on the TUPAS protocol. This old communication convention is no longer compliant with the new European Union regulations and legislation. After the final deadline of 30th September 2019 set by the Finnish Transport and Communications Agency Traficom, TUPAS is no longer allowed to be used for strong e-identification. IDMIG allows transition to the new secure identification protocols (OIDC, SAML) in hours, without any need to modify the existing TUPAS-based applications, or even to learn the new conventions.
- In the company internal network IDMIG is placed in front of the service application system, passing through the network traffic targeted at the eService. This allows it to convert target URLs and interface protocols on the fly while the application is being used, while keeping everything unchanged from the point of view of the service application.
- The current bank-specific TUPAS customer IDs and security keys are configured in IDMIG, together with the account information and keys for the new identification protocols (OpenID Connect, SAML) for the selected identification broker service, or several of them.
- In the identification broker service the identification request can be forwarded directly to the chosen identification method. This allows the end user experience to remain unchanged, even though the underlying technology changes completely.
- In the company network IDMIG is located in a segment where the network traffic between it and the system executing the eService application takes place in the internal or otherwise secured network only, or even locally inside a single server. This approach is compliant with the new Traficom requirements, as well as the European Union eIDAS regulation, since the old TUPAS protocol remains in internal use only.
Both existing and new eService applications are connected to the identification broker services, or directly to identification services, via IDMIG configuration settings. Identification transactions can be rerouted from one provider to another by a simple settings change. The agreement configuration and accounts of several different eServices can be managed from a single interface, and transaction statistics and recorded logs can be browsed there as well.
- IDMIG can be installed on Linux platforms as well as on Microsoft Windows, either on its own physical or virtual machine or on the same server as the actual eService application. The only constraint is that the network traffic between the IDMIG system and the service application must take place in the company's private network, or over a connection with an equivalent level of security (VPN bridging).
- System requirements depend on the required network traffic throughput. In practice even a base-level Linux virtual machine with one CPU and 2 GB RAM is able to handle quite an extensive transaction load towards the service application.
- Multiple IDMIG instances may be set up to raise fault tolerance and also to implement load sharing.
We are happy to tell you more about this solution.
Tel. +358 50 431 2611
jarmo.haara@identer.fi