Scottish Government – Identity Alpha

The Client

Digital Identity Scotland Programme Board oversees the programme governance for the delivery of the Scottish Government Online Identity Assurance Programme Plan, which sets out the actions to deliver the Scottish Government Digital Strategy commitment to work with stakeholders, privacy interests and members of the public to develop a robust, secure and trustworthy mechanism by which an individual member of the public can demonstrate their identity online (to access public sector digital services).

The Scottish Government Digital Identity Scotland Programme Board has the remit to deliver:

“A robust, secure and trustworthy mechanism by which an individual member of the public can demonstrate their identity online”

In support of this aim, Scottish Government engaged several partners to deliver PoC (Proof of Concept) digital identity functionality to enable assessment of modern technologies vis-à-vis their suitability for deployment at scale, across public services and for all citizens of Scotland.

The Challenge

From a citizen’s perspective, being able to utilise an existing digital identity to conduct their business in a digital world is very important. A digital identity makes the individual more productive online allowing both control over who receives their personal data in addition to making the provision of their personal data to a service much more effective and secure.

In parallel, service providers, such as Social Security Scotland, need to have confidence in the identity of the citizen accessing their services balanced with a seamless and productive user experience.

Service providers need to able to efficiently onboard to an identity assurance service with a single technical connection giving access to multiple identity providers (IdPs) and receiving responses from identity providers converted into a standard format for easy consumption.

The Solution

Condatis led the delivery of the underlying digital identity platform – an integration layer that enables rapid and straightforward “wiring-up” of digital services with identity providers and thereby providing service access to citizens.

The integration layer demonstrates how citizens can assert their identity to Scottish Government and Local Authority Services using a digital identity created through their Identity Provider.

As a straw man, Condatis identified six types of user journey for consideration as part of the POC, including two where a citizen initially uses a social media identity (Facebook, Google, Microsoft) to access digital government services. For the POC, the social media digital identities would be uplifted to establish a higher level of assurance by using a manual Vouching service, whereby the citizen elects to attend a physical location to present physical identity evidence.

Condatis’ PoC actually demonstrated the following use-cases:

• User signs-in to North Lanarkshire demonstration application with their myaccount identity
• User signs-in to North Lanarkshire demonstration application with their Post Office identity
• User signs-in to Social Security demonstration application with their myaccount identity
• User signs-in to Condatis third party test harness with their myaccount identity
• User sign-in to Condatis third party test harness with their Post Office identity

Achievement of these use-cases also showing:

• Ease of integration and interoperability with digital public services (relying party applications):
  • Scottish Social Security
  • North Lanarkshire Council

• Ease of integration and interoperability with digital identity providers:
  • myaccount
  • Post Office

• Suitability of Microsoft Azure cloud technology, demonstrating:
  • Value for money
  • Ease of set-up and configuration
  • Security and resilience
  • Ability to scale

Based upon the output from the Discovery project, Condatis proposed to create a series of authentication journeys on Microsoft Azure’s AD B2C cloud identity service.

The Benefits

Through the identity capacity of Microsoft Azure AD B2C:

• Users can take advantage of the ability to ‘Bring Your Own Identity’, whereby an existing digital identity can be used to allow the user to assert their identity to Scottish Government.
• Users can be provided with a ‘Scottish Government Digital Identity’, whereby the user chooses to uplift their social media identity and create a new account appropriate to the required level of assurance.
• Users can uplift their level of assurance by utilising a Vouching service, where a user presents physical evidence in a face-to-face appointment with a government official.
• Users can use the uplifted level of assurance to satisfy the service providers requirements as the Relying Party (RP).
• The Scottish Government would support the provision of attributes to the RP with the user’s express consent where these attributes could be source from the use’s IDP, personal data store or other third-party sources.

The full findings of the Alpha project were captured in an OIX whitepaper titled “Scottish Government DIS (OIA) – Sitekit Proof of Concept” authored by Jim Lound, Identity Product Owner at Condatis.