D5.3 IAM Early Prototype Library

Contributing Partners

AIT, ATOS, FOKUS, TUG, SIC

Executive Summary

This report documents the first-iteration implementation of the CREDENTIAL Wallet components. These components provide the core functionality that enables the integration of the pilot applications and, subsequently, the piloting phases. The implementation follows the functional design detailed in D5.1. We split the functionality into basic building blocks to achieve a modular and open architecture.
First, this deliverable provides an overview of the components and their most important interaction processes. Then, we go into further detail: we define the architecture of the individual components, specify their APIs and describe the interactions between these components. By relying on open standards, we facilitate and simplify integration with existing solutions. In this report, we describe the implementation and interaction of three different component categories:
1) Identity Management:

* The Account Management Service enables users to register and manage their account.
* Through the Authentication Service, users can authenticate to a CREDENTIAL Wallet account.
* The Identity Provider allows external service providers to authenticate users and obtain attributes about them, given the user's consent.

2) Access Management:

* The Request Permission Service makes it possible to request read or write access rights to the data stored in another user's account.
* The Re-Encryption Key Database stores the user-generated re-encryption keys, which enable the data sharing process and – in addition to the user's policy – represent the user's consent.
* The Access Management Service evaluates these policies to decide whether a requester should be granted access to data.
* The Access Control Filter intercepts incoming requests and enforces the authorization decision of the Access Management Service.
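To make the interplay of the three access management components above concrete, here is an added illustrative model (not CREDENTIAL project code): a request for another user's data is granted only when the owner's policy permits the requested action and a re-encryption key for that requester and data item exists in the key database. Class, attribute and account names are assumptions made for the illustration.

```python
# Added illustrative model, not CREDENTIAL project code: all names are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

Triple = Tuple[str, str, str]  # (owner, requester, data_id)

@dataclass(frozen=True)
class AccessRequest:
    requester: str  # authenticated account asking for access
    owner: str      # account whose data is requested
    data_id: str    # identifier of the stored (encrypted) data item
    action: str     # "read" or "write"

class ReEncryptionKeyDB:
    """Owner-generated re-encryption keys; a stored key is the owner's consent."""
    def __init__(self) -> None:
        self._keys: Set[Triple] = set()
    def store(self, owner: str, requester: str, data_id: str) -> None:
        self._keys.add((owner, requester, data_id))
    def has_key(self, owner: str, requester: str, data_id: str) -> bool:
        return (owner, requester, data_id) in self._keys

class AccessManagementService:
    """Policy and re-encryption key must both agree; anything unknown is denied."""
    def __init__(self, policy: Dict[Triple, FrozenSet[str]], rekeys: ReEncryptionKeyDB) -> None:
        self._policy, self._rekeys = policy, rekeys
    def decide(self, req: AccessRequest) -> bool:
        key = (req.owner, req.requester, req.data_id)
        if req.action not in self._policy.get(key, frozenset()):
            return False  # policy does not grant the action
        return self._rekeys.has_key(*key)  # consent must also be backed by a key

class AccessControlFilter:
    """Intercepts requests and enforces the decision before the backend runs."""
    def __init__(self, ams: AccessManagementService) -> None:
        self._ams = ams
    def handle(self, req: AccessRequest, backend: Callable[[AccessRequest], str]) -> str:
        return backend(req) if self._ams.decide(req) else "403 Forbidden"

def demo() -> Dict[str, str]:
    """Constructed scenario: alice owns doc1 and doc2 and shares with bob."""
    rekeys = ReEncryptionKeyDB()
    rekeys.store("alice", "bob", "doc1")  # key exists only for doc1
    policy = {("alice", "bob", "doc1"): frozenset({"read"}),
              ("alice", "bob", "doc2"): frozenset({"read"})}  # doc2: policy but no key
    acf = AccessControlFilter(AccessManagementService(policy, rekeys))
    backend = lambda r: f"200 {r.action} {r.data_id}"
    return {"doc1_read": acf.handle(AccessRequest("bob", "alice", "doc1", "read"), backend),
            "doc1_write": acf.handle(AccessRequest("bob", "alice", "doc1", "write"), backend),
            "doc2_read": acf.handle(AccessRequest("bob", "alice", "doc2", "read"), backend),
            "carol_read": acf.handle(AccessRequest("carol", "alice", "doc1", "read"), backend)}
```

Only the doc1 read by bob passes both checks; a missing key, an action the policy does not list, or an unknown requester each result in denial.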

3) Further Services:

* The Data Management Service enables users to upload and organize their data, as well as share it with other parties.
* Via the Notification Service, participants in the CREDENTIAL system can be reached asynchronously, for example through a push notification.

The implementation described in this report represents the foundation of the CREDENTIAL Wallet, upon which we will base further developments in the second iteration. These further developments will make the prototype services more stable and production-ready. Furthermore, we will integrate additional functionality inspired by the ongoing work on usability, privacy, and security mechanisms.