D5.5 IAM Reference Component Library

Contributing Partners 

AIT, ATOS, FOKUS, TUG, SIC

Executive Summary 

This report documents the second-iteration implementation of the CREDENTIAL Wallet components. These components provide the core functionality that enables the integration of the pilot applications and, subsequently, the piloting phases. The implementation follows the functional design detailed in D5.1. We split the functionality into basic building blocks to achieve a modular and open architecture.
First, this deliverable provides an overview of the components and their most important interaction processes. Then, we go into further detail, where we define the architecture of the individual components, specify their APIs and describe the interactions between these components. By relying on open standards, we facilitate and simplify integration with existing solutions. In this report, we describe the implementation and interaction of three different component categories:

1) Identity Management:
• The Account Management Service enables users to register and manage their account.
• Through the Authentication Service, users can authenticate against a CREDENTIAL Wallet account.
• The Identity Provider allows external service providers to authenticate users and obtain attributes about them, given the user's consent.

2) Access Management:
• The Access Management Service evaluates the users' access policies to decide whether a requester should be granted access to data.
• The Request Permission Service makes it possible to request read or write access rights to the data stored in another user's account.
• The Re-Encryption Key Database stores the user-generated re-encryption keys, which enable the data sharing process and, in addition to the user's policy, represent the user's consent.
• The Access Control Filter intercepts incoming requests and enforces the authorization decision of the Access Management Service.

3) Further Services:
• Via the Notification Service, participants in the CREDENTIAL system can be reached asynchronously, such as through a push notification.
• The Data Management Service enables users to upload and organize their data, as well as share it with other parties.
• The Audit Service monitors access to the user's data; each component records its most important operations in log files.

The implementation described in this report represents the second-iteration implementation of the core components of the CREDENTIAL Wallet. While the focus lies on the identity and access management components, we also describe the additionally required services for storing and sharing data, as well as the communication systems. For these components, we provide component architectures and interface descriptions, as well as the interactions within and between components.