REALME RE-PLATFORMING - AGENCY ENGAGEMENT PACK READINESS COMPONENT

Page created by Ricardo Rojas
 
RealMe® Re-Platforming
Agency Engagement Pack
Readiness Component

                                  Version 1.0 (FINAL)
                                         March 2021

                   UNCLASSIFIED
Revision History
Version   Date                   Description of changes
0.1       16 January 2020        Initial draft
0.2       17 January 2020        Added further architectural detail
0.3       27 January 2020        Added DIA feedback
0.4       29 January 2020        Initial agency feedback included
0.5       3 February 2020        Final draft for release to all agencies
0.6       16 April 2020          Updated to include revised schedule
0.7       25 September 2020      Added step to obtain Mutual SSL certificates for
                                 services using Artifact binding.
                                 Amended Assert then Login flow.
                                 Updated to reflect revised schedule.
0.8       18 December 2020       Updated dates.
                                 RSA Token amendment.
1.0       23 March 2021          Final, includes updated timeline with final dates.


                                   Table of Contents
1    BACKGROUND
     1.1    Benefits
       1.1.1       System wide
       1.1.2       Agency wide
2    PURPOSE
3    ROLES AND RESPONSIBILITIES
4    ENGAGEMENT PLAN
     4.1    Agency Engagement Timeline
5    PRE-REQUISITES
6    HIGH LEVEL OVERVIEW
     6.1    Who are UNIFY Solutions?
     6.2    Proposed Solution
     6.3    High Level Onboarding Process
       6.3.1       Login and Assertion Services
       6.3.2       iCMS/RCMS
       6.3.3       Help Desk
     6.4    RSA Tokens
7    APPENDIX ONE – ARCHITECTURE HIGH LEVEL OVERVIEW
8    APPENDIX TWO – HELPDESK ARCHITECTURE OVERVIEW

Readiness                                                     UNCLASSIFIED                                                        Page 3 of 13
1 Background
The authentication and identity verification service RealMe® was launched in 2013. RealMe is a
secure and privacy protected way for New Zealanders to access online services, prove their identity
and assert personal information online. RealMe provides two key services, the login service and the
identity verification, or assertion, service.
The login service is an authentication service that allows a returning customer to reuse their login
across multiple services. RealMe login currently provides access to 131 services from 40
organisations. Up to 2.5 million logins occur monthly and approximately 60-80% of logins are used to
access more than one service.
The RealMe Assertion service provides a person with an online identity, allowing them to prove
(with their consent) that they are who they say they are online. The pieces of information belonging
to a person are called attributes. Attributes are currently provided by the Department of Internal
Affairs Identity Verification Service (verified identity – name, date of birth, place of birth and gender)
and the New Zealand Post Address Verification Service (residential address). Providing the
verification services separately ensures that a person’s attributes are not stored within RealMe itself.
The RealMe Assertion service currently provides identity services to 17 public and private sector
clients. There are over 820,000 verified identities and the service undertakes over 30,000 successful
identity transactions per month.
The current RealMe platform is hosted ‘on premise’ and requires significant three-yearly capital
investment to upgrade expiring platform components. After consideration of the ongoing costs
required to maintain the current platform, the government and DIA’s strategic direction to consider
‘cloud first’ technology options and the potential benefits of a cloud based platform in terms of
faster development, improved security and reduced costs, DIA made a decision to move the RealMe
service to an offshore, cloud based platform.
DIA selected Microsoft Azure Active Directory B2C as the new platform. DIA has an existing
enterprise cloud services agreement with Microsoft, which includes its use of the Azure platform.
This agreement incorporates the standard Online Services Terms (which includes a separate Data
Protection Addendum) that apply to DIA’s use of Azure.
In late 2019 DIA underwent an RFP process to procure an implementation partner, and in December
2019 engaged Unify Solutions NZ Ltd (UNIFY) to carry out this transition, as well as provide ongoing
service support. The goal is to have RealMe moved to the new platform early in the second quarter
of 2021.

1.1 Benefits
The RealMe RePlatforming Project provides the following system and agency wide benefits:
1.1.1 System wide
    •   Significantly reduces operational and capex costs.
    •   Improved security and privacy capability.
    •   Fit for purpose / ability to enable future needs.

1.1.2 Agency wide
   •   Reduced effort to integrate / reduces complexity / costs.
   •   Enables better product development.
   •   Enables federated login.
   •   Easier to adopt attributes (e.g. citizenship Te Ara Manaki programme).
   •   With custom code (the current system) it is hard to make changes to meet agency
       requirements; the new system is more adaptable.
   •   Helpdesk
           o The new helpdesk will remove the need for staff tokens and management, as login
                will be federated with agency login.
           o Simpler / easier user interface.

2 Purpose
The purpose of the Agency Engagement Pack is to provide agencies with a good understanding of
the purpose, objective, approach, timelines, process and mechanism for integrating applications to
the new RealMe® platform.
The intended audience for this pack includes agency business owners, business analysts, developers
and vendor representatives.
This is the first of three artefacts which, together, form the Agency Engagement Pack:
 Artefact                               Contents
 Agency Readiness Pack (this            •    Solution Overview
 document)                              •    Roles and Responsibilities
                                        •    Pre-requisites
                                        •    Engagement Plan (high level)
 Agency Onboarding Pack                 •    Engagement Plan (revised)
                                        •    Configuration Items
                                        •    Integration and User Acceptance Testing
                                        •    Rollout across Higher Environments
 Service Management Pack                •    Service Transition
                                        •    Service Operation
                                        •    Frequently Asked Questions
A draft of this document was presented to the first RealMe RePlatforming workshop on 5 February
2020.

3 Roles and Responsibilities
The following roles and responsibilities regarding agency engagement have been defined:
 Responsible    Role
 DIA            •   Lead interactions with agencies
                •   Facilitate integration workshops
                •   Lead/manage the integration process in all environments
                •   Complete Certification and Assurance for the replatformed RealMe® service and
                    provide related documentation and guidance to agencies
                •   Complete a Privacy Impact Assessment and share relevant aspects with the agencies
                •   Complete Performance and Penetration Testing in the RealMe Integration Test
                    Environment (ITE) and share results with the agencies.
                •   Provide technical documentation, including the Solution Architecture Design
                    document, to the agencies
 UNIFY          •   Participate in agency workshops and follow up meetings as required
                •   Support DIA in delivering the processes to implement and test agency integrations
                •   Provide troubleshooting assistance and advice to support successful agency
                    integrations
 Agencies       •   Participate in integration workshops and follow up meetings as required
                •   Integration and Testing of applications using the RealMe ITE and, optionally, the
                    Message Testing Site (MTS) and Early Integration Test (EIT).
                •   Production implementation
                •   Complete any Certification and Assurance as required as assessed by your agency

4 Engagement Plan
DIA commenced formal engagement with the agencies in February 2020. Initial engagement was in
the form of two workshops as follows:
 Date                                  Purpose
 5 February 2020 (workshop #1)         Initiate discussions regarding the application onboarding
                                       exercise and walkthrough the first draft of the ‘Agency
                                       Readiness Pack’ (this document)
 19 February 2020 (workshop #2)        A follow up from Workshop #1 to provide an update on the
                                       action items and inputs from previous workshop, a
                                       walkthrough of the Engagement and an update on the
                                       timelines and overall engagement plan.
The final version of the Agency Engagement Pack will be issued in early January 2021 to coincide
with ITE Replatforming, however, there may be updates to these documents prior to this. Agencies
will be notified when significant updates are available, and these will be published on the RealMe®
Developer's Website.
For those agencies with more complex integrations, additional workshops may be required to ensure
all parties understand the changes required to support the replatformed RealMe service.
If you have any questions regarding any aspect of the Engagement Plan and/or the replatforming of
RealMe please email integrations@realme.govt.nz.
4.1 Agency Engagement Timeline
The following diagram and table depict a high-level view of the agency engagement timeline.
Agencies will be notified should there be any change to the timeline.

Key Agency Dates
 Date                                  Purpose
 25 September 2020                     Issue updated Agency Engagement Pack (including the Service
                                       Management Pack)
 16 October 2020                       Publish Security and Privacy information for agencies

    9 November 2020                       Early Integration Testing for complex agencies¹
    30 November 2020                      MTS build complete
    26 January 2021 to 26 March 2021      Agency Integration Testing (ITE) and drop in workshops
    1 March 2021                          Help Desk Material available
    25 March 2021                         Issue final Agency Engagement Pack
    25 March 2021                         Agency C&A Session with Quantum
    29 March 2021                         Production Onboarding Bundles published plus minor update to
                                          Onboarding Pack to provide reference to the new bundle.
    11 April 2021                         Agency Replatforming

5 Pre-requisites
In order to ensure production readiness, each agency must meet the following pre-requisites for
each of their respective applications.
    Completed       Description
           ☐        Confirm that RealMe® integration for your application is still required. If not, no
                    further integration steps are required, and your application will not be migrated to
                    the replatformed RealMe environment.
           ☐        Your application must be successfully integrated with the existing RealMe ITE
                    environment.
           ☐        Your agency must send at least one technical representative with RealMe
                    integration experience to the two RePlatforming workshops.
           ☐        Review and, where necessary, update information related to your application when
                    provided by DIA as follows:
                    • Key contact information.
                    • Details of RealMe services which are currently being consumed.
                    • SAML component used by your application, for further information refer to the
                        list of known RealMe SAML 2.0 components.
                    • EntityID(s) of the connected application environments in both ITE and
                        Production.
           ☐        Upon receipt of the Onboarding Pack:
                    • Perform tests to ensure that the new endpoints are accessible. If not, request
                        appropriate firewall change(s) and, once applied, retest.
                    • Integrate and successfully test application connectivity against the RePlatformed
                        Integration Testing Environment.
           ☐        For those agencies with integrations to the existing igovt Context Mapping Service
                    (iCMS), RealMe Context Mapping Service (RCMS), HelpDesk Web Application or
                    HelpDesk Web Service.
                    • Participate in additional workshops to understand the application changes which
                        are required to support the RePlatformed service(s).
                    • Amend your application(s) to consume the RePlatformed service(s).
                    • Regression test your application.

¹ Complex agencies are deemed to be those who have services which use the Assert then Login flow and/or
run their own RealMe Help Desk. This environment will not be available post go-live.

6 High Level Overview
6.1 Who are UNIFY Solutions?
UNIFY has extensive experience in developing Identity and Access Management solutions for
numerous customers across a wide range of industry sectors, including a significant number of
government agencies. Most importantly, UNIFY has considerable experience with the Azure AD B2C
platform that has been selected by DIA to underpin the re-platformed RealMe® service.

6.2 Proposed Solution
The RealMe Login Service and RealMe Assertion Service will be redeveloped using Microsoft Azure
AD B2C. The major solution components required to meet the functional and non-functional
requirements of the RealMe platform are listed below. Also refer to Appendix One – Architecture
High Level Overview on page 12 of this document for an overview diagram.
•      RealMe Login Service² – developed using Microsoft Azure AD Identity Experience Framework,
       SAML 2.0 and other Azure Services.
•      RealMe Assertion Service¹ – developed using Microsoft Azure AD Identity Experience
       Framework, SAML 2.0 and other Azure Services.
•      RealMe Context Mapping Service (RCMS) – developed using Azure AD B2C and Microsoft Azure
       Web API, Json Web Token (JWT) and other Azure Services.
•      Help Desk Web Application - highly scalable and highly available web application provided to the
       agency service desk users to support the users in managing RealMe credentials such as password
       reset, updating contact details etc.
•      Data Migration – all user records and three years of audit and event history will be migrated.
•      Disaster Recovery - Azure AD's geographically distributed architecture combines extensive
       monitoring, automated rerouting, failover, and recovery capabilities, which deliver company-
       wide availability and performance to customers.
If you require further detail regarding the solution, please contact business@realme.govt.nz.

6.3 High Level Onboarding Process
The replatformed ITE RealMe will be available to agencies in late January 2020 for integration
testing. This will run in parallel with the existing RealMe ITE. The existing RealMe ITE will be made
unavailable once the replatforming of RealMe is complete.
The Production go-live will be a ‘single’ cutover, i.e. the replatformed RealMe environment will be
stood up for services to integrate with during a specific change window and the existing RealMe
environment will be made unavailable. This approach has been determined to be the best option
primarily due to the sheer volume of data that needs to be migrated from one fundamentally
different system to another. Further information regarding the data migration process will be made
available on the RealMe Developer’s website in October 2020.
EIT will be available for complex agencies to perform early integration testing in early November
2020. Once initial integration testing in EIT has been completed successfully, optional ‘self-service’
integration to MTS will be available for all agencies (to be confirmed but likely to be late November).

² SAML bindings of POST and Artifact will continue to be supported.

6.3.1 Login and Assertion Services
The process for onboarding an application which uses either the Login Service or the Assertion
Service will require the application to update to a new Identity Provider (IdP) metadata file. This file
will contain a new certificate and new endpoints for RealMe services. Depending on their network
configuration, some agencies may also require amended firewall rules³ to allow their application to
access the new endpoints. Further information will be provided as part of the Agency Onboarding
Pack; however, the process will be very similar to the RealMe certificate renewal process (most
recently in 2019).
There will be no requirement to supply new Service Provider metadata files for the ITE and
Production environments as these will be migrated as part of the replatforming exercise.
Note: agencies integrating to the MTS and EIT environments will be expected to provide an
amended Service Provider metadata file using the template which will be included in the ‘RealMe
Replatforming Bundle’ for that environment.
Agencies who are using Artifact binding will be requested to supply their Mutual SSL certificates for
both the ITE and Production environments. This is because the current RealMe utilises the
certificate thumbprint only whereas the replatformed RealMe uses the entire certificate.
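
The metadata switch described in this section, as an added example that is not part of this pack or of any RealMe bundle: it compares an existing SAML 2.0 IdP metadata file with its replacement and lists the signing-certificate fingerprints to trust or retire and the host/port pairs to check against firewall rules. All hosts, entityIDs and certificate bytes below are constructed placeholders, and the function names are illustrative.

```python
"""Compare an old and a new SAML 2.0 IdP metadata file before switching over."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _sample(entity_id, host, cert_bytes):
    # Constructed sample metadata. The "certificate" is placeholder bytes,
    # NOT a real X.509 certificate; only its fingerprint is used below.
    cert = base64.b64encode(cert_bytes).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://{host}:8443/artifact"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{host}/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()


OLD_METADATA = _sample("https://idp-old.example.test/saml2",
                       "idp-old.example.test", b"constructed old signing cert")
NEW_METADATA = _sample("https://idp-new.example.test/saml2",
                       "idp-new.example.test", b"constructed new signing cert")


def parse_idp_metadata(raw: bytes) -> dict:
    """Return entityID, signing certs (keyed by SHA-256 fingerprint) and endpoints."""
    # Metadata should arrive over a trusted channel; even so, refuse DTDs so
    # entity-expansion tricks never reach the XML parser.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(raw)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" applies to signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((node.text or "").split()))
            certs[hashlib.sha256(der).hexdigest()] = der

    endpoints = set()
    for el in idp:
        location = el.get("Location")
        if location:
            service = el.tag.rsplit("}", 1)[-1]
            endpoints.add((service, el.get("Binding", ""), location))
    return {"entity_id": root.get("entityID"), "certs": certs, "endpoints": endpoints}


def migration_diff(old_raw: bytes, new_raw: bytes) -> dict:
    """List what a service provider has to change when moving old -> new metadata."""
    old, new = parse_idp_metadata(old_raw), parse_idp_metadata(new_raw)
    added = new["endpoints"] - old["endpoints"]
    hosts = set()
    for _service, _binding, location in added:
        url = urlsplit(location)
        if url.scheme != "https":
            raise ValueError(f"non-TLS endpoint in metadata: {location}")
        hosts.add((url.hostname, url.port or 443))
    return {
        "entity_id_changed": old["entity_id"] != new["entity_id"],
        "certs_to_trust": sorted(set(new["certs"]) - set(old["certs"])),
        "certs_to_retire": sorted(set(old["certs"]) - set(new["certs"])),
        "new_endpoints": sorted(added),
        "firewall_targets": sorted(hosts),  # (host, port) pairs to test outbound
    }


if __name__ == "__main__":
    for key, value in migration_diff(OLD_METADATA, NEW_METADATA).items():
        print(f"{key}: {value}")
```
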
6.3.2 iCMS/RCMS
The process for onboarding an application which uses either iCMS or RCMS will require a change. The
change required will vary depending on your use of iCMS/RCMS. Agencies who use these services
will be contacted as part of the engagement process to ensure that all parties understand the
changes required to support the replatformed service. We will support you throughout the change
process.
Applications which use the Assert and Login flow are no longer required to interact with iCMS/RCMS
and will no longer be required to decrypt an Opaque Token as per earlier versions of this document.
Instead, the RealMe Assertion Service will issue the user’s FLT for agency as the NameID within the
Subject of the Assertion. This is the same method that is currently used by the Login service.
Applications which use iCMS or RCMS for seamless login or extended login use cases will require the
following changes:
     • Applications which are using iCMS will need to integrate to the new RCMS service. iCMS will
        be decommissioned.
     • A change to the RCMS endpoint.
     • Minor changes to integrate with RCMS using the standardised OAuth2.0 token exchange
        profile.
6.3.3 Help Desk
Agencies who use either the Help Desk Web Application or Web Service will be contacted as part of
the engagement process to ensure that all parties understand the changes required to support the
replatformed service. We will support you throughout the change process.
6.3.3.1      Web Application
The existing RealMe Help Desk application will be decommissioned and replaced with a new web
application which will provide the same functionality as the existing RealMe Help Desk web
application.
Agencies who use the Help Desk application will need to federate their internal active directory to
the new RealMe Helpdesk Federation hub. This will streamline the setup of Help Desk users, allow
agencies to provide their own internal governance and remove the need for the use of RSA tokens.
Refer to Appendix Two – Helpdesk Architecture Overview on page 13 of this document for more
information.

³ This will be based on DNS based routing or mutual SSL authentication between applications and RealMe services.

6.3.3.2 Web Service
The Helpdesk Web Service will be decommissioned. Agencies who use this service will be contacted
as part of the engagement process to support you through the change process and to ensure that all
parties understand the changes required to support the RePlatformed service. We will support you
throughout the change process.

6.4 RSA Tokens
DIA has assessed the use of RSA Tokens and the decision has been made to integrate the
replatformed RealMe with the existing RSA Token Server. Agencies who currently use RSA Tokens
for applications other than the RealMe Help Desk will not need to take any further action.


7 Appendix One – Architecture High Level Overview
[Figure: architecture high-level overview diagram. Labels recoverable from the diagram:
    •   Relying parties: DIA, MBIE, MSD, IR, Banks, Others; NZ Public
    •   SAMLv2.0 WebSSO Endpoints
    •   Azure AD B2C: RealMe Login Service, RealMe Assertion Service, RealMe Credentials Store, Graph API
    •   RealMe Front Door
    •   Agency Service Desk (DIA, MBIE, IR, MSD): Service Desk Operators, access through Agency Login,
        SAMLv2.0 IdP initiated SSO
    •   DIA - Microsoft Azure Tenancy: Azure AD B2C RealMe Helpdesk Federation Hub, HD Access
    •   RealMe Azure Resources (RealMe Resource Group): RealMe Helpdesk Webapp, RealMe Context Mapping
        Service, RealMe Extension Functions App, RealMe Storage Account, RealMe Key Vault, RealMe Insights,
        RealMe System Monitor, RealMe Health and Performance Check, Unify Business Monitor
    •   External Integration: RealMe Consent Service, Identity Verification Service, Address Verification
        Service]


8 Appendix Two – Helpdesk Architecture Overview
[Figure: helpdesk architecture overview diagram. Labels recoverable from the diagram:
    •   Numbered steps: 1. Access RealMe HD Web app; 2. SAML IdP Initiated SSO; 3. redirect with operator
        token; 4. HD Landing Page
    •   Agency Service Desk (DIA, MBIE, IR, MSD): Agency Service Desk Operator, Agency IdP, Metadata
        Configuration, HD Operators Credentials Store
    •   Azure AD B2C RealMe Helpdesk Federation Hub: SAMLv2.0 SP
    •   RealMe Front Door; RealMe Azure Resources: RealMe Helpdesk Webapp
    •   RealMe Azure AD B2C: Graph API (Get User Details)
    •   RealMe Helpdesk Business Functions (implemented by the RealMe Helpdesk Webapp): Recover username,
        Reset password, Search user, User summary, Transaction details, Update contact details,
        Update 2FA Methods]
