REALME RE-PLATFORMING - AGENCY ENGAGEMENT PACK READINESS COMPONENT
RealMe® Re-Platforming Agency Engagement Pack
Readiness Component
Version 1.0 (FINAL)
March 2021
UNCLASSIFIED
Revision History

Version | Date | Description of changes
0.1 | 16 January 2020 | Initial draft
0.2 | 17 January 2020 | Added further architectural detail
0.3 | 27 January 2020 | Added DIA feedback
0.4 | 29 January 2020 | Initial agency feedback included
0.5 | 3 February 2020 | Final draft for release to all agencies
0.6 | 16 April 2020 | Updated to include revised schedule
0.7 | 25 September 2020 | Added step to obtain Mutual SSL certificates for services using Artifact binding. Amended Assert then Login flow. Updated to reflect revised schedule.
0.8 | 18 December 2020 | Updated dates. RSA Token amendment.
1.0 | 23 March 2021 | Final, includes updated timeline with final dates.
Agency Engagement Pack

Table of Contents
1 Background (p. 4)
1.1 Benefits (p. 4)
1.1.1 System wide (p. 4)
1.1.2 Agency wide (p. 5)
2 Purpose (p. 6)
3 Roles and Responsibilities (p. 6)
4 Engagement Plan (p. 7)
4.1 Agency Engagement Timeline (p. 7)
5 Pre-requisites (p. 8)
6 High Level Overview (p. 9)
6.1 Who are UNIFY Solutions? (p. 9)
6.2 Proposed Solution (p. 9)
6.3 High Level Onboarding Process (p. 9)
6.3.1 Login and Assertion Services (p. 10)
6.3.2 iCMS/RCMS (p. 10)
6.3.3 Help Desk (p. 10)
6.4 RSA Tokens (p. 11)
7 Appendix One – Architecture High Level Overview (p. 12)
8 Appendix Two – Helpdesk Architecture Overview (p. 13)

Readiness UNCLASSIFIED Page 3 of 13
1 Background

The authentication and identity verification service RealMe® was launched in 2013. RealMe is a secure and privacy protected way for New Zealanders to access online services, prove their identity and assert personal information online. RealMe provides two key services, the login service and the identity verification, or assertion, service.

The login service is an authentication service that allows a returning customer to reuse their login across multiple services. RealMe login currently provides access to 131 services from 40 organisations. Up to 2.5 million logins occur monthly and approximately 60-80% of logins are used to access more than one service.

The RealMe Assertion service provides a person with an online identity, allowing them to prove (with their consent) that they are who they say they are online. The pieces of information belonging to a person are called attributes. Attributes are currently provided by the Department of Internal Affairs Identity Verification Service (verified identity: name, date of birth, place of birth and gender) and the New Zealand Post Address Verification Service (residential address). Providing the verification services separately ensures that a person's attributes are not stored within RealMe itself. The RealMe Assertion service currently provides identity services to 17 public and private sector clients. There are over 820,000 verified identities and the service undertakes over 30,000 successful identity transactions per month.

The current RealMe platform is hosted 'on premise' and requires significant three-yearly capital investment to upgrade expiring platform components. After consideration of the ongoing costs required to maintain the current platform, the government and DIA's strategic direction to consider 'cloud first' technology options, and the potential benefits of a cloud based platform in terms of faster development, improved security and reduced costs, DIA made a decision to move the RealMe service to an offshore, cloud based platform.

DIA selected Microsoft Azure Active Directory B2C as the new platform. DIA has an existing enterprise cloud services agreement with Microsoft, which includes its use of the Azure platform. This agreement incorporates the standard Online Services Terms (which include a separate Data Protection Addendum) that apply to DIA's use of Azure.

In late 2019 DIA underwent an RFP process to procure an implementation partner, and in December 2019 engaged Unify Solutions NZ Ltd (UNIFY) to carry out this transition, as well as provide ongoing service support. The goal is to have RealMe moved to the new platform early in the second quarter of 2021.

1.1 Benefits

The RealMe RePlatforming Project provides the following system and agency wide benefits:

1.1.1 System wide
• Significantly reduces operational and capex costs.
• Improved security and privacy capability.
• Fit for purpose / ability to enable future needs.
1.1.2 Agency wide
• Reduced effort to integrate / reduces complexity / costs.
• Enables better product development.
• Enables federated login.
• Easier to adopt attributes (e.g. citizenship, Te Ara Manaki programme).
• With custom code (current system) it is hard to make changes to meet agency requirements; the new system is more adaptable.
• Helpdesk
  o The new helpdesk will remove the need for staff tokens and token management, as login will be federated with agency login.
  o Simpler / easier user interface.
2 Purpose

The purpose of the Agency Engagement Pack is to provide agencies with a good understanding of the purpose, objective, approach, timelines, process and mechanism for integrating applications to the new RealMe® platform. The intended audience for this pack includes agency business owners, business analysts, developers and vendor representatives.

This is the first of three artefacts which, together, form the Agency Engagement Pack:

Artefact | Contents
Agency Readiness Pack (this document) | Solution Overview; Roles and Responsibilities; Pre-requisites; Engagement Plan (high level)
Agency Onboarding Pack | Engagement Plan (revised); Configuration Items; Integration and User Acceptance Testing; Rollout across Higher Environments
Service Management Pack | Service Transition; Service Operation; Frequently Asked Questions

A draft of this document was presented to the first RealMe RePlatforming workshop on 5 February 2020.

3 Roles and Responsibilities

The following roles and responsibilities regarding agency engagement have been defined:

DIA
• Lead interactions with agencies
• Facilitate integration workshops
• Lead/manage the integration process in all environments
• Complete Certification and Assurance for the replatformed RealMe® service and provide related documentation and guidance to agencies
• Complete a Privacy Impact Assessment and share relevant aspects with the agencies
• Complete Performance and Penetration Testing in the RealMe Integration Test Environment (ITE) and share results with the agencies
• Provide technical documentation, including the Solution Architecture Design document, to the agencies

UNIFY
• Participate in agency workshops and follow up meetings as required
• Support DIA in delivering the processes to implement and test agency integrations
• Provide troubleshooting assistance and advice to support successful agency integrations

Agencies
• Participate in integration workshops and follow up meetings as required
• Integration and Testing of applications using the RealMe ITE and, optionally, the Message Testing Site (MTS) and Early Integration Test (EIT)
• Production implementation
• Complete any Certification and Assurance as required, as assessed by your agency
4 Engagement Plan

DIA commenced formal engagement with the agencies in February 2020. Initial engagement was in the form of two workshops as follows:

Date | Purpose
5 February 2020 (workshop #1) | Initiate discussions regarding the application onboarding exercise and walk through the first draft of the 'Agency Readiness Pack' (this document)
19 February 2020 (workshop #2) | A follow up from Workshop #1 to provide an update on the action items and inputs from the previous workshop, a walkthrough of the Engagement and an update on the timelines and overall engagement plan

The final version of the Agency Engagement Pack will be issued in early January 2021 to coincide with ITE Replatforming; however, there may be updates to these documents prior to this. Agencies will be notified when significant updates are available, and these will be published on the RealMe® Developer's Website.

For those agencies with more complex integrations, additional workshops may be required to ensure all parties understand the changes required to support the replatformed RealMe service.

If you have any questions regarding any aspect of the Engagement Plan and/or the replatforming of RealMe please email integrations@realme.govt.nz.

4.1 Agency Engagement Timeline

The following diagram and table depict a high-level view of the agency engagement timeline. Agencies will be notified should there be any change to the timeline.

Key Agency Dates

Date | Purpose
25 September 2020 | Issue updated Agency Engagement Pack (including the Service Management Pack)
16 October 2020 | Publish Security and Privacy information for agencies
9 November 2020 | Early Integration Testing for complex agencies (see footnote 1)
30 November 2020 | MTS build complete
26 January 2021 to 26 March 2021 | Agency Integration Testing (ITE) and drop in workshops
1 March 2021 | Help Desk Material available
25 March 2021 | Issue final Agency Engagement Pack
25 March 2021 | Agency C&A Session with Quantum
29 March 2021 | Production Onboarding Bundles published, plus minor update to Onboarding Pack to provide reference to the new bundle
11 April 2021 | Agency Replatforming

5 Pre-requisites

In order to ensure production readiness, each agency must meet the following pre-requisites for each of their respective applications.

Completed | Description
☐ | Confirm that RealMe® integration for your application is still required. If not, no further integration steps are required, and your application will not be migrated to the replatformed RealMe environment.
☐ | Your application must be successfully integrated with the existing RealMe ITE environment.
☐ | Your agency must send at least one technical representative with RealMe integration experience to the two RePlatforming workshops.
☐ | Review and, where necessary, update information related to your application when provided by DIA as follows:
  • Key contact information.
  • Details of RealMe services which are currently being consumed.
  • SAML component used by your application; for further information refer to the list of known RealMe SAML 2.0 components.
  • EntityID(s) of the connected application environments in both ITE and Production.
☐ | Upon receipt of the Onboarding Pack:
  • Perform tests to ensure that the new endpoints are accessible. If not, request appropriate firewall change(s) and, once applied, retest.
  • Integrate and successfully test application connectivity against the RePlatformed Integration Testing Environment.
☐ | For those agencies with integrations to the existing igovt Context Mapping Service (iCMS), RealMe Context Mapping Service (RCMS), HelpDesk Web Application or HelpDesk Web Service:
  • Participate in additional workshops to understand the application changes which are required to support the RePlatformed service(s).
  • Amend your application(s) to consume the RePlatformed service(s).
  • Regression test your application.

Footnote 1: Complex agencies are deemed to be those who have services which use the Assert then Login flow and/or run their own RealMe Help Desk. This environment will not be available post go-live.
6 High Level Overview

6.1 Who are UNIFY Solutions?

UNIFY has extensive experience in developing Identity and Access Management solutions for numerous customers across a wide range of industry sectors, including a significant number of government agencies. Most importantly, UNIFY has considerable experience with the Azure AD B2C platform that has been selected by DIA to underpin the re-platformed RealMe® service.

6.2 Proposed Solution

The RealMe Login Service and RealMe Assertion Service will be redeveloped using Microsoft Azure AD B2C. The major solution components required to meet the functional and non-functional requirements of the RealMe platform are listed below. Also refer to Appendix One – Architecture High Level Overview on page 12 of this document for an overview diagram.

• RealMe Login Service (see footnote 2) – developed using Microsoft Azure AD Identity Experience Framework, SAML 2.0 and other Azure Services.
• RealMe Assertion Service (see footnote 2) – developed using Microsoft Azure AD Identity Experience Framework, SAML 2.0 and other Azure Services.
• RealMe Context Mapping Service (RCMS) – developed using Azure AD B2C and Microsoft Azure Web API, JSON Web Token (JWT) and other Azure Services.
• Help Desk Web Application – highly scalable and highly available web application provided to the agency service desk users to support the users in managing RealMe credentials such as password reset, updating contact details etc.
• Data Migration – all user records and three years of audit and event history will be migrated.
• Disaster Recovery – Azure AD's geographically distributed architecture combines extensive monitoring, automated rerouting, failover, and recovery capabilities, which deliver company-wide availability and performance to customers.

If you require further detail regarding the solution, please contact business@realme.govt.nz.

6.3 High Level Onboarding Process

The replatformed ITE RealMe will be available to agencies in late January 2020 for integration testing. This will run in parallel with the existing RealMe ITE. The existing RealMe ITE will be made unavailable once the replatforming of RealMe is complete.

The Production go-live will be a 'single' cutover, i.e. the replatformed RealMe environment will be stood up for services to integrate with during a specific change window and the existing RealMe environment will be made unavailable. This approach has been determined to be the best option primarily due to the sheer volume of data that needs to be migrated from one fundamentally different system to another. Further information regarding the data migration process will be made available on the RealMe Developer's website in October 2020.

EIT will be available for complex agencies to perform early integration testing in early November 2020. Once initial integration testing in EIT has been completed successfully, optional 'self-service' integration to MTS will be available for all agencies (to be confirmed, but likely to be late November).

Footnote 2: SAML bindings of POST and Artifact will continue to be supported.
6.3.1 Login and Assertion Services

The process for onboarding an application which uses either the Login Service or the Assertion Service will require the application to load a new Identity Provider (IdP) metadata file. This file will contain a new certificate and new endpoints for RealMe services. Depending on your network configuration, some agencies may also require amended firewall rules (see footnote 3) to allow their application to access the new endpoints. Further information will be provided as part of the Agency Onboarding Pack; however, the process will be very similar to the RealMe certificate renewal process (most recently in 2019).

There will be no requirement to supply new Service Provider metadata files for the ITE and Production environments as these will be migrated as part of the replatforming exercise.

Note: agencies integrating to the MTS and EIT environments will be expected to provide an amended Service Provider metadata file using the template which will be included in the 'RealMe Replatforming Bundle' for that environment.

Agencies who are using Artifact binding will be requested to supply their Mutual SSL certificates for both the ITE and Production environments. This is because the current RealMe utilises the certificate thumbprint only, whereas the replatformed RealMe uses the entire certificate.

6.3.2 iCMS/RCMS

The process for onboarding an application which uses either iCMS or RCMS will require a change. The change required will vary depending on your use of iCMS/RCMS. Agencies who use these services will be contacted as part of the engagement process to ensure that all parties understand the changes required to support the replatformed service. We will support you throughout the change process.

Applications which use the Assert and Login flow are no longer required to interact with iCMS/RCMS and will no longer be required to decrypt an Opaque Token, as per earlier versions of this document. Instead, the RealMe Assertion Service will issue the user's FLT for the agency as the NameID within the Subject of the Assertion. This is the same method that is currently used by the Login service.

Applications which use iCMS or RCMS for seamless login or extended login use cases will require the following changes:
• Applications which are using iCMS will need to integrate to the new RCMS service. iCMS will be decommissioned.
• A change to the RCMS endpoint.
• Minor changes to integrate with RCMS using the standardised OAuth 2.0 token exchange profile.

6.3.3 Help Desk

Agencies who use either the Help Desk Web Application or Web Service will be contacted as part of the engagement process to ensure that all parties understand the changes required to support the replatformed service. We will support you throughout the change process.

6.3.3.1 Web Application

The existing RealMe Help Desk application will be decommissioned and replaced with a new web application which will provide the same functionality as the existing RealMe Help Desk web application. Agencies who use the Help Desk application will need to federate their internal Active Directory to the new RealMe Helpdesk Federation hub. This will streamline the setup of Help Desk users, allow agencies to provide their own internal governance and remove the need for the use of RSA tokens. Refer to Appendix Two – Helpdesk Architecture Overview on page 13 of this document for more information.

6.3.3.2 Web Service

The Helpdesk Web Service will be decommissioned. Agencies who use this service will be contacted as part of the engagement process to support you through the change process and to ensure that all parties understand the changes required to support the RePlatformed service. We will support you throughout the change process.

6.4 RSA Tokens

DIA has assessed the use of RSA Tokens and the decision has been made to integrate the replatformed RealMe with the existing RSA Token Server. Agencies who currently use RSA Tokens for applications other than the RealMe Help Desk will not need to take any further action.

Footnote 3: This will be based on DNS based routing or mutual SSL authentication between applications and RealMe services.
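As an added example (not part of this pack, and not DIA's or UNIFY's code), the following stdlib-only Python script shows the readiness check that sections 5 and 6.3.1 ask agencies to perform: it parses a SAML 2.0 IdP metadata file, lists the endpoints per binding (POST and Artifact included), fingerprints the IdP signing certificate, and reports which hosts and certificates differ from the metadata the application currently trusts, i.e. what to put in a firewall change request and what to add to or retire from the trust store. The entity IDs, hostnames and certificate bytes in the sample metadata are constructed placeholders, not RealMe values.

```python
"""Readiness check for an IdP metadata change (added example, stdlib only).
Parses SAML 2.0 IdP metadata, lists endpoints per binding, fingerprints the
signing certificate(s) and reports what differs from the metadata an agency
already trusts: hosts to add to firewall rules, certificates to trust/retire.
Sample metadata is CONSTRUCTED; hosts and certificate bytes are placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

def parse_idp_metadata(xml_text):
    """Return entity ID, {(service, binding): location} and signing cert thumbprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    endpoints = {}
    for tag in ("SingleSignOnService", "ArtifactResolutionService", "SingleLogoutService"):
        for ep in idp.findall(f"md:{tag}", NS):
            endpoints[(tag, ep.get("Binding").replace(BINDING_PREFIX, ""))] = ep.get("Location")
    certs = {}  # sha256 thumbprint -> sha1 thumbprint (both are hashes of the DER bytes)
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption keys do not verify the IdP's assertion signature
        der = base64.b64decode("".join(kd.find(".//ds:X509Certificate", NS).text.split()))
        certs[hashlib.sha256(der).hexdigest()] = hashlib.sha1(der).hexdigest()
    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "signing_certs": certs}

def readiness_diff(old_xml, new_xml):
    """Compare currently trusted (old) metadata with the newly issued (new) file."""
    old, new = parse_idp_metadata(old_xml), parse_idp_metadata(new_xml)
    changed = {k: (old["endpoints"].get(k), v) for k, v in new["endpoints"].items()
               if old["endpoints"].get(k) != v}
    new_hosts = {urlparse(u).hostname for u in new["endpoints"].values()}
    old_hosts = {urlparse(u).hostname for u in old["endpoints"].values()}
    return {
        "entity_id_changed": old["entity_id"] != new["entity_id"],
        "changed_endpoints": changed,
        "hosts_to_allow": sorted(new_hosts - old_hosts),  # input to a firewall change request
        "certs_to_trust": sorted(set(new["signing_certs"]) - set(old["signing_certs"])),
        "certs_to_retire": sorted(set(old["signing_certs"]) - set(new["signing_certs"])),
        # Artifact binding means a back-channel call to the resolution service (mutual SSL)
        "artifact_binding": ("ArtifactResolutionService", "SOAP") in new["endpoints"],
    }

def sample_metadata(host, cert_der):
    """Constructed IdP metadata for illustration (not a real RealMe document)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://{host}/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="{BINDING_PREFIX}SOAP" Location="https://{host}/ars" index="0"/>
    <md:SingleSignOnService Binding="{BINDING_PREFIX}HTTP-Redirect" Location="https://{host}/sso"/>
    <md:SingleSignOnService Binding="{BINDING_PREFIX}HTTP-POST" Location="https://{host}/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

OLD_METADATA = sample_metadata("login.old-idp.example", b"constructed-old-cert-der")
NEW_METADATA = sample_metadata("login.new-idp.example", b"constructed-new-cert-der")

if __name__ == "__main__":
    print(readiness_diff(OLD_METADATA, NEW_METADATA))
```

Run against the IdP metadata files from the current environment and the Onboarding Pack; the `hosts_to_allow` list is what the firewall test in section 5 needs to reach, and `certs_to_trust` is the new signing certificate to import before retesting.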
7 Appendix One – Architecture High Level Overview

[Architecture diagram: relying parties (DIA, MBIE, MSD, IR, banks, others) and the NZ public connect over SAMLv2.0 WebSSO endpoints to the RealMe Login Service and RealMe Assertion Service in the DIA Azure AD B2C tenancy (RealMe Resource Group). Supporting components shown: RealMe Front Door, Credentials Store, Graph API, Key Vault, Context Mapping Service, Functions App, Storage Account, System Insights and Health and Performance Check, the RealMe Helpdesk Webapp and Helpdesk Federation Hub (IdP initiated SSO from agency service desks, with HD access through agency login), and external integrations to the RealMe Consent Service, Identity Verification Service and Address Verification Service.]
8 Appendix Two – Helpdesk Architecture Overview

[Helpdesk architecture diagram: (1) an agency service desk operator (DIA, MBIE, IR, MSD) accesses the RealMe HD web app; (2) SAML IdP initiated SSO from the agency IdP to the RealMe Helpdesk Federation Hub, an Azure AD B2C SAMLv2.0 SP configured from the agency IdP metadata; (3) redirect with operator token via RealMe Front Door to RealMe Azure AD B2C; (4) HD landing page. The RealMe Helpdesk Webapp gets user details through the Graph API against the Credentials Store and implements the helpdesk business functions: recover username, reset password, search user, user summary, update contact details, update 2FA methods and transaction details.]