IT:AD:WFIAM

  • Reduce operation and development costs by reducing complexity.
  • Improve interoperability by developing authentication and attribute systems that can be used in more scenarios.
  • Improve security by disclosing confidential information only as required.
  • Improve data quality by relying on evidenced information.

* Common over Custom: where possible, design for a common system.
* Automation over Operation: where possible, develop towards a user experience flow that does not require asking about Context, or other scenarios that require user input.

  • On B2C:
    • B2C's business model is bridging to general IdPs, not solving edge Education cases, so it will not add flows to manage Context choice.
    • IdPs outside of our control will not add flows to provide a choice of Context either.
    • This implies that either the Context flow can only be done using WFIAM (in which case B2C is superfluous if we are using only one IdP), or Context (School) should be handled as a secondary step, post Authentication.
    • Issuance of Sensitive Claims should be limited to those the End User has consented to. Embedding Scholastic/Career identifiers, rank, etc. in the token should therefore not be the default behaviour of B2C. The alternative is to encrypt the token, which risks integration problems with 3rd party services that cannot handle encrypted tokens.
    • The legacy ability of ESAA, repeated in WFIAM, to select Context (and therefore Roles) during Signup should not be the basis of current and future IDA integration using OIDC, as it is not something OIDC supports by default.
      • Specialized secondary Resource Services would be the most decoupled approach.
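The following Python is an added example, not code from this page or from the WFIAM/ESL project. It models the "Context as a secondary step, post Authentication" design above: the broker issues a token carrying only the subject and consented claims, and the Resource Client then asks a separate Context resource server (the role the IDA Metadata Server plays) which schools the subject belongs to, auto-selecting when there is exactly one (Automation over Operation) and only invoking a UX callback when there are several. It also shows why embedding sensitive claims is an exposure: the token payload is readable by anyone holding it, without the signing key. The signing key, issuer URL, subjects and context directory are all invented for the demo; a real broker would sign with RS256 and publish a JWKS rather than share an HMAC key.

```python
"""Added example, not code from the page or from the WFIAM/ESL project: it
models "Context (School) as a secondary step, post Authentication".  The
broker issues a minimal token; scholastic context and roles come afterwards
from a separate resource server.  The signing key, subjects, context
directory and issuer URL are all invented for the demo."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: a key shared by broker and resource server.  A real broker
# signs with RS256 and publishes a JWKS; HS256 keeps this runnable offline.
KEY = b"demo-only-signing-key"
ISSUER = "https://broker.example"  # assumed issuer, not a real endpoint

# Constructed directory of Context (school) memberships, keyed by subject.
CONTEXT_DIRECTORY = {
    "sub-001": [{"context": "school-A", "roles": ["teacher"]}],
    "sub-002": [{"context": "school-B", "roles": ["principal"]},
                {"context": "school-C", "roles": ["teacher"]}],
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, extra: dict, ttl: int = 300) -> str:
    """Broker side: issue a compact JWS carrying only sub plus `extra`.
    Nothing about school, rank or roles is embedded."""
    now = int(time.time())
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = {"iss": ISSUER, "sub": sub, "iat": now, "exp": now + ttl, **extra}
    signing_input = header + "." + b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_without_key(token: str) -> dict:
    """Any party that handles the token can read its payload: the signature
    proves origin, it does not hide anything.  This is why sensitive claims
    embedded by default are an exposure to every 3rd party in the chain."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_token(token: str) -> dict:
    """Resource-server side: check signature, issuer and expiry before
    trusting any claim.  Raises ValueError on failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))
    if payload.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if payload["exp"] < time.time():
        raise ValueError("expired")
    return payload


def list_contexts(token: str) -> list:
    """'Context' interface of the IDA Metadata Server: verifies the token and
    returns only the caller's own memberships, never another subject's."""
    sub = verify_token(token)["sub"]
    return CONTEXT_DIRECTORY.get(sub, [])


def resolve_context(token: str, choose=None) -> dict:
    """Resource Client side, after authentication ("Automation over
    Operation"): auto-select when exactly one Context exists, invoke the
    `choose` UX callback only when several exist, refuse when none do."""
    contexts = list_contexts(token)
    if not contexts:
        raise PermissionError("subject holds no Context")
    if len(contexts) == 1:
        return contexts[0]
    if choose is None:
        raise LookupError("several Contexts; user input required")
    wanted = choose([c["context"] for c in contexts])
    for entry in contexts:
        if entry["context"] == wanted:
            return entry
    # The choice is checked against server-side data, so a client cannot
    # pick a school the subject is not a member of.
    raise PermissionError("chosen Context not held by subject")


if __name__ == "__main__":
    tok = mint_token("sub-002", {"email": "u2@example.org"})
    print("token payload visible to anyone:", read_payload_without_key(tok))
    print("resolved:", resolve_context(tok, choose=lambda opts: opts[0]))
```

The point of the split is that roles never travel inside the token: a 3rd party that only needs to know who the user is sees `sub` and the consented `email`, while the school and role are obtained by the client on demand and validated by the resource server against its own directory. Swapping the HMAC verification for RS256 against the broker's JWKS does not change the flow.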


@startuml
!include http://skysigal.com/_media/resources/configuration/plantuml/minimalist.txt

title Optional ESL OIDC Brokering

component "Resource Client" as RC
component "Resource Server" as RS

frame ESL {

together {
component "OIDC Broker" as B2C
interface "Auth" as B2CAuth
interface "Profile" as B2CProfile
B2CAuth -DOWN- B2C
B2CProfile -DOWN- B2C
}
together {
component "SocialIdPs" as Social
interface "Auth" as SocialAuth
interface "Profile" as SocialProfile
SocialAuth -DOWN- Social
SocialProfile -DOWN- Social
}

together {
component WFIAM
interface "Auth" as WFIAMAuth
interface "Profile" as WFIAMProfile
interface "Legacy Context Selector UI" as WFIAMContext

WFIAMAuth -DOWN- WFIAM
WFIAMProfile -DOWN- WFIAM
WFIAMContext -DOWN- WFIAM

note right of WFIAMContext
Legacy UI is accessed during
sign-in via SAML to embed
Claims. This legacy step
need not be continued as a
WFIAM service.
end note

}

together {
component "IDA Metadata Server" as IDAX
interface "Context" as IDAXContext
note right of IDAXContext
UX step, as it requires
user input
end note
interface "EOI" as IDAXEOI
IDAXContext -DOWN- IDAX
IDAXEOI -DOWN- IDAX
}

}

RC -DOWN-> B2CAuth
RC -DOWN-> B2CProfile
B2C -DOWN-> SocialAuth
B2C -DOWN-> WFIAMAuth
B2C -DOWN-> SocialProfile
B2C -DOWN-> WFIAMProfile

RC -DOWN- IDAXEOI
RC -DOWN- IDAXContext
RC -DOWN- RS

note right of IDAX
Can be WFIAM or an external
Service, to allow for any
IdP. Either way, it acts
as just another Resource
Server.
end note
@enduml