REALME RE-PLATFORMING - AGENCY ENGAGEMENT PACK READINESS COMPONENT - REALME FOR DEVELOPERS AND ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
RealMe® Re-Platforming
Agency Engagement Pack
Readiness Component
Version 0.7 (FINAL DRAFT)
September 2020
UNCLASSIFIEDRevision History
Version Date Description of changes
0.1 16 January 2020 Initial draft
0.2 17 January 2020 Added further detail architectural detail
0.3 27 January 2020 Added DIA feedback
0.4 29 January 2020 Initial agency feedback included
0.5 3 February 2020 Final draft for release to all agencies
0.6 16 April 2020 Updated to include revised schedule
0.7 25 September 2020 Added step to obtain Mutual SSL certificates for
services using Artifact binding.
Amended Assert then Login flow.
Updated to reflect revised schedule.
UNCLASSIFIEDAgency Engagement Pack
Table of Contents
1 BACKGROUND ............................................................................................................. 4
1.1 Benefits ............................................................................................................................... 4
1.1.1 System wide ................................................................................................................ 4
1.1.2 Agency wide ................................................................................................................ 5
2 PURPOSE .................................................................................................................... 6
3 ROLES AND RESPONSIBILITIES........................................................................................... 6
4 ENGAGEMENT PLAN ...................................................................................................... 7
4.1 Agency Engagement Timeline ............................................................................................. 7
5 PRE-REQUISITES ........................................................................................................... 8
6 HIGH LEVEL OVERVIEW .................................................................................................. 9
6.1 Who are UNIFY Solutions? .................................................................................................. 9
6.2 Proposed Solution ............................................................................................................... 9
6.3 High Level Onboarding Process........................................................................................... 9
6.3.1 Login and Assertion Services ..................................................................................... 10
6.3.2 iCMS/RCMS ............................................................................................................... 10
6.3.3 Help Desk .................................................................................................................. 10
6.3.4 Web Application........................................................................................................ 10
6.4 RSA Tokens ........................................................................................................................ 11
7 APPENDIX ONE – ARCHITECTURE HIGH LEVEL OVERVIEW ...................................................... 12
8 APPENDIX TWO – HELPDESK ARCHITECTURE OVERVIEW ....................................................... 13
Readiness UNCLASSIFIED Page 3 of 131 Background
The authentication and identity verification service RealMe® was launched in 2013. RealMe is a
secure and privacy protected way for New Zealanders to access online services, prove their identity
and assert personal information online. RealMe provides two key services, the login service and the
identity verification, or assertion, service.
The login service is an authentication service that allows a returning customer to reuse their login
across multiple services. RealMe login currently provides access to 131 services from 40
organisations. Up to 2.5 million logins occur monthly and approximately 60-80% of logins are used to
access more than one service.
The RealMe Assertion service provides a person with an online identity, allowing them to prove
(with their consent) that they are who they say they are online. The pieces of information belonging
to a person are called attributes. Attributes are currently provided by the Department of Internal
Affairs Identity Verification Service (verified identity – name, date of birth, place of birth and gender)
and the New Zealand Post Address Verification Service (residential address). Providing the
verification services separately ensures that a person’s attributes are not stored within RealMe itself.
The RealMe Assertion service currently provides identity services to 17 public and private sector
clients. There is close to 790,000 verified identities and the service undertakes over 29,000
successful identity transactions per month.
The current RealMe platform is hosted ‘on premise’ and requires significant three-yearly capital
investment to upgrade expiring platform components. After consideration of the ongoing costs
required to maintain the current platform, the government and DIA’s strategic direction to consider
‘cloud first’ technology options and the potential benefits of a cloud based platform in terms of
faster development, improved security and reduced costs, DIA made a decision to move the RealMe
service to an offshore, cloud based platform.
DIA selected Microsoft Azure Active Directory B2C as the new platform. DIA has an existing
enterprise cloud services agreement with Microsoft, which includes its use of the Azure platform.
This agreement incorporates the standard Online Services Terms (which includes a separate Data
Protection Addendum) that apply to DIA’s use of Azure.
In late 2019 DIA underwent an RFP process to procure an implementation partner, and in December
2019 engaged Unify Solutions NZ Ltd (UNIFY) to carry out this transition, as well as provide ongoing
service support. The goal is to have RealMe moved to the new platform in the first quarter of 2021.
1.1 Benefits
The RealMe RePlatforming Project provides the following system and agency wide benefits:
1.1.1 System wide
• Significantly reduces operational and capex costs.
• Improved security and privacy capability.
• Fit for purpose / ability to enable future needs.
Readiness UNCLASSIFIED1.1.2 Agency wide
• Reduced effort to integrate / reduces complexity / costs.
• Enables better product development.
• Enables federated login.
• Easier to adopt attributes (e.g. citizenship Te Ara Manaki programme).
• With custom code (current system) hard to make changes to meet agency requirements,
new system more adaptable.
• Helpdesk
o new helpdesk will remove need for staff tokens & management as login will be
federated with agency login.
o simpler / easier user interface.
Readiness UNCLASSIFIED2 Purpose
The purpose of the Agency Engagement Pack is to provide agencies with a good understanding of
the purpose, objective, approach, timelines, process and mechanism for integrating applications to
the new RealMe® platform.
The intended audience for this pack includes agency business owners, business analysts, developers
and vendor representatives.
This is the first of three artefacts which, together, form the Agency Engagement Pack:
Artefact Contents
Agency Readiness Pack (this • Solution Overview
document) • Roles and Responsibilities
• Pre-requisites
• Engagement Plan (high level)
Agency Onboarding Pack • Engagement Plan (revised)
• Configuration Items
• Integration and User Acceptance Testing
• Rollout across Higher Environments
Service Management Pack • Service Transition
• Service Operation
• Frequently Asked Questions
A draft of this document was presented to the first RealMe RePlatforming workshop on 5 February
2020.
3 Roles and Responsibilities
The following roles and responsibilities regarding agency engagement have been defined:
Responsible Role
DIA • Lead interactions with agencies
• Facilitate integration workshops
• Lead/manage the integration process in all environments
• Complete Certification and Assurance for the replatformed RealMe® service and provide
related documentation and guidance to agencies
• Complete a Privacy Impact Assessment and share relevant aspects with the agencies
• Complete Performance and Penetration Testing in the RealMe Integration Test
Environment (ITE) and share results with the agencies.
• Provide technical documentation, including the Solution Architecture Design document,
to the agencies
UNIFY • Participate in agency workshops and follow up meetings as required
• Support DIA in delivering the processes to implement and test agency integrations
• Provide troubleshooting assistance and advice to support successful agency integrations
Agencies • Participate in integration workshops and follow up meetings as required
• Integration and Testing of applications using the RealMe ITE and, optionally, the Message
Testing Site (MTS) and Early Integration Test (EIT).
• Production implementation
• Complete any Certification and Assurance as required as assessed by your agency
Readiness UNCLASSIFIED4 Engagement Plan
DIA commenced formal engagement with the agencies in February 2020. Initial engagement was in
the form of two workshops as follows:
Date Purpose
5 February 2020 (workshop #1) Initiate discussions regarding the application onboarding
exercise and walkthrough the first draft of the ‘Agency
Readiness Pack’ (this document)
19 February 2020 (workshop #2) A follow up from Workshop #1 to provide an update on the
action items and inputs from previous workshop, a
walkthrough of the Engagement and an update on the
timelines and overall engagement plan.
The final version of the Agency Engagement Pack will be issued in late November 2020 to coincide
with the final agency workshop, however, there may be updates to these documents prior to this.
Agencies will be notified when significant updates are available, and these will be published on the
RealMe® Developer's Website.
For those agencies with more complex integrations, additional workshops may be required to ensure
all parties understand the changes required to support the replatformed RealMe service.
If you have any questions regarding any aspect of the Engagement Plan and/or the replatforming of
RealMe please email integrations@realme.govt.nz.
4.1 Agency Engagement Timeline
The following diagram and table depict a high-level view of the agency engagement timeline.
Agencies will be notified should there be any change to the timeline.
AGENCY ENGAGEMENT TIMELINE
16/10/2020 30/11/2020
As at September 2020 Publish Security Issue Agency Agency
and Privacy 30/10/2020 Engagement Pack Replatforming
information Agency Showcase (final) 30/11/2020
5/02/2020 10/04/2021
(via video) 6/11/2020 MTS Build
17/12/2019 Agency Workshop
EIT Build Complete 26/01/2021 - 18/03/2021
RealMe B2C One 25/09/2020
Agency Briefing Complete Agency Integration
Issue Agency
23/11/2019 Testing (ITE) and
Engagement Pack 2/12/2020 drop in workshops 12/04/2021
RealMe RePlatforming 19/02/2020 (final draft)
Project Initiated Agency Workshop Agency Workshop Service Transition
Two Three Complete
27/03/2020
Nov-19 Dec-19 Jan-20 Feb-20 Mar-20 Apr-20 May-20 Jun-20 Jul-20 Aug-20 Sep-20 Oct-20 Nov-20 Dec-20 Jan-21 Feb-21 Mar-21 Apr-21
24/10/2019 30/04/2021
11/11/2019 - 24/12/2019
1/03/21
Unify Proof of Concept
19/10/2020 - 13/11/2020 Help Desk
documentation
Unify System
6/01/2020 - 15/02/2020 available
Integration
Initiate Project 17/02/2020 - 14/05/2020 Testing
And Onboard Unify Unify Build Phase I 15/05/2020 - 16/10/2020
- design Unify Build Phase II
- con figure enviro nments 16/11/2020 - 18/12/2020
- data migratio n validation
- development
- requirement refinements DIA Integration
- data migratio n - RSA Token Testing (UAT)
- MTS Developmen t Tools
Key Agency Dates
Date Purpose
25 September 2020 Issue updated Agency Engagement Pack (including the Service
Management Pack)
16 October 2020 Publish Security and Privacy information for agencies
Readiness UNCLASSIFIEDDate Purpose
30 October 2020 Agency Showcase (via video)
9 November 2020 Early Integration Testing for complex agencies1
30 November 2020 Issue final Agency Engagement Pack
30 November 2020 (to be confirmed) MTS build complete for (optional) integration
2 December 2020 Agency Workshop Three
26 January 2021 to 18 March 2021 Agency Integration Testing (ITE) and drop in workshops
1 March 2021 (to be confirmed) Help Desk guides / documentation available
10 April 2021 Agency replatforming
5 Pre-requisites
In order to ensure production readiness, each agency must meet the following pre-requisites for
each of their respective applications.
Completed Description
☐ Confirm that RealMe® integration for your application is still required. If not, no
further integration steps are required, and your application will not be migrated to
the replatformed RealMe environment.
☐ Your application must be successfully integrated with the existing RealMe ITE
environment.
☐ Your agency must send at least one technical representative with RealMe
integration experience to the two RePlatforming workshops.
☐ Review and, where necessary, update information related to your application when
provided by DIA as follows:
• Key contact information.
• Details of RealMe services which are currently being consumed.
• SAML component used by your application, for further information refer to the
list of known RealMe SAML 2.0 components.
• EntityID(s) of the connected application environments in both ITE and
Production.
☐ Upon receipt of the Onboarding Pack:
• Perform tests to ensure that the new endpoints are accessible. If not, request
appropriate firewall change(s) and, once applied, retest.
• Integrate and successfully test application connectivity against the RePlatformed
Integration Testing Environment.
☐ For those agencies with integrations to the existing igovt Context Mapping Service
(iCMS), RealMe Context Mapping Service (RCMS), HelpDesk Web Application or
HelpDesk Web Service.
• Participate in additional workshops to understand the application changes which
are required to support the RePlatformed service(s).
• Amend your application(s) to consume the RePlatformed service(s).
• Regression test your application.
1
Complex agencies are deemed to be those who have services which use the Assert then Login flow and/or
run their own RealMe Help Desk. This environment will not be available post go-live.
Readiness UNCLASSIFIED6 High Level Overview
6.1 Who are UNIFY Solutions?
UNIFY has extensive experience in developing Identity and Access Management solutions for
numerous customers across a wide range of industry sectors, including a significant number of
government agencies. Most importantly, UNIFY has considerable experience with the Azure AD B2C
platform that has been selected by DIA to underpin the re-platformed RealMe® service.
6.2 Proposed Solution
The RealMe Login Service and RealMe Assertion Service will be redeveloped using Microsoft Azure
AD B2C. The major solution components required to meet the functional and non-functional
requirements of the RealMe platform are listed below. Also refer to Appendix One – Architecture
High Level Overview on page 12 of this document for an overview diagram.
• RealMe Login Service2 – developed using Microsoft Azure AD Identity Experience Framework,
SAML 2.0 and other Azure Services.
• RealMe Assertion Service1 – developed using Microsoft Azure AD Identity Experience
Framework, SAML 2.0 and other Azure Services
• RealMe Context Mapping Service (RCMS) – developed using Azure AD B2C and Microsoft Azure
Web API, Json Web Token (JWT) and other Azure Services.
• Help Desk Web Application - highly scalable and highly available web application provided to the
agency service desk users to support the users in managing RealMe credentials such as password
reset, updating contact details etc.
• Data Migration – all user records and three years of audit and event history will be migrated.
• Disaster Recovery - Azure AD's geographically distributed architecture combines extensive
monitoring, automated rerouting, failover, and recovery capabilities, which deliver company-
wide availability and performance to customers.
If you require further detail regarding the solution, please contact business@realme.govt.nz.
6.3 High Level Onboarding Process
The replatformed ITE RealMe will be available to agencies in late January 2020 for integration
testing. This will run in parallel with the existing RealMe ITE. The existing RealMe ITE will be made
unavailable once the replatforming of RealMe is complete.
The Production go-live will be a ‘single’ cutover, i.e. the replatformed RealMe environment will be
stood up for services to integrate with during a specific change window and the existing RealMe
environment will be made unavailable. This approach has been determined to be the best option
primarily due to the sheer volume of data that needs to be migrated from one fundamentally
different system to another. Further information regarding the data migration process will be made
available on the RealMe Developer’s website in October 2020.
EIT will be available for complex agencies to perform early integration testing in early November
2020. Once initial integration testing in EIT has been completed successfully, optional ‘self-service’
integration to MTS will be available for all agencies (to be confirmed but likely to be late November).
2
SAML bindings of POST and Artifact will continue to be supported.
Readiness UNCLASSIFIED6.3.1 Login and Assertion Services
The process for onboarding an application which uses either the Login Service or the Assertion
Service will require the application to update a new Identity Provider (IdP) metadata file. This file
will contain a new certificate and new endpoints for RealMe services. Depending on your network
configuration, some agencies may also require amended firewall rules3 to allow their application to
access the new endpoints. Further information will be provided as part of the Agency Onboarding
Pack however the process will be very similar to the RealMe certificate renewal process (most
recently in 2019).
There will be no requirement to supply new Service Provider metadata files for the ITE and
Production environments as these will be migrated as part of the replatforming exercise.
Note: agencies integrating to the MTS and EIT environments will be expected to provide an
amended Service Provider metadata file using the template which will be included in the ‘RealMe
Replatforming Bundle’ for that environment.
Agencies who are using Artifact binding will be requested to supply their Mutual SSL certificates for
both the ITE and Production environments. This is because the current RealMe utilises the
certificate thumbprint only whereas the replatformed RealMe uses the entire certificate.
6.3.2 iCMS/RCMS
The process for onboarding an application which use either iCMS/RCMS will require a change. The
change required will vary depending on your use of iCMS/RCMS. Agencies who use these services
will be contacted as part of the engagement process to ensure that all parties understand the
changes required to support the replatformed service. We will support you throughout the change
process.
Applications which use the Assert and Login flow are no longer required to interact with iCMS/RCMS
and will no longer be required to decrypt an Opaque Token as per earlier versions of this document.
Instead, the RealMe Assertion Service will issue the user’s FLT for agency as the NameID within the
Subject of the Assertion. This is the same method that is currently used by the Login service.
Applications which use iCMS or RCMS for seamless login or extended login use cases will require the
following changes:
• Applications which are using iCMS will need to integrate to the new RCMS service. iCMS will
be decommissioned.
• A change to the RCMS endpoint.
• Minor changes to integrate with RCMS using the standardised OAuth2.0 token exchange
profile.
6.3.3 Help Desk
Agencies who use either the Help Desk Web Application or Web Service will be contacted as part of
the engagement process to ensure that all parties understand the changes required to support the
replatformed service. We will support you throughout the change process.
6.3.4 Web Application
The existing RealMe Help Desk application will be decommissioned and replaced with a new web
application which will provide the same functionality as the existing RealMe Help Desk web
application.
3
This will be based on DNS based routing or mutual SSL authentication between applications and RealMe services.
Readiness UNCLASSIFIEDAgencies who use the Help Desk application will need to federate their internal active directory to the new RealMe Helpdesk Federation hub. This will streamline the setup of Help Desk users, allow agencies to provide their own internal governance and remove the need for the use of RSA tokens. Refer to Appendix Two – Helpdesk Architecture Overview on page 13 of this document for more information. 6.3.4.1 Web Service The Helpdesk Web Service will be decommissioned. Agencies who use this service will be contacted as part of the engagement process to support you through the change process and to ensure that all parties understand the changes required to support the RePlatformed service. We will support you throughout the change process. 6.4 RSA Tokens DIA has assessed the use of RSA Tokens and the decision has been made to migrate the existing RSA Tokens and associated infrastructure to the replatformed RealMe. Agencies who currently use RSA Tokens for applications other than the RealMe Help Desk will not need to take any further action. Readiness UNCLASSIFIED
Agency Engagement Pack
7 Appendix One – Architecture High Level Overview
Relying parties
DIA MBIE MSD IR Banks Others
NZ Public
SAMLv2.0 SAMLv2.0
WebSSO Endpoint WebSSO Endpoint
Agency Service Desk
RealMe Assertion
DIA
Azure AD B2C
RealMe Login Service Service
RealMe
Credentials Store
Graph API
MBIE
RealMe
RealMe Azure Resources
Front Door
SAMLv2.0
Azure AD B2C HD Access
IdP initiated
SSO Unify Business
RealMe Helpdesk Monitor
Federation Hub
RealMe Key Vault
IR
RealMe RealMe System
RealMe Helpdesk RealMe RealMe Extension Insights Monitor
Webapp Context Mapping Service RealMe
Functions App
MSD
Storage Account
RealMe Health and
Performance Check
Access through DIA - Microsoft
Agency Login Azure Tenancy RealMe Resource Group
Service Desk
Operators External Integration
RealMe Consent Service Identity Verification Service Address Verification Service
Readiness UNCLASSIFIED Page 12 of 13Agency Engagement Pack
8 Appendix Two – Helpdesk Architecture Overview
Agency Service Desk
1. Access RealMe
HD Web app
DIA MBIE IR MSD
Agency Service Desk
Operator
2. SAML IdP Initiated SSO
Azure AD B2C SAMLv2.0 SP Agency IdP
Metadata
Configuration
HD Operators
RealMe Helpdesk Federation Hub Credentials Store
3. redirect with operator token
RealMe
Front Door RealMe
Azure AD B2C
4. HD Landing Page
Get User Details Graph API
RealMe Azure RealMe Helpdesk
Resources Webapp
implements
Recover username Reset password Search user User summary
Update contact Update 2FA
Transaction details details Methods
RealMe Helpdesk Business Functions
Readiness UNCLASSIFIED Page 13 of 13You can also read
