Pattern 8: National Identity, Broker AuthZ
This pattern uses national components to handle all authentication and authorisation of users. Local systems then use the tokens issued by the national services to make access control decisions, without having to implement any local authentication or authorisation services of their own.
Advantages:
- Provides a single mechanism for establishing system-to-system trust between sharing systems, backed by a lightweight national assurance process that allows them to make use of the national PKI.
- Provides a single enforcement point for API calls flowing through the broker, ensuring nationally agreed controls are applied consistently.
- Reduces costs for local and regional solutions.

Disadvantages:
- Takes all authorisation away from local systems. Local systems can still inspect tokens and apply additional checks to block a request if necessary, but this could confuse a client that has already been told that access is authorised.
- Authorisation would only be performed against nationally agreed policies, using information held about the user nationally. It would not perform checks that rely on user attributes held only in the local systems, such as legitimate relationship checks.
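As an added illustration of the second disadvantage (this is example code, not part of the original pattern description or of any national implementation), the following shows a local system validating a nationally issued token and then layering its own legitimate-relationship check on top of the national authorisation. The signature uses an HMAC shared key as a stand-in for a national PKI signature so that it runs with the standard library alone; the issuer name, scope names, claim layout and relationship data are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the national PKI: an HMAC key so the example needs no
# third-party library. A real deployment verifies an asymmetric signature against
# the national certificate chain instead.
NATIONAL_SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
NATIONAL_ISSUER = "national-broker"   # assumed issuer claim value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_national_token(claims: dict, key: bytes = NATIONAL_SIGNING_KEY) -> str:
    """Simulates the national service minting a signed, JWT-style token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_national_token(token: str, key: bytes = NATIONAL_SIGNING_KEY, now=None):
    """Local-system validation: signature, issuer and expiry. Returns claims or None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:          # malformed base64, JSON or token layout
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != NATIONAL_ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims


def local_access_decision(claims, patient_id: str, local_relationships: dict) -> str:
    """National scopes decide the baseline; the legitimate-relationship check is local.

    local_relationships maps a user subject to the set of patients they may access,
    i.e. the attribute the broker cannot see (constructed data for this example)."""
    if claims is None:
        return "deny: invalid token"
    if "record:read" not in claims.get("scope", []):
        return "deny: national authorisation missing"
    if patient_id not in local_relationships.get(claims.get("sub"), set()):
        return "deny: no legitimate relationship (local check)"
    return "allow"
```

Note that a client receiving the final "deny" above has already been told by the broker that its access was authorised, which is exactly the confusion the first disadvantage describes.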