Before You Start - Digital-Platform-Services/My-NS-Account GitHub Wiki


My NS Account Integration Considerations

General Considerations

  • My NS Account is a free service available to all Province of Nova Scotia services. As part of the service, the shared cryptographic tokens are rotated periodically on a 3-year cycle. The replacement tokens are provided free of charge, but your application must be updated with them each time they are rotated, so plan for this maintenance window.

  • My NS Account issues a persistent identifier for each user, scoped to each application integrated with My NS Account. Sometimes called the RPID, it is a sixty-four (64) digit hexadecimal number and appears as the NameID in SAML or as the Subject (sub) claim in OIDC. Your application must store it and use it to identify the user on every subsequent authentication. The RPID stays constant even if the user changes their name, username or email address; it changes only if the account is deleted or the user revokes your application's access through My NS Account.

  • Attribute mapping must be done between My NS Account and your application. This means taking the list of all attributes supplied by My NS Account and mapping each to your application, taking into account differences in data types and size limits between the two systems. The complete list of attributes supplied by My NS Account can be found in the Attributes List.

  • A link to the user's My NS Account profile (or Active Directory profile) is supplied as an attribute with every authentication. You may wish to expose this link in your application so the user can update their profile in My NS Account and, subsequently, in your application. Note that few, if any, attributes of Active Directory identities are editable by the user, but the link at least shows the user where their identity information is held should they wish to have it updated internally through their Active Directory profile.

  • My NS Account is available in both English and French. Provide the name of your application and a short, one (1) line description of it in both French and English so that users of either language can identify your application in My NS Account.

New User Provisioning

  • My NS Account provides authentication and, to a limited extent, authorization based on the authentication source. If your application has authorization requirements that cannot be met by restricting the authentication source in My NS Account or by using the My NS Account group functionality, your application is responsible for providing its own access control.

  • Unless your business needs require otherwise, most My NS Account authentications should be supported by just-in-time provisioning of new users in your application: when a user authenticates with My NS Account and accesses your application for the first time, your application handles the access request itself. This may take the form of a user record that has direct access to your application, or one that requires approval from one of your administrators before the user can use the application. Your application is responsible for delegating and managing its own role-based access control, but it may use the attributes supplied by My NS Account to do so.

Integration into a Net-New System

It is always easier to start with a fresh application. Be sure to allow for storage of the RPID from My NS Account in your user record and treat it as the identifying key for any user authenticated through My NS Account.

Integration into a Pre-Existing System

Identity resolution is a key element.

You will need a way to map a user from My NS Account to an already existing user record in your application. In all cases, we strongly suggest that you link the user record in your application to My NS Account using the RPID, and that you first look for a matching RPID in your system when resolving an authenticated user. If no RPID is found in your system, here are a few different approaches. Note that this is not a one-size-fits-all choice: depending on your business needs, there may be additional requirements or restrictions.

  • Email Mapping – if your system has an email address on file, this may be the easiest method. Have the user authenticate to My NS Account, then match the authenticated user's email address to the email address on file and attach the RPID to that user record. Only attach the RPID when exactly one record matches; if the address is shared by several records, fall back to another method rather than guess.

  • One Time Double Authentication – if your system was publicly available and protected by a local username and (hashed) password, you can ask the user for that username and password after they authenticate to My NS Account. You can then identify the previously used user record in your application and attach the RPID to it. After that initial match, you should no longer require the second authentication.

  • Secondary Attribute Mapping – if your application is the system of record for some shared piece of information that is not publicly available, such as a certificate number or account number, you may ask the user for this secondary information to identify the previously used user record in your application and attach the RPID to it. The key point is that this secondary information must not be easily discoverable by outsiders through social media or an educated guess. Attributes like date of birth or street address, which are widely available, are poor choices.
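The resolution order described in this section and the just-in-time provisioning described under New User Provisioning, as one added example (not code from the My NS Account project). It assumes the claims have already been extracted from a verified SAML assertion or OIDC ID token, that the NameID / sub value is passed as "rpid", and that the claim names and the in-memory UserStore are illustrative stand-ins for your own user table. The unlink step models a revocation notice: the RPID is discarded but the record is kept, so the user's next login with a fresh RPID can be re-resolved.

```python
"""Identity resolution with just-in-time provisioning for an application that
relies on My NS Account.  Added example, not code from the My NS Account project.
Assumptions: claims come from an already verified assertion or ID token, "rpid"
holds the NameID / sub value, and the claim names and UserStore are illustrative."""
import re
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, List, Optional, Tuple

RPID_RE = re.compile(r"[0-9a-fA-F]{64}")   # an RPID is a 64-digit hex string


@dataclass
class UserRecord:
    user_id: int
    email: str
    display_name: str
    rpid: Optional[str] = None                # set once linked to My NS Account
    approved: bool = True                     # False for JIT records awaiting an administrator
    certificate_number: Optional[str] = None  # secondary attribute this app is system of record for


class UserStore:
    """Illustrative in-memory directory; a real application uses its own user table."""

    def __init__(self) -> None:
        self._users: Dict[int, UserRecord] = {}
        self._by_rpid: Dict[str, int] = {}

    def add(self, email: str, display_name: str, certificate_number: Optional[str] = None,
            approved: bool = True) -> UserRecord:
        rec = UserRecord(len(self._users) + 1, email.lower(), display_name,
                         certificate_number=certificate_number, approved=approved)
        self._users[rec.user_id] = rec
        return rec

    def by_rpid(self, rpid: str) -> Optional[UserRecord]:
        uid = self._by_rpid.get(rpid)
        return None if uid is None else self._users[uid]

    def by_email(self, email: str) -> Optional[UserRecord]:
        # Only a single, not-yet-linked record may be attached by email; ambiguity falls through.
        hits = [u for u in self._users.values() if u.email == email.lower() and u.rpid is None]
        return hits[0] if len(hits) == 1 else None

    def by_secondary(self, certificate_number: str) -> Optional[UserRecord]:
        # Constant-time comparison of the user-supplied value against each unlinked record.
        hits = [u for u in self._users.values()
                if u.certificate_number is not None and u.rpid is None
                and compare_digest(u.certificate_number, certificate_number)]
        return hits[0] if len(hits) == 1 else None

    def link(self, rec: UserRecord, rpid: str) -> None:
        if rec.rpid not in (None, rpid):
            raise ValueError("record is already linked to a different RPID")
        rec.rpid = rpid
        self._by_rpid[rpid] = rec.user_id

    def unlink(self, rpid: str) -> bool:
        # Revocation notice: discard the RPID but keep the user record.
        uid = self._by_rpid.pop(rpid, None)
        if uid is None:
            return False
        self._users[uid].rpid = None
        return True


def resolve_user(store: UserStore, claims: dict,
                 secondary: Optional[str] = None) -> Tuple[UserRecord, str]:
    """Return (record, method).  Order: RPID match, then email mapping, then a
    user-supplied secondary attribute, then JIT provisioning pending approval."""
    rpid = claims["rpid"]
    if not RPID_RE.fullmatch(rpid):
        raise ValueError("RPID is not a 64-digit hexadecimal string")
    rec = store.by_rpid(rpid)
    if rec is not None:
        return rec, "rpid"
    rec = store.by_email(claims["email"])
    if rec is not None:
        store.link(rec, rpid)
        return rec, "email"
    if secondary is not None:
        rec = store.by_secondary(secondary)
        if rec is not None:
            store.link(rec, rpid)
            return rec, "secondary"
    rec = store.add(claims["email"], claims["display_name"], approved=False)
    store.link(rec, rpid)
    return rec, "provisioned"


def demo() -> List[str]:
    """Constructed walk-through; returns the resolution method used at each login."""
    store = UserStore()
    store.add("alice@example.com", "Alice", certificate_number="NS-000123")  # pre-existing user
    rpid_a, rpid_b = "a" * 64, "b" * 64                                     # constructed RPIDs
    alice = {"rpid": rpid_a, "email": "alice@example.com", "display_name": "Alice"}
    methods = [resolve_user(store, alice)[1],   # first login: matched by email, RPID attached
               resolve_user(store, alice)[1]]   # later logins: matched by RPID
    store.unlink(rpid_a)                        # user severed the relationship with this app
    alice2 = {"rpid": rpid_b, "email": "alice.new@example.com", "display_name": "Alice"}
    methods.append(resolve_user(store, alice2, secondary="NS-000123")[1])  # new RPID, new email
    bob = {"rpid": "c" * 64, "email": "bob@example.com", "display_name": "Bob"}
    methods.append(resolve_user(store, bob)[1])  # unknown user: JIT record, awaits approval
    return methods
```

Running demo() returns ['email', 'rpid', 'secondary', 'provisioned']. The One Time Double Authentication method fits the same slot as the secondary attribute: replace by_secondary with a lookup by legacy username plus a password-hash verification, and link on success. Email mapping is only as trustworthy as the identity provider's email verification, which is why an ambiguous match falls through to the next method instead of linking.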

User Attribute Update

  • At any time, a user may update various user attributes (see the Attributes List) in My NS Account. Depending on your application, this may have downstream effects that you want to consider.

  • Updates to user attributes will not affect the RPID assigned to the user or your application.

  • If you integrate via SAML and your application supports this functionality, you can expect a SAML change-notify message (ChangeNotifyService) informing your application of changes to a particular user record, identified by RPID. If there is a business need to keep the user record in your application up to date, you should update it based on these messages.

User Revocation / Termination of Service

At any time, a user of My NS Account may either (1) sever their relationship with your application or (2) delete their profile entirely.

  1. User severs their relationship with your application

    • My NS Account retains the user record, but the RPID associated with your application is disposed of. If your application is set up to receive SAML user revocation notices, you will receive a message when this happens telling you to revoke the user with the given RPID. If the user later accesses your application again, a new RPID is generated and passed along. Identity resolution may then be required to match the new RPID to the previous record (if present); otherwise a new user record will need to be created in your application.
  2. User deletes their My NS Account profile entirely

    • The My NS Account user record is purged from the system and all relationships between federated applications and that user are severed. If your application is set up to receive SAML user revocation notices (ManageNameIDService), you will receive a message when this happens telling you to revoke the user with the given RPID. If the user creates a new My NS Account and accesses your application again, a new RPID is generated and passed along. Identity resolution may then be required to match the new RPID to the previous record (if present); otherwise a new user record will need to be created in your application.
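Both revocation cases above deliver a SAML 2.0 ManageNameIDRequest carrying a Terminate element to your ManageNameIDService endpoint. The following is an added example (not code from the My NS Account project) of receiving that notice: the request below is constructed and laid out per the SAML 2.0 core schema, the issuer entityID and request ID are placeholders, and signature verification is assumed to have been done by your SAML library before this code runs. The handler only drops the RPID link and keeps the user record, matching the behaviour described above.

```python
"""Handling the SAML 2.0 ManageNameIDRequest that an identity provider sends to a
service provider's ManageNameIDService endpoint to terminate a NameID (the RPID).
Added example, not code from the My NS Account project.  The sample request is
constructed; signature verification is assumed to have happened already."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RPID_RE = re.compile(r"[0-9a-fA-F]{64}")
IDP_ISSUER = "https://idp.example.invalid/"   # placeholder, not the real entityID
RPID_A = "a" * 64                             # constructed RPID

# Constructed Terminate request; ID and IssueInstant are placeholders.
SAMPLE_TERMINATE = f"""<samlp:ManageNameIDRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{RPID_A}</saml:NameID>
  <samlp:Terminate/>
</samlp:ManageNameIDRequest>"""


def parse_terminate_request(xml_text: str, expected_issuer: str) -> Optional[str]:
    """Return the RPID to revoke, or None if this is not a Terminate request from
    the expected issuer.  A NewID request is rejected as well: an RPID is never
    renamed in place, it is only discarded and a new one issued on next login."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}ManageNameIDRequest":
        return None
    if root.findtext(f"{{{SAML}}}Issuer", default="").strip() != expected_issuer:
        return None
    if root.find(f"{{{SAMLP}}}Terminate") is None:
        return None
    name_id = root.findtext(f"{{{SAML}}}NameID", default="").strip()
    return name_id if RPID_RE.fullmatch(name_id) else None


def handle_revocation(links: Dict[str, int], xml_text: str,
                      expected_issuer: str) -> Optional[str]:
    """Apply a revocation notice to an RPID -> user_id map.  Only the link is
    removed; the user record stays so a later login with a fresh RPID can be
    re-resolved.  Repeated notices for the same RPID are harmless."""
    rpid = parse_terminate_request(xml_text, expected_issuer)
    if rpid is None:
        return None
    links.pop(rpid, None)
    return rpid


if __name__ == "__main__":
    links = {RPID_A: 1, "b" * 64: 2}
    print(handle_revocation(links, SAMPLE_TERMINATE, IDP_ISSUER), links)
```

In production, parse the request with your SAML library (or defusedxml) rather than xml.etree directly, since the endpoint receives untrusted XML, and reply with the ManageNameIDResponse the protocol expects. Checking the issuer and the RPID shape before touching the user table keeps a stray or malformed message from unlinking anyone.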