United Kingdom Overview - RUB-NDS/FutureTrust GitHub Wiki

Authentication in the UK is defined in the Identity Assurance Hub Service SAML 2.0 Profile used by GOV.UK Verify[1].

The following participants are involved:

  • Identity Provider (IdP): The IdP is a private-sector organization that verifies the identity of the user and asserts that identity towards the RP (via the Hub).
  • GOV.UK Verify Hub (Hub): The infrastructure managing the interaction between users, RPs, IdPs and the matching service. In other words, the Hub mediates all interactions between the IdP and RP.
  • Relying Party/Government Service (RP): The RP offers a service requiring user authentication.
  • Matching Service (MS): The MS “… matches a user’s assured identity to a local identifier in the service’s records to allow them to use the service”[2].

Figure 1: Architecture of "GOV.UK Verify" and protocol flow[2]

Figure 2: Abstract Overview of the protocol flow in “FCCX” and "GOV.UK Verify" (Brandao, Christin, Danezis, & others, 2015)

In GOV.UK Verify the authentication flow is depicted in Figure 1 and Figure 2.

  1. The user calls the Government Service (RP) and starts the eID-based authentication.
  2. The user is redirected to the Hub, which mediates all interaction between the IdP and the RP.
  3. The user chooses the IdP that will be used for the authentication.
  4. The Hub forwards the user to the chosen IdP.
  5. The user authenticates at the IdP.
  6. The IdP generates the authentication token, which is sent through the user's browser to the Hub.
  7. This step exists only in the Federal Cloud Credential Exchange (FCCX) flow specified in the USA and is therefore skipped in GOV.UK Verify.
  8. The Hub uses the Matching Service (MS) to match the user's assured identity to a local identifier in the service's records, so that the user can use the service.
  9. The Hub generates a new authentication token of its own containing the identity of the user and sends it to the RP; the RP therefore consumes the Hub's token, not the IdP's.
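The nine-step flow above, as an added runnable model written for this page (it is not code from the FutureTrust project or from GOV.UK Verify): each party is a small class, HMAC over a JSON payload stands in for the XML signatures on SAML messages, and the request IDs play the role of SAML's InResponseTo. The audience and InResponseTo checks at the Hub and at the RP, the one-use-per-request handling of tokens, and the per-RP hashing of the IdP's persistent identifier before it reaches the Matching Service are assumptions of this model (standard SAML hygiene, not steps taken from the page); all keys, entity IDs, users and matching records are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo keys. HMAC over a JSON payload stands in for the XML signature on a SAML
# message; in a real deployment each party verifies the others with public keys, not shared secrets.
HUB_KEY, IDP_KEY = b"hub-demo-key", b"idp-demo-key"

def sign(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key, token):
    body = json.dumps(token["payload"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), token["sig"]):
        raise ValueError("signature check failed")
    return token["payload"]

def hashed_pid(idp_id, pid, rp_id):
    # Assumed pseudonymisation step: the MS sees a per-RP hash, never the raw IdP identifier.
    return hashlib.sha256(f"{idp_id}|{pid}|{rp_id}".encode()).hexdigest()

class RelyingParty:                       # government service: steps 1 and 9
    def __init__(self, entity_id):
        self.entity_id, self.pending = entity_id, set()

    def start_login(self):                # step 1: remember the request ID we issued
        rid = secrets.token_hex(8)
        self.pending.add(rid)
        return {"id": rid, "issuer": self.entity_id}

    def consume(self, hub_token):         # step 9: only the Hub's assertion is accepted
        p = verify(HUB_KEY, hub_token)
        if p["audience"] != self.entity_id or p["in_response_to"] not in self.pending:
            raise ValueError("assertion not for this RP, unsolicited, or replayed")
        self.pending.remove(p["in_response_to"])
        return p["local_id"]

class IdentityProvider:                   # private-sector IdP: steps 5 and 6
    def __init__(self, entity_id, users):
        self.entity_id, self.users = entity_id, users

    def authenticate(self, hub_request, username, password):
        if self.users.get(username, {}).get("password") != password:
            raise ValueError("authentication failed")
        u = self.users[username]
        # Addressed to the Hub and answering the Hub's request: the IdP is never told which RP.
        return sign(IDP_KEY, {"issuer": self.entity_id, "in_response_to": hub_request["id"],
                              "audience": hub_request["issuer"], "persistent_id": u["pid"],
                              "attributes": {"name": u["name"]}})

class MatchingService:                    # step 8: assured identity -> local record
    def __init__(self, records):
        self.records = records            # hashed pid -> local identifier

    def match(self, hub_request):
        return self.records.get(verify(HUB_KEY, hub_request)["hashed_pid"])

class Hub:                                # steps 2-4, 6, 8, 9: mediates everything
    def __init__(self, entity_id, known_idps, ms):
        self.entity_id, self.known_idps, self.ms, self.sessions = entity_id, known_idps, ms, {}

    def start(self, rp_request, chosen_idp):          # steps 2-4: user picks an IdP
        if chosen_idp not in self.known_idps:
            raise ValueError("unknown IdP")
        hid = secrets.token_hex(8)
        self.sessions[hid] = (rp_request, chosen_idp)  # only the Hub links RP and IdP
        return {"id": hid, "issuer": self.entity_id}

    def receive_idp_token(self, idp_token):           # steps 6, 8 and 9 (no step 7 here)
        p = verify(IDP_KEY, idp_token)
        session = self.sessions.pop(p["in_response_to"], None)   # one use per hub request
        if session is None or p["audience"] != self.entity_id or p["issuer"] != session[1]:
            raise ValueError("token does not answer the open request to the chosen IdP")
        rp_request = session[0]
        hashed = hashed_pid(p["issuer"], p["persistent_id"], rp_request["issuer"])
        local_id = self.ms.match(sign(HUB_KEY, {"hashed_pid": hashed, "attributes": p["attributes"]}))
        if local_id is None:
            raise ValueError("matching failed")
        return sign(HUB_KEY, {"issuer": self.entity_id, "audience": rp_request["issuer"],
                              "in_response_to": rp_request["id"], "local_id": local_id})

def build_parties():
    # Constructed sample deployment: one IdP with one user, one RP with one matching record.
    idp = IdentityProvider("https://idp.example",
                           {"alice": {"password": "correct horse", "pid": "pid-1234", "name": "Alice"}})
    rp = RelyingParty("https://service.gov.example")
    ms = MatchingService({hashed_pid(idp.entity_id, "pid-1234", rp.entity_id): "LOCAL-42"})
    return rp, Hub("https://hub.example", {idp.entity_id}, ms), idp

def run_flow(username="alice", password="correct horse"):
    # One complete login: steps 1-4 (RP -> Hub -> IdP), 5-6 (IdP -> Hub), 8-9 (MS, Hub -> RP).
    rp, hub, idp = build_parties()
    hub_req = hub.start(rp.start_login(), idp.entity_id)
    hub_tok = hub.receive_idp_token(idp.authenticate(hub_req, username, password))
    return rp.consume(hub_tok)
```

`run_flow()` returns the local identifier `LOCAL-42`; a wrong password, a token addressed to a different audience, or a second presentation of the Hub's assertion to the RP raises `ValueError`. What the model makes visible is who sees what: the IdP's token names only the Hub as its audience, the RP checks only the Hub's signature, and the Hub alone holds the session that links the RP request to the chosen IdP.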

A more technical protocol overview is available in the following figure.

Figure 3: GOV.UK Verify protocol flow[1]

References

1. Pegman, M., Cooper, A., & Dunn, S. (August 2015). Identity Assurance Hub Service SAML 2.0 Profile v1.2a.
2. Identity Assurance Team (November 2015). Identity Assurance Documentation.
