Final | December 2017 | v1.0.1 | OFFICIAL - PUBLIC | QGCIO
This Queensland Government Enterprise Architecture (QGEA) policy is to enable departments to leverage credentials and identities established across public and private sectors, elevate the strength of these credential and identities where required for business needs and promote the responsible sharing and reuse of established identities and credentials in an interoperable format.
The Queensland Government’s federated identity approach underpins a digital identity ecosystem encompassing public jurisdictions and private sector delivery partners who trust each other’s assurances of identity.
The ability to readily convey trusted identity information across this ecosystem is key to supporting a digital government and seamless service delivery within Queensland Government, other jurisdictions, service delivery partners and with Queenslanders.
The adoption of a federated identity approach will:
- reduce the issuance of single purpose credentials (consolidation) through the ability to re-use credentials issued by another trusted party
- reduce the need to continually re-prove identity through the ability to re-use previous identity verifications (in part or in-full) undertaken by another trusted party
- Allow information and assurances to be exchanged between differing systems across federated parties
- support a seamless experience between services, across delivery channels, the Queensland public sector, and partner services for customers, clients, partners and staff through portability of identity
- allow attestations as to identity by other departments, government jurisdictions, or third parties which are authoritative and hold up to date information
- provide customers with choice of credential and with what evidence, both digitally and physically, they can use to prove their identity regardless of which service they access
- provide staff with simplified access to cross-departmental and whole-of-government ICT systems
- lower the risks of inappropriate access by providing relevant and verified identity information for use in authorisation decisions
- enable departments to adopt solutions that meet their business needs while still allowing them to exchange identity information.
This policy applies to all Queensland Government departments (as defined by the Public Service Act 2008). Accountable officers (not already in scope of the Public Service Act 2008) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this policy in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.
Policy requirement 1: Departments must leverage and accept existing credentials and/or identities for authentication purposes
Using an existing identity or credential provider can provide the ability to leverage results of a previous authentication and/or identity verification across multiple services or organisations. If there is an existing credential or identity provider that services the constituency, the department must consider using them as a credential or identity provider, provided they meet requirements for service experience, privacy, identity assurance and security.
The re-use of existing credentials can reduce friction, enhance the user experience, especially for registration and recurrent login. When selecting a credential or identity provider, departments must consider the:
- constituency and likely credentials they may hold
- authoritative sources and pedigree of identity attributes
- types of devices used and support for biometrics which may serve as additional factors
- degree of trust placed on each credential e.g. strength and resistance to tampering.
Further information on how to determine authentication requirements can be located in the Queensland Government Authentication Framework (QGAF) and the Queensland Government Information Security Classification Framework (QGISCF).
Policy requirement 2: Departments must enable credential and/or identity strength to be elevated, consummate with business risks
Departments must undertake a business risk assessment (involving information security classification) to determine the required ‘strength’ of the identity registration and authentication process. This required strength can then be mapped to a comparable strength that is being offered by an identity or credential provider.
Where a higher level of strength is required than what is available, departments must implement appropriate business processes to elevate the strength of registration or authentication as necessary, often using multiple sources. This enables departments to build upon a strength previously achieved by a federated entity and elevate it to meet the departments requirement for the current interaction and subsequent interactions at the same or lower strength.
The results of any additional verifications undertaken by the department must also be sharable in accordance with policy requirement 3 to enable others to rely upon the upgraded strength as required.
Policy requirement 3: Departments must provide credential and identity information assertions in a standard interoperable format
Queensland’s digital identity ecosystem must be able to interact and exchange information with many differing systems across federated parties to support the sharing of credential or identity information. A lack of interoperability produces silos of identity information and access control, whereby the value of an identity is lost across boundaries.
Queensland Government departments regarded as an authoritative source for specific credential or identity information must consider where appropriate implementing mechanisms which support the responsible verification, sharing and/or reuse of established identities, attributes and credentials in an interoperable format to assist other departments, jurisdictions and industry sectors to meet their identity and/or credential assurance requirements. This includes making available supporting information regarding the polices and procedures for issuance, maintenance and revocation of the credential or identity information to assist relying parties to make a business risk determination regarding the degree of ‘trust’ and confidence they place in the credential or identity information for their own business purposes.
Queensland Government departments providing credential or identity information must either:
a) establish a documented agreement with a relying party to share the credential or identity information or make available the credential or identity information as a productised service under standardised terms and conditions. The information being exchanged, roles and responsibilities, policies and procedures, including security and privacy obligations each party needs to comply with and the measurements to verify adherence must be clearly defined.
b) provide a self-service mechanism by which relevant individuals as the ‘owner’ of specific information attributes held by the department can share their credential or identity information with another federated party (to the extent permitted by the department).
Queensland Government departments must use industry identity federation standards where appropriate to maximise interoperability and support the exchange of credential or identity information.
For further information on preferred standards and protocol considerations to improve interoperability please refer to the Federated Identity Blueprint – Standards.
Issue and review
Issue date: 18 December 2017
Next review date: December 2019
This QGEA policy is published within the QGEA which is administered by the Queensland Government Chief Information Office. It was developed by the QGCIO and approved by the Queensland Government Chief Information Officer.
This policy comes into effect from the issue date.
Definition of terms
|Identity federation||A federation is a cooperative agreement between autonomous entities that have agreed to work together, and is supported by trust relationships and standards to support interoperability. Identity federation protocols allow for the conveyance of authentication, authorisation or identity information across a set of networked systems, domains or entities.|
|Identity provider||A trusted entity which orchestrates the registration of identity, binds that identity to a credential and asserts the identity at the time of authentication. The Identity provider may also perform the role of an attribute provider which asserts the correctness and consistency of specific attributes.|
|Credential provider||A trusted entity that manages and issues to users one or more authenticators (digital credentials). This function may be standalone or is commonly internalised within an Identity Provider.|
|Customer||A person or entity that consumes a government service.|
|Client||A person or entity that receives services or resources from the government.|
|Partner||A person or entity that provides services on the government’s behalf.|
|Staff||A person or entity that works for the government to deliver services|
|User||Any person or entity defined above that interacts with a service.|