Compliant Implementation of Trust Registry

Full Name and Status

An example of building a compliant trust registry. It is based on Microsoft open source solution ASP.NET core 2.2 and show deployment on the Amazon Web Service (AWS).

This is still a work in progress. Do not expect full functional code at this time.

Context

This example shows one way to construct a compliant Federation Trust Registry using ideas from the Health Care community.

Solution

Access to the Example

Currently a working draft of the Trust Registry example web site is available here soon.

Working Notes

Building the Example from GitHub

the new version on GitHub with core 2.2 is fully functional.

Building an ASP.NET solution from scratch

• From Visual Studio add new project with: C#, MVC razor pages, Change Identifier to Individual.
• Take control of the user information by overriding the IdentityUser with a local name, here we use the name UserObject to align with terminology in this wiki.
  • It is common to include UserGroup as well as UserObject in the definition if the admin or other types of user will be included in the same database.
• Scaffold Identity in ASP.NET Core 2 projects.
  • for this example choose the instructions labled "Scaffold identity into a Razor project without existing authorization"
  • In the project right-click select add -> scaffold -> Identity and override all files, type in layout cshtml name, DB name and UserObject
  • If you have your own definition of the user before scaffolding, you might wind up with two definitions; delete one.
  • Make a choice about enabling Two factor authentication. If enabled put .AddDefaultTokenProivders() in startup and add email and/or phone providers.
  • For ASP.NET Core 2.2 the razor page format includes the view model and controller in the code behind file, not in a separate controller file.

Next steps

Set up goals and start to build examples and best practices for all of the roles in an ID ecosystem.

1. Now that the IDEF has established a self assessment, work on enabling the ID ecosystem needs enable relying parties and other entities to comply.
2. Promote a Trustmark with UX collateral, images of various sizes for web sites.
3. The Kantara web site itself should be an example of Guidelines.
4. There is an IdP which shows the Guidelines for that industry. (The roles of IdP generates identity tokens. It may consume input from user credentials, but not identity tokens.)
5. The UXC work on suggestions for the look and feel of a Guidelines RP.
6. Move the example RP into broad adoptions for relying parties.
7. Preliminary work on the IdP has begun.
8. The best practice protocol for inter op between IAPs and RPs is the OpenID Connect protocol.

Questions and Answers for Designers and Developers

Will need to build for best practices:

• Privacy policy (PP)
• Terms of use (ToU)
• Are there specific ToU and PP provisions that demonstrate how the IDEAL RP might deal with User Private Information in their policies.

UX Questions Specific to the RP example code

1. Demo verification of email (or cell phone) address - will be needed to support Recovery and Notification.
2. What are the canonical terms for identification?
   1. logon logout register resign
   2. login logoff create remove
   3. signin signout signup signoff
3. User roles - how to model - note that one user can have multiple roles
   1. Join email list (no role)
   2. Registered as a member (has applied)
   3. Accepted as a member (partially manual)
   4. Suspended Member
   5. member of an organization
   6. voting member of an organization
   7. Officers of the site
   8. Site Admin

Other issues to look at:

• Some method for creating a strong web site identity, e.g. EV Certs or the new proposal taking shape at Google Chrome.
• Recording devices that are under the control of the user together with the device capabilities for data capture and display
• While all content on this page is covered by the IPR rules, it should be clear that the content on pages linked from this site may have different ownership rights asserted.

References and Coordination

• The page at Best Practice and Example Relying Party gives a more architectural and design approach to creating a compliant RP site.
• The Microsoft web site has a description of the Namespaces in ASP.NET Core that can be used as an alternate identity schema. It was the precursor for the schema used here.
• this site describes how to debug this app if running an Azure. Other scenarios are available near where that link goes.
• source code for Microsoft IdentityModel OpenIDConnect

Issues and Comments

• Any comments, suggestions or issues with the best practices or code can be tracked at this site. You must have a sign in method for GitHub.
• General comments about this web page can be made on the "Discussion" tab at the top of the page. You must be a registered member of this site to make comments here.
• Impact of deprecation of Google+