
Federated Authentication

BDI Associations have their own private Association Register: membership is not published in a widely shared register or ledger for obvious security reasons.

Participation requirements

Participation in the same data space with others does however require that members of different BDI Associations can:

  • discover their respective endpoints (Discovery);
  • verify their membership of a BDI Association;
  • verify the reputation/status of the others in the BDI Association;
  • authenticate each other in a federated manner, meaning interacting with their respective BDI Association Register Services (ASR);
  • understand and sign the data license selected by the data owner when accessing data.

The OpenID federated authentication approach https://connect2id.com/learn/openid-federation provides an interesting basis for federated authentication.


Procedure

Discovery allows a Data Consumer (DC, member of BDI Association Rotterdam (BDIR)) to send a client assertion to the data endpoint of the Data Service Provider (DSP, member of BDI Association Felixstowe (BDIF)). The DSP inspects the assertion and verifies with the Association Register Service of BDIF whether the DC is:

  • known;
  • onboarded;
  • not blacklisted.


About client assertion

The client assertion includes information about the BDIR of the DC.

  • The Association Register Service BDIF recognizes the membership claim and contacts the BDIR of the DC using the same discovery mechanism.
  • BDIF verifies the credentials of BDIR and requests proof of membership, onboarding and signing of DC agreements. This includes adherence to standard data licenses.
  • BDIR verifies the credentials of BDIF and sends the requested proof to BDIF.
  • BDIF evaluates the proof and sends the assessment to the DSP.
  • The DSP makes its own trust assessment and acts upon it by:
    • allowing;
    • declining, or;
    • limiting access with heightened security.
  • BDIF caches the proof in the Outsider cache with a TTL.
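
The procedure and the client assertion flow above, as an added example that is not part of the BDI documentation or any BDI implementation: a constructed Python model in which the BDIF register resolves the membership claim of an outsider through the BDIR register, caches the proof in an Outsider cache with a TTL, and the DSP makes its own allow/decline/limit decision. The proof fields, the `peers` lookup standing in for discovery, and the DSP's policy rules are assumptions; the mutual credential check between the two registers is not modelled.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Member:
    onboarded: bool = False
    blacklisted: bool = False
    agreements: frozenset = frozenset()   # signed DC agreements / data licenses

# Constructed proof shape for a client the queried register does not know.
UNKNOWN = {"known": False, "onboarded": False, "blacklisted": False, "agreements": []}

@dataclass
class AssociationRegister:
    """One BDI Association's private Association Register Service (constructed model)."""
    name: str
    members: dict = field(default_factory=dict)
    outsider_cache: dict = field(default_factory=dict)   # (association, sub) -> (proof, expiry)

    def proof_of_membership(self, client_id):
        """Answer a peer register's request about one of our own members."""
        m = self.members.get(client_id)
        if m is None:
            return dict(UNKNOWN)
        return {"known": True, "onboarded": m.onboarded,
                "blacklisted": m.blacklisted, "agreements": sorted(m.agreements)}

    def verify_outsider(self, assertion, peers, ttl=300, now=None):
        """Resolve the membership claim in a client assertion through the peer
        register it names, caching the proof in the Outsider cache with a TTL.
        `peers` (assumption) stands in for discovery: association name -> register."""
        now = time.time() if now is None else now
        key = (assertion["association"], assertion["sub"])
        cached = self.outsider_cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]                       # fresh cached proof, no round trip
        peer = peers.get(assertion["association"])
        proof = dict(UNKNOWN) if peer is None else peer.proof_of_membership(assertion["sub"])
        self.outsider_cache[key] = (proof, now + ttl)
        return proof

def dsp_decision(proof, required_license):
    """The DSP's own trust assessment. The page leaves the exact policy to the DSP;
    this rule set is an assumption: unknown, blacklisted or not onboarded -> decline,
    onboarded but the requested data license not yet signed -> limited, else allow."""
    if not proof["known"] or proof["blacklisted"] or not proof["onboarded"]:
        return "decline"
    if required_license not in proof["agreements"]:
        return "limited"
    return "allow"
```

Note that a revocation on the BDIR side only reaches BDIF once the cached proof expires, so the TTL bounds how long a blacklisted member can still be assessed as trustworthy.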


Data repositories

The assumption is that BDI Associations build up a repository of generic and more data space-specific data licenses based on the business patterns of their members. Members will request additions to the repository when starting to participate in a data space with specific data licenses as part of their onboarding in a data space. It is assumed that, in most cases, generic data licenses will be used that are fit for business interactions.
