Federated identity policy

Purpose

This Queensland Government Enterprise Architecture (QGEA) policy is to enable departments to leverage credentials and identities established across public and private sectors, elevate the strength of these credential and identities where required for business needs and promote the responsible sharing and reuse of established identities and credentials in an interoperable format.

Policy statement

The Queensland Governments federated identity approach underpins a digital identity ecosystem encompassing public jurisdictions and private sector delivery partners who trust each others assurances of identity.

The ability to readily convey trusted identity information across this ecosystem is key to supporting a digital government and seamless service delivery within Queensland Government, other jurisdictions, service delivery partners and with Queenslanders.

Policy benefits

The adoption of a federated identity approach will:

• reduce the issuance of single purpose credentials (consolidation) through the ability to re-use credentials issued by another trusted party
• reduce the need to continually re-prove identity through the ability to re-use previous identity verifications (in part or in-full) undertaken by another trusted party
• Allow information and assurances to be exchanged between differing systems across federated parties
• support a seamless experience between services, across delivery channels, the Queensland public sector, and partner services for customers, clients, partners and staff through portability of identity
• allow attestations as to identity by other departments, government jurisdictions, or third parties which are authoritative and hold up to date information
• provide customers with choice of credential and with what evidence, both digitally and physically, they can use to prove their identity regardless of which service they access
• provide staff with simplified access to cross-departmental and whole-of-government ICT systems
• lower the risks of inappropriate access by providing relevant and verified identity information for use in authorisation decisions
• enable departments to adopt solutions that meet their business needs while still allowing them to exchange identity information.

Applicability

This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). Accountable officers (not already in scope of the Public Sector Act 2022) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this policy in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.

Policy requirements

Policy requirement 1: Departments must leverage and accept existing credentials and/or identities for authentication purposes

Using an existing identity or credential provider can provide the ability to leverage results of a previous authentication and/or identity verification across multiple services or organisations. If there is an existing credential or identity provider that services the constituency, the department must consider using them as a credential or identity provider, provided they meet requirements for service experience, privacy, identity assurance and security.

The re-use of existing credentials can reduce friction, enhance the user experience, especially for registration and recurrent login. When selecting a credential or identity provider, departments must consider the:

• constituency and likely credentials they may hold
• authoritative sources and pedigree of identity attributes
• types of devices used and support for biometrics which may serve as additional factors
• degree of trust placed on each credential e.g. strength and resistance to tampering.

Advice

Further information on how to determine authentication requirements can be located in the Queensland Government Authentication Framework (QGAF) and the Queensland Government Information Security Classification Framework (QGISCF).

Policy requirement 2: Departments must enable credential and/or identity strength to be elevated, commensurate with business risks

Departments must undertake a business risk assessment (involving information security classification) to determine the required strength of the identity registration and authentication process. This required strength can then be mapped to a comparable strength that is being offered by an identity or credential provider.

Where a higher level of strength is required than what is available, departments must implement appropriate business processes to elevate the strength of registration or authentication as necessary, often using multiple sources. This enables departments to build upon a strength previously achieved by a federated entity and elevate it to meet the departments requirement for the current interaction and subsequent interactions at the same or lower strength.

The results of any additional verifications undertaken by the department must also be sharable in accordance with policy requirement 3 to enable others to rely upon the upgraded strength as required.

Policy requirement 3: Departments must provide credential and identity information assertions in a standard interoperable format

Queensland's digital identity ecosystem must be able to interact and exchange information with many differing systems across federated parties to support the sharing of credential or identity information. A lack of interoperability produces silos of identity information and access control, whereby the value of an identity is lost across boundaries.

Queensland Government departments regarded as an authoritative source for specific credential or identity information must consider where appropriate implementing mechanisms which support the responsible verification, sharing and/or reuse of established identities, attributes and credentials in an interoperable format to assist other departments, jurisdictions and industry sectors to meet their identity and/or credential assurance requirements. This includes making available supporting information regarding the polices and procedures for issuance, maintenance and revocation of the credential or identity information to assist relying parties to make a business risk determination regarding the degree of trust and confidence they place in the credential or identity information for their own business purposes.

Queensland Government departments providing credential or identity information must either:

a) establish a documented agreement with a relying party to share the credential or identity information or make available the credential or identity information as a productised service under standardised terms and conditions. The information being exchanged, roles and responsibilities, policies and procedures, including security and privacy obligations each party needs to comply with and the measurements to verify adherence must be clearly defined.

b) provide a self-service mechanism by which relevant individuals as the owner of specific information attributes held by the department can share their credential or identity information with another federated party (to the extent permitted by the department).

Queensland Government departments must use industry identity federation standards where appropriate to maximise interoperability and support the exchange of credential or identity information.

Advice

For further information on preferred standards and protocol considerations to improve interoperability please refer to the Federated Identity Blueprint Standards.

Issue and review

Issue date: 18 December 2017
Next review date: December 2019

This QGEA policy is published within the QGEA which is administered by the Queensland Government Customer and Digital Group. It was developed by the QGCIO and approved by the Queensland Government Chief Information Officer.

Implementation

This policy comes into effect from the issue date.

Definition of terms