Integrate Identity Verification as a Service

Identity Verification as a Service (IDVaaS) allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery. When integrated, with Identity as a Service, IDaaS acts as an OIDC client to connect to Identity Verification as a Service, allowing users to use their IDVaaS to verify their identity or allowing users to use their identity for authentication, or both. This integration guide discusses how to set up IDaaS for IDVaaS identity verification and/or authentication.

To integrate Identity Verification as a Service with IDaaS as an Identity Provider, you must do the following:

Step 1: Prerequisites

Before you begin, you need the following information from Identity Verification as a Service:

Step 2: Add IDVaaS as an Identity Provider in IDaaS

1. Log in to your IDaaS administrator account.

2. Click > Security > Identity Providers. The Identity Providers List page appears.

3. Click and select Identity Verification as a Service. The Add Identity Provider page appears.

4. Enter a Name for the Identity Provider.

5. In the Client ID field, paste the Your Client ID from IDVaaS (see Step 1: Prerequisites).

6. In the Client Secret field, paste the Your Client Secret from IDVaaS (see Step 1: Prerequisites).

7. Enter the Issuer URL from IDVaaS (see Step 1: Prerequisites).

8. Click Fetch Configuration to populate the following fields:

● Authorization Endpoint

● Token Endpoint

● JWKS URI

9. Optional. Enter the Max Authentication Age to set the allowed elapsed time, in seconds, since the last time a user was actively authenticated at the Identity Provider.

For example, if you set a value of 300 seconds, if a user authenticated with the Identity Provider more than 300 seconds ago, they must re-authenticate. Leave this setting blank to omit this feature.

10. Enter the Auth Method Request values that are used by your IDVaaS. Separate each value with a space.

11. Configure Branding as follows:

a. Enter the Login Button Text. This is the text that appears on the IDaaS log in page.

b. Leave the login button as is. The login button appears on the IDaaS log in page.

12. Configure User Management.

a. Select Create User to create the user whose information is returned from the Identity Provider if it does not already exist.

Attention: Create user allows anyone with access to your chosen Identity Provider to create a user in your IDaaS account. Depending on your IDaaS configuration, new users created by your IDP will be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large userbase. Analyze the risks before enabling this option.

b. Select Update User (Authentication) to update the IDaaS user to match the Identity Provider during authentication.

If you select Update User (Authentication), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on claim mappings. After user authentication, if the user exists in IDaaS, IDaaS compares the attributes of the existing user to the claims returned from the Microsoft Azure AD. If they are different, the IDaaS user attributes are updated with the claim values.

i) The following system attributes are mandatory in IDaaS by default:

– Email: email

– First name: given_name

– Last name: family_name

ii) If they do not exist in your Identity Provider account, you must add them to your user profiles or make them optional in IDaaS. See your Identity Provider documentation for information on how to add a new user or update an existing user profile.

c. Optional. Select Update User (Verification) to update the IDaaS user to match the Identity Provider during Identity Provider verification (if verification is used by the Identity Provider).

If you select Update User (Verification), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on claim mappings. After user verification, the IDaaS user attributes are updated with the claim values.

13. Do not configure Groups and role mapping.

14. If using IDVaaS for authentication, configure User Authentication as follows:

a. Select Enabled for User Authentication.

During authentication, the Identity Provider returns a claim value that is used to find the IDaaS user based on a user attribute. The attribute mappings in the claim must uniquely identify the IDaaS user for mapping to be successful. If mapped successfully, the Identity Provider can be used as an alternative authentication method.

b. From the drop-down list, set the User Attribute used to identity the user as User ID/Alias.

c. Set the Claim used to identify the user as sub.

d. Optional. Configure User Authentication Match mapping. You can map both system and custom user attributes.

– Every configured attribute must match the corresponding Identity Provider claim value and the IDaaS user attribute.

– The Identity Provider claim value and the IDaaS user attribute must both exist and match.

– If a match fails, authentication using IDP fails.

– User matching is case-insensitive.

15. If using IDVaaS verification, set User Verification as follows:

a. Select Enable for User Verification if you want the Identity Provider to be used for verification. For example, you want do this to allow an Open ID Connect Identity Provider to validate a user's photo or private identification information and return corresponding claims that are mapped to the IDaaS user attributes.

b. Configure at least one User Verification Match Mapping.

– You must configure at least one matching attribute.

– Every configured attribute must match the corresponding Identity Provider claim value and the IDaaS user attribute, which must both exist and match.

– User matching is cas- insensitive.

– You can map both system and custom user attributes.

Note: See Manage policies, registration, and verification for more information on the verification process.

16. Click Save.