Decentralized Identity and interoperability: What you need to know
- Posted on June 16, 2022
- Estimated reading time 4 minutes
We previously gave an insight into how Decentralized Identity works with the DID and VC standards and how biometrics are likely to play a major role in their adoption. This article focuses on the essential need to achieve interoperability across all identity systems, without compromising security, which will be a fundamental requirement of the future.
We are currently seeing a lack of interoperability across DID/VC implementations, and we all know there is a host of older identity standards like OIDC and SAML and many applications supporting only those. The future is set to bring even more polyphony to the Digital Identity world, considering that some large players have announced their own proprietary and incompatible take on digital identity.
It is therefore no wonder that the issue of interoperability is a common concern amongst our clients. In fact, their questions are two-fold:
- Can we use Decentralized Identity to allow internal or external users to log in to a legacy App that does not currently support it?
- Would a credential issued by some issuer, and stored in some wallet, be shareable with and verifiable by our specific verifier?
We will address these questions with the help of a few diagrams describing what we call a Digital Identity Gateway, shown to be compatible with DID, SSI, OIDC and SAML for the sake of example, yet there is nothing preventing interoperability with any other identity solution.
The simple gateway to OIDC and SAML
In its simplest form (Figure 1), a VC issued by the Microsoft Verifiable Credentials service is verified by the appropriate code module and is then converted to a piece of data in a common format, defined by the gateway design. An output module is then given this piece of data and converts it to either a signed OIDC token or a SAML token used with (typically legacy and older) Apps that only support SAML.
Figure 1: Conversion of a Microsoft VC input to an OIDC or a SAML output via the common format of the Digital Identity Gateway, showcasing how OIDC and legacy SAML Apps can work with modern Verifiable Credentials.
Supporting multiple wallets
The common data format of the gateway can also enable interoperability between different wallets and more. As shown in Figure 2, an “Other DID/SSI” module can receive a VC from a different issuer or wallet and convert it to the common data format. From there, the gateway can output to either OIDC or SAML and send it towards the Apps. A further “Other non-DID” module introduces compatibility with entirely different identification or authentication methods like OAuth, FIDO (YubiKey), etc.
Figure 2: Additional input modules could introduce compatibility with anything else
Stepping it up and enriching
The gateway can support not just conversion but further processing as well. Figure 3 shows the inclusion of a biometric verifier and/or data from a local database. In the case of biometrics, the flow could also use a VC, or it could be direct access to an API.
But the most interesting scenario for compatibility is the enrichment from a local database. Imagine a user who has lost their original VC but can authenticate sufficiently using a VC of their digitized Passport and Biometrics. If the Gateway can find the user in a local database, then it can load information about them that is not in the passport, e.g., their job title, preferences, access rights, etc. Using this information, the gateway can build a more complete output, enough to afford full compatibility with the Apps, even though it started with partial information from the passport. Even better, it can issue a new VC to the user to replace the lost one (not shown in the diagrams).
Figure 3: Optional steps could include enhancing the output with additional user data or qualifying the user log-in with biometrics, etc.
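As an added illustration of the gateway pattern in Figures 1 to 3 (example code written for this article, not Avanade's or Microsoft's implementation): an input module checks a VC-shaped document and maps it to a common format, an optional enrichment step adds locally held attributes, and two output modules render the result as an HS256-signed OIDC ID token and as a minimal SAML assertion. The trusted-issuer list, local database, signing key and sample VC are constructed, and VC proof verification is stubbed.

```python
import base64, hashlib, hmac, json
from datetime import datetime
from xml.etree import ElementTree as ET

# Constructed sample data (not Avanade's): a trusted issuer, an enrichment store, a signing key and a VC.
TRUSTED_ISSUERS = {"did:example:passport-authority"}
LOCAL_DB = {"did:example:alice": {"job_title": "Analyst", "roles": ["app:read"]}}
GATEWAY_KEY = b"hypothetical-gateway-signing-key"
GATEWAY_ISS = "https://gateway.example"
SAMPLE_VC = {"issuer": "did:example:passport-authority", "expirationDate": "2030-01-01T00:00:00+00:00", "credentialSubject": {"id": "did:example:alice", "name": "Alice"}}

def vc_input_module(vc: dict, now: int) -> dict:
    """Input module: check issuer trust and expiry, then map to the common format (proof check stubbed; a real module verifies the VC proof first)."""
    if vc.get("issuer") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    exp = datetime.fromisoformat(vc["expirationDate"]).timestamp()
    if exp <= now:
        raise ValueError("credential expired")
    subj = vc["credentialSubject"]
    return {"sub": subj["id"], "name": subj.get("name"), "attrs": {}}

def enrich(common: dict) -> dict:
    """Optional step (Figure 3): add locally held attributes for a known user."""
    common["attrs"].update(LOCAL_DB.get(common["sub"], {}))
    return common

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def oidc_output_module(common: dict, aud: str, now: int) -> str:
    """Output module: mint a short-lived HS256-signed OIDC ID token from the common format."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": GATEWAY_ISS, "sub": common["sub"], "aud": aud, "iat": now,
              "exp": now + 300, "name": common["name"], **common["attrs"]}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(GATEWAY_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def saml_output_module(common: dict) -> str:
    """Output module: render the same data as a minimal SAML 2.0 assertion (unsigned here; production assertions are XML-signed)."""
    ns = "urn:oasis:names:tc:SAML:2.0:assertion"
    a = ET.Element(f"{{{ns}}}Assertion")
    ET.SubElement(a, f"{{{ns}}}Issuer").text = GATEWAY_ISS
    ET.SubElement(ET.SubElement(a, f"{{{ns}}}Subject"), f"{{{ns}}}NameID").text = common["sub"]
    stmt = ET.SubElement(a, f"{{{ns}}}AttributeStatement")
    for name, value in common["attrs"].items():
        attr = ET.SubElement(stmt, f"{{{ns}}}Attribute", Name=name)
        for v in (value if isinstance(value, list) else [value]):
            ET.SubElement(attr, f"{{{ns}}}AttributeValue").text = str(v)
    return ET.tostring(a, encoding="unicode")
```

Running `enrich(vc_input_module(SAMPLE_VC, now))` and feeding the result to either output module shows the same normalised record leaving the gateway in both OIDC and SAML form.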
Gateways are integral to future identity systems
A Digital Identity Gateway, with a modular design and common conversion format, solves the issue of compatibility between the various DID/VC implementations as well as any other identity system. Gateways like these will be an integral part of future identity systems around the individual, verified via Biometrics, rather than identity proxies like passwords and “crutches of security” like 2FA.
Avanade has seen identity progress through to fully fledged IAM systems for employees, suppliers, and customers. We are now embarking on the next level of truly decentralised, global verifiable identity, with Microsoft AAD Verifiable Credentials as well as any other identity technology, including those seemingly unrelated.