Plan your SuisseID implementation carefully

Feb 19, 2011

The implementation of SuisseID in your existing infrastructure is not just a technical challenge. It may also require a thorough analysis and re-definition of your identity management and authentication processes. It is an objective that calls for careful reflection and thinking. It can be vital to overcome the psychological barrier of accepting a third party like “La Poste”, “Swisscom” or “QuoVadis” in the role of trusted supplier; any such change is worth addressing from the outset in order to avoid misunderstandings.

“The implementation of SuisseID in your infrastructure is not just a technical challenge. The fundamental changes are worth addressing from the outset in order to avoid any misunderstanding!”

Process

The pivot of the SuisseID process is the proper identification and authentication of the “to-be” holder of the certificate by a Certificate Authority (CA).

SuisseID - Card with chip

In the case of the Swiss Post (“La Poste”) the CA is its subsidiary SwissSign. It relies on two elements to be able to issue a certificate.

On the one hand is the employee at your local post office who checks the presented ID for validity, verifies that it matches the person in front of them (photo) and makes a copy, thus certifying the authenticity (and therefore trustworthiness) of the copy. This service is known as their “yellow ID” product. Other parties that can certify the authenticity of a proof of identity are notaries or local councils. Alternatively you can have one or several employees trained and certified for this role within your organisation (ID @ Office, point 3.2.2.3, only available in German). Once this identification has been carried out, the user’s documentation will allow them to submit their forms and apply for a SuisseID.

On the other hand we see the SwissSign employee who receives and processes each request together with the authenticated ID copy. A subset of the personal data from the identification document (e.g. a passport) is stored in the identity provider service (IDP) operated by the Certificate Authority. The only way to retrieve that data is by strong authentication with the IDP using the appropriate SuisseID authentication certificate. SwissSign makes sure that only trusted attributes (i.e. attributes that are present on the ID) are registered as attributes of the client. In the end the client receives a card with a chip and a (USB or external) card reader.

Under the SuisseID standard this chip contains two certificates: one certificate for the purpose of authentication and one certificate for electronic signing. Both certificates contain only the bare minimum of personal information on the chip, and all information that is available through the IDP is based strictly on the information from the passport or identity card.

“SuisseID for your access management is like integrating an electronic passport in your authentication processes.”

Implementation of SuisseID in your corporate environment is like integrating an electronic passport in your authentication procedure. This passport is issued and guaranteed by a third party who can vouch for the validity of the information contained therein. Hence the importance of accepting this third party as a trusted body.

In the case of “La Poste” the yellow identification with its certified copy lies at the heart of the trusted third party principle, by which many different attributes like first name, surname and date of birth are validated and integrated into the database of the SuisseID IDP.

Some more about technical principles

From a technical standpoint, the implementation of SuisseID in the company infrastructure relies on application programming interfaces (APIs) through which it is possible to connect programmatically. These APIs are documented, and architects can specify the requests that need to be made to the Identity Providers (IDP) in order to integrate SuisseID into the identity management and authentication mechanisms of the company.

But although technical aspects define constraints and a framework within which identity management and authentication must take place, usability should be prioritized. Particularly for a company that has its own identity repository (e.g. a centralized directory), it will be necessary to define the levels of integration between the existing identity repository and the external IDPs, and to specify the access to the various IT resources or programs that is linked to each identity.

This is why, in the analysis phase, it is important to anticipate some of the following processes:

  • Set the necessary attributes of your digital identity – SuisseID proposes 15 attributes as a “standard” set.
  • Define the process for the creation of an identity with SuisseID.
  • If you have existing electronic identities, it might be worthwhile to define the process of linking the existing authentication with the SuisseID authentication. This is the case for a company that already offers online services and has defined its own identity management processes.
  • In the case of a SuisseID connection with existing identities, it might also be worth defining a process for unlinking a SuisseID authentication, in order to allow the authentication mechanisms as initially implemented without SuisseID.
  • Define the various user authentication mechanisms to access online services: SuisseID only, or multiple mechanisms maintained side by side – as SuisseID is currently not yet sufficiently widespread, the company might focus instead on maintaining several authentication mechanisms.
  • Establish a process for releasing the SuisseID – it is possible to use the process defined by the IDP.
  • Define an identity process and association rules in relation to existing business repositories.
  • Manage the exceptions to the identity association rules.
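As an added illustration of the linking, unlinking and exception-handling processes listed above (example code written for this post, not code from SuisseID, SwissSign or any IDP), the sketch below models a company directory record, a hypothetical association rule that only links a local account to a SuisseID when the IDP attributes (first name, surname, date of birth) match the directory, and a fallback to the previously implemented authentication mechanism after unlinking. The attribute names, the `subject` identifier and the rule itself are assumptions for the example; the IDP attributes are assumed to have been retrieved after a successful strong authentication with the SuisseID certificate.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LocalAccount:
    """Record from the company's own identity repository (constructed sample)."""
    username: str
    given_name: str
    surname: str
    birth_date: str                 # ISO date as stored in the directory
    legacy_auth_enabled: bool = True  # the mechanism implemented before SuisseID
    suisseid_subject: Optional[str] = None  # set once the account is linked

@dataclass
class IdentityLinker:
    """Association rules between the directory and IDP attributes (hypothetical)."""
    exceptions: list = field(default_factory=list)  # cases needing manual review

    def link(self, account: LocalAccount, idp_attrs: dict, keep_legacy: bool = False) -> bool:
        # Rule: the attributes the IDP took from the passport/ID must match the
        # directory record; otherwise record an exception instead of linking.
        mismatched = [k for k in ("given_name", "surname", "birth_date")
                      if idp_attrs.get(k) != getattr(account, k)]
        if mismatched or not idp_attrs.get("subject"):
            self.exceptions.append((account.username, mismatched or ["subject"]))
            return False
        account.suisseid_subject = idp_attrs["subject"]
        # Either keep several mechanisms side by side or switch to SuisseID only.
        account.legacy_auth_enabled = keep_legacy
        return True

    def unlink(self, account: LocalAccount) -> None:
        # Unlinking restores the authentication mechanism used before SuisseID.
        account.suisseid_subject = None
        account.legacy_auth_enabled = True

def authenticate(account: LocalAccount, mechanism: str, subject: Optional[str] = None) -> bool:
    """Decide whether a login attempt is acceptable under the account's current state."""
    if mechanism == "suisseid":
        # Only a SuisseID whose subject is linked to this very account is accepted.
        return account.suisseid_subject is not None and subject == account.suisseid_subject
    if mechanism == "legacy":
        return account.legacy_auth_enabled
    return False
```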

As can be seen from the non-exhaustive list of processes above, the analysis will require a great deal of attention, especially since SuisseID is still a young solution with significant potential for organizational simplification. It also still leaves open many questions without clear answers from the IDP; it allows room for interpretation and provides options for each implementer to create its own solution according to its own needs.
