The Client

The UK Department for Environment, Food and Rural Affairs (Defra) is responsible for protecting the environment and growing a sustainable and thriving green economy for rural communities in the UK. Defra has a vast external user base that interacts with its digital services. These users range from European and international bodies, public and private sector bodies, academics and student researchers, and voluntary and third-sector organisations, to the general public.
Condatis started working with Defra in 2018 to develop a CIAM system on Microsoft Azure Active Directory to improve access to Defra’s digital services. This initial engagement later led to the further development of Defra’s identity strategy, ensuring its identity systems are fit for resilience and growth and simplifying service provisioning to thousands of users, ranging from individuals to suppliers and external partners.
- Condatis have helped Defra develop a common platform for customer identity that complies with Government standards and provides a single customer touchpoint.
- Defra rebuilt its digital services post-Brexit to meet current UK requirements.
- We extended Microsoft Azure AD B2C’s integration capabilities by integrating with external identity providers for user authentication.
- The new CIAM system streamlines user migration to CRM.
- Condatis developed an eventing component to track and report security and business-level events raised by the system.
Defra’s identity journey, driven by the need to digitise its services, was interrupted by Brexit, which brought additional challenges: services previously provided by the EU had to be rebuilt for the UK whilst maintaining the same identity and high-security standards.
Defra needed to reduce duplication and costs by giving individuals a way to authenticate once and gain access to several services, instead of prompting users to re-authenticate at each stage, providing a consistent experience.
The key identity challenges for Defra were:
- 80% of transactions are business related: A need to verify the individual logging in on behalf of a company such as manufacturers, wholesalers or other rural and agricultural organisations.
- Managing complex customer relationships: A need to make sure the employees, as well as any delegated authority, such as agents, who transact on behalf of a particular organisation, have the appropriate level of access and control to interact with Defra services.
- Customers having multiple accounts for different services in Defra: A need to create a single identity across all Defra services, considering all the relationships and complexity within the business.
With thousands of external users interacting with Defra’s digital services, the objective of this new implementation was to consolidate all customer details and access control attributes into Defra’s Customer Relationship Management (CRM) systems. With HM Revenue and Customs (HMRC) as the sole identity provider, the CIAM system also needed to integrate with HMRC’s Secure Credential Platform.
The large scale of the challenge meant bespoke user journeys and custom policies were required, as well as migration of all legacy data and integration with multiple services. From the end-user point of view, it meant a single customer touchpoint with self-service capabilities, reducing the resources spent on user management.
The solution’s essential requirements were to:
- Retain existing business logic provided by Defra for registering and maintaining users, specifically managing the grouping of users into Organisations.
- Support delegation of rights between users.
The crux of Defra’s Customer Identity and Access Management (CIAM) transformation was introducing Microsoft’s Azure AD B2C product as the orchestration engine central to every user registration or authentication journey.
Azure AD B2C’s integration capabilities allowed us to manage integration with external identity providers for user authentication. We also integrated Defra’s Registration Application as an OpenID Connect (OIDC) claims provider to apply the complex business rules around registering users and organisations.
Condatis introduced an abstraction layer to add identity providers and external data sources, extending the solution’s reach and simplifying user migration into the CRM.
Our team also developed an eventing component capable of receiving business-level events raised by the CIAM solution, generating telemetry records, audit records and security events. The solution also included session tracking to improve user sign-in experience, enabling SSO across onboarded relying party applications. This allows users to sign into any available service using their single Defra credential, browse another service and gain access without being challenged to re-authenticate.
We extended this same principle to support Multi-Factor Authentication (MFA) requirements: a service can mandate the level of authentication assurance required for a specific authentication request, while trusting the level previously attained within the session, giving the security of MFA with the simplicity of SSO.
The solution also involves integration with the chosen external Identity Provider (IdP). It takes into account the authentication assurance level attained on the external IdP, so that the user is not prompted to perform the MFA step twice. Securing specific operations allows an onboarded application to mandate MFA for a given authentication request, regardless of whether the user previously completed MFA within the session.
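The session-tracking and step-up behaviour described above, as an added example that is not Condatis or Defra code: the assurance levels, session record, request fields and audit tuples are assumptions made here to show the decision logic, including the secured-operation case that forces MFA regardless of session state.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed ordering of assurance levels: a stronger level subsumes weaker ones.
LEVELS = {"password": 1, "mfa": 2}


@dataclass
class Session:
    user_id: str
    attained: str = "password"          # highest level proven locally this session
    idp_attained: Optional[str] = None  # constructed: level asserted by the external IdP
    audit: list = field(default_factory=list)  # stands in for the eventing component


@dataclass
class AuthRequest:
    relying_party: str
    required: str = "password"          # level the relying party mandates
    force_mfa: bool = False             # secured operation: always re-run MFA


def effective_level(s: Session) -> str:
    """Highest level proven either locally or by the external IdP."""
    candidates = [s.attained] + ([s.idp_attained] if s.idp_attained else [])
    return max(candidates, key=LEVELS.__getitem__)


def decide(s: Session, req: AuthRequest) -> str:
    """Return the journey step to run: 'sso', 'mfa' or 'reject'."""
    if req.required not in LEVELS:
        # Unknown level is a security event, not a silent downgrade.
        s.audit.append(("security", req.relying_party, "unknown_level"))
        return "reject"
    if req.force_mfa:
        s.audit.append(("security", req.relying_party, "forced_mfa"))
        return "mfa"
    if LEVELS[effective_level(s)] >= LEVELS[req.required]:
        s.audit.append(("audit", req.relying_party, "sso"))
        return "sso"
    s.audit.append(("audit", req.relying_party, "step_up"))
    return "mfa"


def complete_mfa(s: Session) -> None:
    """Record that the user passed the MFA step in this session."""
    s.attained = "mfa"
```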
Using Azure AD B2C to manage customer identity simplifies user access for Defra’s customers and improves the overall digital experience for customers and suppliers alike.
- A single account: Defra customers will only need one account to access any digital services supported by that account. They will be able to move between different services, including different regions.
- Centralised data: This allows Defra to safely keep track of all its customers in one place, offering users a degree of self-management.
- Improved efficiency: The system will simplify processes for their helpdesk team by giving them a single data source to access customer details, making it easier to assist with customer enquiries.
- Standardisation: Using Azure AD B2C provides a standards-based interface for any application or service to use when onboarding to the CIAM.
- SSO: Users can sign into any available service using their single Defra credential, browse to another service and gain access without being challenged to re-authenticate.
- MFA: A service can mandate the level of authentication assurance required for a specific authentication request while trusting the level previously attained within the session.
- Scalability: The newly developed CIAM system is more scalable, secure, and resilient, handling growing numbers of users and consuming services.