Integration

IdentityX Platform – Solution Architecture

IdentityX is a platform offering device authentication, biometric authentication (such as face, voice, fingerprint and palm), as well as PIN/passphrase authentication, one-time-passcodes and W3C WebAuthn based U2F tokens. The platform is a flexible, future-proofed product, supporting a range of biometric methods, including those of the Fast Identity Online (FIDO) Alliance and allowing identity information to be captured for onboarding, KYC & AML usage.

Example Solution Architecture for Daon Platform Deployment

The following is a brief description of each of the components illustrated in the architecture diagram above:

Clients can incorporate IdentityX software development kits (SDKs) into a new or existing mobile application. APIs and other components exist to enable seamless integration to web-based applications and other channels (websites, in-branch, etc.). In the mobile channel, IdentityX client-side libraries will be integrated within the mobile app to help capture and process the biometric data for enrollment and verification.

Two deployment models are available: 1) in a server-side deployment, biometric data is stored on the server and not on client devices; 2) in a client-side, FIDO (Fast Identity Online) deployment, biometric data is securely stored on the mobile device and no biometric data is ever sent to the server.

For enrollment, typically, clients are invited to download the app, login using existing credentials and self-register their biometrics.

The IdentityX FIDO Client SDK is optimized to be embedded with a small footprint into client apps. This SDK contains the set of services needed to capture biometric data and assess its quality, perform modality-specific liveness detection to mitigate the threat of spoofing (presentation attacks) and finally, in conjunction with the IdentityX Server, complete user registration. The IdentityX platform allows choices about how to configure and deploy the FIDO Client SDK. It can be configured to:

a. Use one or more biometric modalities (face, voice, finger, etc.)

b. Perform biometric matching locally, server-side or in a hybrid model

c. Use one or more liveness techniques, separately or in combinations (e.g., blink and passive detection for facial recognition)

The mobile app can now provide convenient, strong authentication capabilities for the mobile app itself as well as for out-of-band authentication to web applications.

Typically our customers utilize an application server, enterprise service bus (ESB) or orchestration tool as the core hub coordinating communication and correlating events occurring across various internal sub-systems and external applications. Daon’s platform services are exposed via a SOAP or REST Application Programming Interface (API) and as such, this Business Tier within the platform will be configured to invoke the relevant set of platform services – enrollment, verification, etc. as they are needed and coordinate any responses with other participating systems.

The Daon Platform SRP processes requests from applications, manages connectivity to the platform’s database, and manages connections to all biometric matchers. It houses much of the platform’s “business logic” such as security, policy management, service management, and auditing.

The SRP houses the Application Programming Interfaces (APIs) through which the functional and administrative services are exposed. Daon’s platform follows a Service Oriented Architecture (SOA) and supports both SOAP and REST-based service calls, which are thoroughly documented in our Best Practices library.

IdentityX Server provides both server-based authentication and a FIDO UAF Certified server supporting the FIDO UAF protocols, where authentication takes place on the user’s device. Clients have the option of performing matching on the device, in which case the IdentityX FIDO Client SDK (identified in #1 above) would manage matching.

Daon’s platform has been designed to provide inherent support for multiple biometric modes and capabilities. Unlike systems designed to support a single biometric mode into which other biometrics are added later, our platform is biometric technology neutral (i.e., there is no bias towards specific biometrics devices or matching algorithms). For server-side matching use-cases, a key concept in supporting this is our “snap-in” framework. A snap-in encapsulates a biometric matching algorithm, allowing the platform to remain vendor agnostic with regard to biometric matching algorithms.

Many of our customers utilize fraud detection tools, rules engines, risk engines or orchestration platforms to support automated, risk-based decision analysis for the authorization of transactions of interest (transfers, payments, etc.). Our platform was designed to integrate easily with all of these tools, has already been implemented with the likes of Ping Identity, CA Solutions and Nice Actimize, and integrates easily with others, facilitating real-time analysis and telling IdentityX whom to authenticate and with which policies. Our mobile SDKs can pass key signals as input to these complementary systems, including whether or not the device has been rooted/jailbroken, GPS data and manufacturer-supplied attestation data proving the authenticity of the make/model of the device. The enterprise business layer can also receive feedback from IdentityX’s authentication history to further enhance its ability to calculate the level of risk.

Many clients also utilize a variety of other enterprise identity stores (e.g. Active Directory), security appliances (e.g. Virtual Private Network), existing Identity and Access Management systems and/or network/operational monitoring tools. Our platform has pre-configured integration tools for many of these; we also provide easy integration via our Application Programming Interface or via industry-standard protocols (such as Java Management Extensions).

IdentityX supports the RADIUS protocol and has been deployed by customers for Cisco, Citrix, and Juniper VPNs.

Web Services: IdentityX exposes all of the enrollment, verification, and administration capabilities of the platform through SOAP and REST-based Web Services. All services required to manage user registrations and authentication for FIDO authentication apps are available as REST web services, including options for server-based authentication, leveraging extensions to the standard.

For REST-based services, developers can refer to the IdentityX Java REST SDK Integration Guide and the FIDO Integration Guide. IdentityX SOAP web services are documented in the IdentityX SOAP Interface Guides. WSDLs for the SOAP Web Services are provided with the platform installation, along with a sample SOAPUI project.

Federation: IdentityX is also able to participate in federated architectures where an Identity and Access Management (IDM) tool participates. Based on the asset to be accessed and the protocol a customer wishes to utilize, we offer several options (see the table below for a summary).

Table: Federated Architecture Options in IdentityX


In scenarios where additional secure authentication is required to access the APIs, we can support OpenID Connect (JSON Web Tokens). The IdentityX 4.4 Quick Release Guide – Rest API access based on signed JWT describes the OpenID Connect process in greater detail. For both REST API access and Single Sign-On to the Admin console, we can also work directly with SAML assertions issued by the IdP.

With additional configuration, we can also support a scenario where the IdP issues a token based on an authentication performed in IdentityX. For this scenario, plugins (for example, for ForgeRock and Ping IAMs) that sit inside the IdP allow it to check a transaction with IDX before generating a token. Using this token, the user (through a gateway) obtains access to the IdentityX REST services.
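The gateway step in this flow is where a signed token is accepted or refused before any REST call reaches the platform. The following is an added example of that check, written for this page; it is not Daon code and does not reproduce the IdentityX token format described in the referenced guide. It assumes an HS256 (HMAC) shared secret so that it runs with the Python standard library alone, whereas an OpenID Connect IdP would normally sign with RS256/ES256 keys published at its JWKS endpoint; the issuer, audience and secret values are constructed for the sample. The ordering is the security-relevant point: pin the algorithm, verify the signature, and only then read and check the claims (issuer, audience, expiry).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values (hypothetical). A real deployment uses the IdP's
# issuer URL, the API's registered audience, and the IdP's published keys.
SHARED_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "identityx-rest-api"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    """Serialize a header or claim set the way a JWT segment is built."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP: build an HS256-signed JWT for the sample."""
    signing_input = f"{encode_segment({'alg': 'HS256', 'typ': 'JWT'})}.{encode_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None, secret: bytes = SHARED_SECRET) -> dict:
    """Return the claims if the gateway should accept the token, else raise ValueError.

    Signature first, claims second: nothing in the payload is trusted until the
    HMAC over the exact header and payload segments has been verified.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: never honour 'none' or whatever alg the token claims.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims


def gateway_decision(token: str, now: Optional[int] = None) -> str:
    """Collapse the verifier into the single allow/deny the gateway acts on."""
    try:
        verify_token(token, now=now)
        return "allow"
    except ValueError as exc:
        return f"deny: {exc}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the sample is reproducible
    good = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-123", "exp": t0 + 300})
    print("fresh token:   ", gateway_decision(good, now=t0))
    print("expired token: ", gateway_decision(good, now=t0 + 600))
    h, p, s = good.split(".")
    print("alg=none token:", gateway_decision(f"{encode_segment({'alg': 'none'})}.{p}.", now=t0))
```

When run, the sample accepts the freshly minted token and refuses the expired copy and the `alg: none` variant. Swapping the HMAC for an asymmetric check (RS256/ES256 with a JWKS-fetched public key) changes only the signature step; the algorithm pinning and claim checks stay the same.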

This component manages data persistence utilizing standard commercial databases, typically Oracle or SQL Server. IdentityX supports two configuration modes: one in which identities are stored on the server and another in which they are stored on the client. Hybrid configurations are also possible. In a server-side configuration, all biometrics in the system are stored centrally in this database. The Daon security architecture assumes attacks may originate from both insiders and outsiders. From a design perspective, the network is assumed to be insecure and the system and its components are assumed to be subject to attacks, including both logical and physical unauthorized access, database compromise, and operating system and application software attacks.

HIGHLY AVAILABLE (HA) CONFIGURATION: A typical platform node has one machine (physical server or virtual machine) for the SRP and its SnapIns. To create a highly available deployment of the platform, two or more nodes should be run in parallel with a load balancer configured to distribute requests between the nodes.

FIDO Integration Model

The diagram below depicts a typical FIDO solution architecture (Daon components in gold).


  • Available for iOS and Android
  • Connects to native FIDO UAF Clients and Authenticators
  • Connects to native non-UAF Connectors
  • Supports embedded authenticators
  • Supports ADoS (match-on-server) Authenticators
  • Fully Customizable UI

Learn more about IdentityX and enterprise integration

For more information on how IdentityX is deployed and integrates with other enterprise systems to reduce risk, detect fraud and protect privacy, get in touch with us here.