ADR 013: Identity Federation Standards
Status: Accepted | Date: 2025-08-15
Context
Applications need to integrate with multiple identity providers, including jurisdiction citizen identity services, enterprise directories, and cloud identity platforms. Current approaches use inconsistent protocols (SAML, OIDC, proprietary), which creates integration complexity and security inconsistencies.
Modern identity federation requires support for emerging standards like verifiable credentials while maintaining compatibility with legacy enterprise systems.
- Digital ID Act 2024
- OpenID Connect Core 1.0
- OWASP Authentication Cheat Sheet
- EU Digital Identity Wallet Architecture and Reference Framework (ARF) - European digital wallet standards
- ISO/IEC 18013-5:2021 Mobile Driving Licence - mobile document (mDL) standard for verifiable credentials
Decision
Standardise on OpenID Connect (OIDC) as the primary federation protocol for all new identity integrations, with SAML 2.0 support only for legacy systems that cannot support OIDC.
Protocol Standards:
- Primary: OpenID Connect for modern identity providers and new integrations
- Legacy Support: SAML 2.0 only when upstream providers require it and OIDC is unavailable
- Security: Implement PKCE for OIDC public clients and proper token validation
- Compliance: Support Digital ID Act 2024 requirements for jurisdiction identity services
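The PKCE and token validation requirements above, as an added illustration that is not part of this ADR or of any managed platform's code: a hypothetical helper module that derives a PKCE pair using the S256 transform from RFC 7636 and checks the ID token claims listed in OpenID Connect Core 1.0 section 3.1.3.7 (iss, aud/azp, exp, iat, nonce). It assumes the token signature has already been verified against the provider's published keys; the issuer, client id and nonce values are constructed for the example.

```python
import base64
import hashlib
import secrets
import time

# Hypothetical helper module (not from the ADR). Signature verification against
# the provider's JWKS is assumed to happen before the claim checks below.


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JOSE require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def validate_id_token_claims(claims, issuer, client_id, nonce, now=None, skew=60):
    """Return the list of failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != issuer:
        failures.append("iss")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        failures.append("aud")
    # With several audiences, azp must be present and name this client
    if len(auds) > 1 and claims.get("azp") != client_id:
        failures.append("azp")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        failures.append("exp")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + skew:
        failures.append("iat")
    # The nonce binds the token to this login attempt (replay protection)
    if nonce is not None and claims.get("nonce") != nonce:
        failures.append("nonce")
    return failures
```

A client stores the verifier from make_pkce_pair() per login attempt, sends only the challenge in the authorization request, and rejects the token unless validate_id_token_claims() returns an empty list.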
Architecture Requirements:
- Applications should integrate through managed identity platforms (AWS Cognito, Microsoft Entra ID), not directly with identity providers
- Separate privileged and standard user domains for administrative access isolation (see Reference Architecture: OpenAPI Backend)
- Support multiple upstream identity providers per application
- Maintain audit trails per ADR 007: Centralised Security Logging
Identity Federation Flow:
The managed platform handles protocol translation between OIDC and SAML providers, token validation, and audit logging.
Emerging Standards:
- Support W3C Verifiable Credentials for jurisdiction identity services as they mature
- Plan for OpenID4VC wallet-based authentication patterns
- Align with EU Digital Identity Wallet (EUDI) architecture for international interoperability
- Support ISO/IEC 18013-5 mobile document (mDL) credentials for government-issued identity
Implementation Requirements:
- Implement fallback authentication mechanisms for critical systems
- Choose identity platforms with high availability and data export capabilities
Consequences
Benefits:
- Consistent modern federation standard across all applications
- Better security through OIDC’s improved token handling and PKCE support
- Simplified integration with jurisdiction citizen identity services
- Clear separation of administrative and standard user access
Risks if not implemented:
- Fragmented authentication systems across applications
- Legacy SAML limitations hindering citizen service integration
- Inconsistent security posture across identity touchpoints