The IN.gov Program, a partnership between the Indiana Office of Technology and Indiana Interactive, has been tasked with implementing a single sign-on authentication mechanism and Identity Provider for public online applications for the State of Indiana, referred to as Access Indiana. The benefits of a standard authentication solution include, but are certainly not limited to:
Single Credential and Sign-on Capabilities
Greater Access Control Security
Active Directory Federation (B2B)
Customer Access Panel (Dashboard)
Improved Customer Experience
Customer Confidence in Brand
The following resources are intended to provide Indiana agencies with the initial tools and information they need to integrate with Access Indiana.
The preferred integration strategy is the removal of the current/legacy authentication mechanism from the agency application. The sign-up/sign-in functionality would then leverage Access Indiana. In the event that a user has a legacy login to the agency application, the user would then connect the new Access Indiana profile with their legacy login by validating their legacy credentials in a process we refer to as account linking.
Benefits of this approach include:
Simplifies landing page with a unified message to sign-in via Access Indiana
Curbs prolonged confusion of having multiple login paths and credentials
Successful authentication leads into new user registration on first visit
Basic profile information can be returned from Access Indiana to seed the application registration
Prompt for legacy login if the agency/user can determine it is an existing user to link the accounts
Successful legacy login links existing account to Access Indiana identity
Application flow for new user registration is almost the same, simplifying tier 1 support and training needs
Integration Process & Request Form
We are prescribing the OpenID Connect hybrid flow for agency implementations. This requires both front-channel and back-channel communications and is based on the assumption that the agency is using cookies for authentication (if you are not, please note this so that we can have a further conversation about your individual implementation). Access Indiana must establish individual client IDs and secrets for each application environment that your application will use. We would also need to include a localhost route for the development team (example: http://localhost:port) if your agency uses localhost. Keep in mind that the agency application must be able to receive sign-in and sign-out calls initiated by the agency application itself as well as by Access Indiana; this requires distinct URLs/pages from your application to be included in your client setup.
Once the clients are established, the developer can visit the Access Indiana well-known endpoint for the OpenID configuration, which lists the endpoint paths and the claims available from Access Indiana.
The following details will be needed per environment to set up your application in Access Indiana.
Application developers provide configuration information for each application environment (Dev, QA, UAT, etc.):
Name of application (This will be visible to the user)
Valid reply URLs for the application
Redirect path for Agency Initiated Authorization
Redirect path for Access Indiana Initiated Authorization
Redirect path for Agency Initiated App sign-out
Redirect path for Access Indiana Initiated sign-out
If your application is outside of the state network, there may be additional firewall information to be exchanged (please let us know)
Access Indiana team defines the application within the Access Indiana platform
Provide agency developers with Client ID and Client Secret, via encrypted email for each environment that is being setup
Client Secret is unrecoverable if lost and would have to be changed and resent
Successful Access Indiana authentication allows the agency to redeem bearer tokens for the user claims and scopes defined in the well-known endpoint.
To register your client application with Access Indiana, please submit the above criteria on the following online form.
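The hybrid flow prescribed above returns an authorization code together with an ID token on the front channel, and the relying party must validate that ID token (issuer, audience, expiry, nonce and the c_hash that binds the code to the token) before redeeming the code at the token endpoint. The following is an added example written for this page, not Access Indiana's or the IN.gov Program's code: it reads provider metadata from a constructed stand-in for the well-known document, builds the authorization request with a per-login state and nonce, and validates the callback. The issuer URL, client ID, redirect URI and shared key are all constructed placeholders, and the signature check uses HMAC-SHA256 only so the example runs offline; a production integration verifies the provider's RS256 signature against its published JWKS with a certified library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed stand-in for the metadata a relying party reads from the provider's
# /.well-known/openid-configuration document. Real values come from Access Indiana's
# published well-known endpoint, not from here.
DISCOVERY = {
    "issuer": "https://idp.example.invalid",
    "authorization_endpoint": "https://idp.example.invalid/connect/authorize",
    "token_endpoint": "https://idp.example.invalid/connect/token",
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_request(discovery, client_id, redirect_uri):
    """Hybrid flow: response_type 'code id_token' returns the code and an ID token on the
    front channel. state and nonce are fresh per login and stored in the server session."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code id_token",
        "response_mode": "form_post",   # keeps tokens out of the URL fragment and logs
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), state, nonce

def left_half_hash(value: str) -> str:
    """c_hash per OIDC Core: base64url of the left 128 bits of SHA-256 of the ASCII code
    (hash length follows the 256-bit signing algorithm)."""
    return b64url_encode(hashlib.sha256(value.encode("ascii")).digest()[:16])

def verify_id_token(token, key, issuer, client_id, expected_nonce, code, now=None):
    """Validate the front-channel ID token before the code is redeemed. HMAC-SHA256 with
    a constructed shared key stands in for the provider's RS256/JWKS verification."""
    now = now or int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never accept 'none' or an algorithm switch
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")   # replayed or injected token
    if not hmac.compare_digest(str(claims.get("c_hash", "")), left_half_hash(code)):
        raise ValueError("c_hash mismatch")  # code was not issued with this ID token
    return claims

def handle_callback(form, stored_state, stored_nonce, key, client_id):
    """Process the form_post callback: bind it to the browser session via state, validate
    the ID token, and return the claims plus the code to send to the token endpoint."""
    if not hmac.compare_digest(str(form.get("state", "")), stored_state):
        raise ValueError("state mismatch")   # login-CSRF protection
    claims = verify_id_token(form["id_token"], key, DISCOVERY["issuer"],
                             client_id, stored_nonce, form["code"])
    return claims, form["code"]

def make_id_token(key, client_id, nonce, code, sub="user-123", ttl=300, now=None):
    """Constructed issuer side, present only to produce input for the checks above."""
    now = now or int(time.time())
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": DISCOVERY["issuer"], "sub": sub, "aud": client_id, "iat": now,
              "exp": now + ttl, "nonce": nonce, "c_hash": left_half_hash(code)}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

The state check defends the callback against login CSRF, the nonce check ties the ID token to the session that requested it, and the c_hash check stops a code from one response being paired with an ID token from another; all three are required by the hybrid flow in addition to the signature and issuer/audience/expiry checks.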
OpenID Connect Resources
It will be critical for the implementing development team to become familiar with the OpenID Connect specification. The following links are a subset of the specifications to assist in understanding specific areas of consideration. The resources will provide initial guidance and code-snippets to assist in the development of the integration. Please keep in mind that these are third-party resources not endorsed by the State of Indiana. The resources should be used as a reference only. The agency is still responsible for implementing all required controls and/or legal obligations on both the state and federal level.
Also, keep in mind that the steps related to the Access Indiana platform in these references (e.g. register your client application with Access Indiana) will be managed by IOT and Indiana Interactive.
Terminology (Glossary of OpenID Terms)
Access Indiana well-known
Certified OpenID Connect Implementations (Relying Party)
Hybrid Authentication Error Response
Token Error Response
User Info Error Response
Agency Initiated App sign-out
Access Indiana Initiated sign-out
The following are links to additional resources that have proven helpful for agencies:
JSON Web Token Decoder
Article on verifying access tokens
Example walk-through of web-client (reference when a certified library is not available for your coding implementation)
Access Indiana User Process Flows