From AAES to BAE - Implementing Collection and Sharing of Identity Data

The Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance (PDF) calls out the need to implement the ability to streamline the collection and sharing of digital identity data (Initiative 5). The Authoritative Attribute Exchange Services (AAES) is the architectural construct shown in the Roadmap as the mechanism that can implement this capability. This blog post provides a description of the capabilities needed in an AAES, and outlines a concrete method for implementing it; via deploying a Backend Attribute Exchange (BAE) infrastructure.

The AAES is a point of architectural abstraction between authoritative sources of identity information and the systems and applications that need that information.


At a high level, you can separate the functional requirements of an AAES into two buckets:

Authoritative Attribute ManagerAuthoritative Attribute Distributer
  • Correlate attributes from various attribute sources
  • De-conflict discrepancies across attribute sources
  • Implement a data model for entity attributes
  • Provide a consolidated view of the pieces of an entity gathered from multiple sources
  • Primary point of query for systems and applications
  • Provide a customized and tailored view of data
  • Support requests for attributes from both internal and external (to organization standing up the AAES) consumers

In order to meet these requirements, the implementation would need to provide capabilities "in the middle" such as Aggregation & Join, Mapping & Transformation, Routing & Load Balancing, Security & Audit and Local Storage (for caching) while providing standardized interfaces and connectors to applications and data sources.

A combination of a Virtual/Meta Directory Engine and a XML Security Gateway provides such a mix of capabilities:

FICAM AAES Implementation
The implementation of such an infrastructure is something we now have extensive experience with, from a combination of prototypes and proof-of-concepts, end-to-end pilots, as well as operational deployments of the various infrastructure elements. That is the reason why we chose these infrastructure elements as the foundational pieces for the Backend Attribute Exchange (BAE) infrastructure we are currently deploying:


As you can see above, there are also two supporting elements to the BAE infrastructure that we have deployed/are deploying; the BAE Metadata Service and the E-Government Trust Services (EGTS) Certificate Authority (CA). The BAE Metadata service will be the authoritative source of the metadata related to the BAE deployment and the EGTS CA will issue the Non-Person Entity (NPE) certificates that will be used to assure message level security across the members of the BAE "Attribute Federation".

In short, while the AAES is an abstract architectural construct, the infrastructure elements that make up the BAE are an example of a physical implementation of such a construct. It is being deployed in the near term to demonstrate operational capability with the goal of making it available as a shared service capability going forward.


:- by Anil John