Identity CoOp

From IIW

Identity Coop (OpenID Connect, ID Assurance)


Tuesday 3D


Convener(s): Alan Viars

Notes-taker(s): Alan Viars


Tags for the session - technology discussed/ideas considered:



Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


We discussed the concept of an “Identity CoOp” where member organizations would trust the identity assurance verification performed by agents/employees of other member organizations.


This would form “Circle of Trust” between Organizations.


The benefit of such a setup in a health care scenario, from a consumers point of view, would to allow a user to authorize access to data from different data sources without having to login to each provider individually (with separate usernames and passwords).


We discussed the potential issues with such a setup.  These include:

  • Introducing a new Identity Provider would be a heavy lift for data resource providers. In addition these organizations already have existing authentication mechanism and may be apprehensive to trust a 3rd party.


  Key Takeaways

  • Instead of trying to create a monolithic Identity provider, instead it might make more sense to profile OIDC and encourage organizations to comply with the profile.
  • The core component of the profile would be verified person claims pertaining to identity assurance.
  • A governance model would be needed to certify IDPs that met the specification and agreed to be part of the CoOp.
  • If large IDPs, such as Microsoft, Apple, and Google participated, it could have a wide reach and provide a smoother user experience.  This would not exclude a hospital or other data holder to have their own IDP that met the profile and CoOp membership requirements.
  • It was unclear how such a model would work from a consumer’s perspective.  Whould the login be a very long list of potential places to sign on?
  • We discussed the “Interac” model in Canada and Identity brokers.
  • Pointers were given to an open source OpenId Connect provider that supported verified person claims.  https://github.com/TransparentHealth/vmi