One37 Business Connector

Overview

The One37 Business Connector is the core component of the One37 Identity Platform.

Also sometimes referred to as the Agent, this service unlocks the reuse of Verifiable Credentials for business applications, ensuring accuracy, completeness, and trust of data without any added burden or lengthy form-filling.

The Business Connector bridges traditional Line-of-Business applications to the world of Decentralised Identity protocols and interactions through an easy-to-integrate Web API.

The Business Connector also provides pluggable modules for Verifiable Credential Authentication (optionally integrated with IAM systems) and a Low-Code Workflow Engine for self-contained Use Cases.

[Diagram: Business Connector Software Architecture]

Software Architecture

How it fits into the Ecosystem

As seen in the diagram below, the Business Connector is the central component in a Decentralised Digital Identity Ecosystem.

One or more Business Connectors can be deployed to support the business processes of a single Business or across multiple Business Units.

[Diagram: ID Platform Deployment]

Deployment

The Business Connector is packaged as a Docker container for deployment scenarios ranging from Docker CE on developer workstations and single-server setups, all the way up to auto-scaling pods in large on-prem or cloud-hosted Kubernetes clusters deployed with our configurable Helm Charts.

See the Installation Guides for more details.

The Business Connector requires the following support software:

  • a PostgreSQL or compatible database service for configuration and secure wallet data storage.
  • a Redis® instance or compatible cache service as a high-performance store for app scalability and for workflow and authentication session state persistence.

The Business Connector is configured dynamically from the One37 Business Studio portal and automatically provisions its database schemas on first start.

The Business Connector Agent will also automatically reserve its own internal Alias and any additional connection Aliases with the One37 Alias Resolution Service.

Business Connector Functions

While the Business Connector is deployed as a single application executable in either standalone mode or 1-n scalable instances in a container orchestration system, it provides a varied set of distinct services simultaneously.

These functions or services are broadly categorised into two groups:

  1. Core Services
  2. Support Services

Core Services

Business Wallet

The Business Wallet is the secure repository of all keys, credentials and identifiers that are the virtual representation of a Business in a digital identity ecosystem.

Records of all interactions and connections with other Business Agents and end-user Edge Wallets are also maintained in the Business Wallet.

Business Agency Service

The Business Agency Service is the core control service that provides the API endpoints for all interactions with the Business Wallet.

The service is responsible for the following functions:

  • Data Exchange

    Data exchange between the Business Agent Service and other parties is secured using either the DIDComm or the OpenID Connect for Verifiable Credential messaging protocol.

    These protocols ensure that all data exchanged is encrypted and signed using the keys and identifiers of each party, carried over secure transport channels such as HTTPS.

  • Connection Management

    The DIDComm protocol also provides for the secure establishment of persistent, reusable connections between the Business Agent Service and other parties.

    This increases the efficiency of data exchange and reduces the overhead of establishing new connections for subsequent, regular interactions.

  • Credential Issuance Service

    The Business Agent Service provides the API endpoints for the issuance of Verifiable Credentials to User Wallets.

    This allows the internal or legacy business systems to instruct the Agent to issue digital credentials to User Wallets, which can then be used for secure and trusted interactions with other parties.

  • Credential Verification Service

    The Business Agent Service provides the API endpoints to request and verify Credential Presentations from User Wallets.

    This allows the internal or legacy business systems to instruct the Agent to request and verify the authenticity and integrity of the digital credentials presented by User Wallets.

  • Mediator Service

    The Mediator Service operates as the store-and-forward mailbox for every instance of the Edge Wallet that is registered with the Business Agent as its Home Agency.

    The service hides the true connectivity parameters (IP address, location, etc.) of the mobile device from the services it interacts with, while also storing messages temporarily should the wallet device be offline.

    The inboxes are maintained in an encrypted database.

  • Auditing, Logging & Monitoring

    The Business Agent Service maintains a detailed audit log of all interactions and transactions that occur within the system for compliance and security purposes.

    The Business Agency Service also provides a set of monitoring and health check endpoints that can be used by external monitoring systems to ensure the availability and performance of the service.

    Application metrics are also recorded and exposed in the Studio dashboard for operational oversight of the usage and performance of the service.
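The Credential Verification Service above is described only at the level of "verify the authenticity and integrity of the presented credentials". The following Go program is an added example (not One37's code, and not the Business Connector API) of the checks such a verifier has to make, using a constructed credential format: an issuer-signed JSON payload, a holder signature bound to a verifier-chosen challenge, a trusted-issuer list, and an expiry. Ed25519 keys, the `did:example:` identifiers, the field names and the in-memory key lookup (standing in for DID resolution) are all assumptions of the example, not details taken from the page. `Scenarios()` runs one valid presentation and three failure cases (altered claim, replayed presentation, expired credential) so the order of checks can be seen on realistic input.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Credential is a constructed, minimal stand-in for a Verifiable Credential. The issuer
// signs the JSON of every field except Signature; json.Marshal writes struct fields in
// declaration order and sorts map keys, so the signed bytes are deterministic.
type Credential struct {
	Issuer    string            `json:"issuer"`     // issuer identifier (a DID in practice)
	Subject   string            `json:"subject"`    // holder identifier the credential is bound to
	Claims    map[string]string `json:"claims"`
	ExpiresAt int64             `json:"expires_at"` // unix seconds
	Signature []byte            `json:"signature,omitempty"`
}

// payload returns the bytes covered by the issuer signature.
func (c Credential) payload() []byte {
	c.Signature = nil // c is a copy; the caller's credential keeps its signature
	b, _ := json.Marshal(c) // cannot fail for these field types
	return b
}

// IssueCredential is the issuer side: sign the claims with the issuer's Ed25519 key.
func IssueCredential(issuer string, key ed25519.PrivateKey, subject string,
	claims map[string]string, expires time.Time) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims, ExpiresAt: expires.Unix()}
	c.Signature = ed25519.Sign(key, c.payload())
	return c
}

// Presentation carries the credential plus a holder signature over
// (credential payload || verifier challenge). The challenge binds the presentation
// to one verification request, so a captured presentation cannot be replayed later.
type Presentation struct {
	Credential      Credential
	Challenge       []byte
	HolderSignature []byte
}

// Present is the holder side: prove control of the subject key for this challenge.
func Present(c Credential, holderKey ed25519.PrivateKey, challenge []byte) Presentation {
	return Presentation{c, challenge, ed25519.Sign(holderKey, append(c.payload(), challenge...))}
}

// Verifier holds the trust material; lookup by identifier stands in for DID resolution.
type Verifier struct {
	TrustedIssuers map[string]ed25519.PublicKey
	HolderKeys     map[string]ed25519.PublicKey
}

var (
	ErrBadIssuerSig      = errors.New("issuer untrusted or signature invalid (altered or forged)")
	ErrExpired           = errors.New("credential expired")
	ErrChallengeMismatch = errors.New("challenge mismatch: possible replay")
	ErrBadHolderSig      = errors.New("holder signature invalid or subject key unknown")
)

// Verify checks, in order: trust anchor and integrity, validity window, freshness, holder binding.
func (v *Verifier) Verify(p Presentation, expectedChallenge []byte, now time.Time) error {
	c := p.Credential
	issuerKey, ok := v.TrustedIssuers[c.Issuer]
	if !ok || !ed25519.Verify(issuerKey, c.payload(), c.Signature) {
		return ErrBadIssuerSig
	}
	if now.Unix() >= c.ExpiresAt {
		return ErrExpired
	}
	if !bytes.Equal(p.Challenge, expectedChallenge) {
		return ErrChallengeMismatch
	}
	holderKey, ok := v.HolderKeys[c.Subject]
	if !ok || !ed25519.Verify(holderKey, append(c.payload(), p.Challenge...), p.HolderSignature) {
		return ErrBadHolderSig
	}
	return nil
}

// Scenarios runs a constructed issue/present/verify round-trip and three failure cases.
func Scenarios() map[string]error {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	v := &Verifier{
		TrustedIssuers: map[string]ed25519.PublicKey{"did:example:issuer": issuerPub},
		HolderKeys:     map[string]ed25519.PublicKey{"did:example:holder": holderPub},
	}
	cred := IssueCredential("did:example:issuer", issuerPriv, "did:example:holder",
		map[string]string{"employee_id": "E-12345", "role": "auditor"}, now.Add(24*time.Hour))
	challenge := []byte("nonce-1") // verifier-chosen; draw from crypto/rand in a real service
	out := map[string]error{}
	out["valid"] = v.Verify(Present(cred, holderPriv, challenge), challenge, now)
	tampered := cred // altered claim: the issuer signature no longer covers the payload
	tampered.Claims = map[string]string{"employee_id": "E-12345", "role": "admin"}
	out["tampered"] = v.Verify(Present(tampered, holderPriv, challenge), challenge, now)
	// replay: a presentation made for one challenge is submitted against another
	out["replayed"] = v.Verify(Present(cred, holderPriv, challenge), []byte("nonce-2"), now)
	out["expired"] = v.Verify(Present(cred, holderPriv, challenge), challenge, now.Add(48*time.Hour))
	return out
}
```

Run it from a `_test.go` file (or add a `main` that ranges over `Scenarios()`): the valid case returns nil, the altered claim fails at the issuer-signature check even though the holder signature over the altered payload is fine, the replayed presentation fails on the challenge, and the same presentation checked two days later fails on expiry. The order matters: checking the trust anchor and signature before anything else means an attacker cannot learn about challenge handling or clock skew from a credential the verifier would never accept.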

Support Services

Some of the support services that can be enabled or disabled based on the deployment requirements are:

  • Alias Resolution Service
    This service provides for the registration and resolution of globally unique short codes representing individual User Wallet or Business Agent connection metadata.

    Aliases are registered per Business Agent or User wallet and can be transferred between wallets.

    When used in conjunction with the Mediator Service, the Alias Resolution Service provides a secure and private way for wallets to route communication between each other without revealing their true network addresses, even if they are not associated with the same Home Agent as the recipient.

  • Credential Based Authentication Services
    The Credential Authentication Services provide support for industry-standard federated authentication protocols like OpenID Connect, OAuth2 and SAML, as well as our own highly optimised AuthAPI protocol.

    This service bridges the gap between traditional Identity and Access Management systems and the emerging Decentralised Identity ecosystems, and allows for password-free, secure and trusted authentication of users based on the digital credentials they hold in their wallets.

    The service can be configured as an upstream authentication provider for existing IAM systems or as a standalone service for new applications.

  • Workflow Engine Integration
    The Business Connector can be enabled to support native interaction with the One37 Workflow Engine to provide a complete, end-to-end solution for the automation of business processes that require secure, trusted interactions with external parties.
