RealMe® RESTful Context Mapping Service (RCMS) provides the ability for an agency to extend the user's current authentication session to allow seamless user interaction with RealMe services or provide joined up services with one or more other agencies.
The key use cases supported by RCMS are:
At this stage, the potential use of RCMS applies to organisations in the wider government sector that are already using the RealMe login service. The context mapping service is a set of building blocks; how it is used depends heavily on the business context and specific use cases. If your agency is considering a customer-centric joined up business process with another agency, then contact us to discuss what's possible.
The RealMe RESTful Context Mapping Service provides support for government to deliver joined up agency services online in a citizen-centric, privacy-protective way.
Login attributes token (LAT) - when opting to use RCMS, the initiating agency is configured to receive the LAT as part of the SAML authentication response; it essentially contains the same authentication details in an easily accessible format.
Opaque token (OT) - the initiating agency makes an Issue request to RCMS and includes the LAT, the entityID of the target agency and the required use case. In response, RCMS returns the OT, which encrypts the FLT in a way that cannot be read by the target agency.
Target agency FLT - the receiving agency makes a Redeem request to RCMS and includes the OT. In response, RCMS returns the target agency FLT, which may already exist or can be newly created.
Redeem token (RT) - the receiving agency also receives the redeem token, which can be used in the same way as the LAT with a subsequent agency.
The context mapping service has been implemented as a RESTful web service. This replaces the earlier and more complex WS-* based iCMS, which has been deprecated but is still supported for existing clients. The API uses JSON Web Tokens (JWT) and HTTP POST requests. RCMS authorisation uses an API token, and the web service requires a TLS certificate.
Note that Assert then log in is a specific instance of the RCMS extended log in use case: in this instance, the RealMe assertion service is the initiating service provider (for context mapping) and the agency making the SAML verification request is the target agency. The lifetime of the opaque token is 60 minutes from the time when the user authenticated.
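The LAT, OT, FLT and RT exchange described above can be modelled in a few lines. This is an added illustration, not RealMe code and not the RCMS API: the class, method names, entityIDs and user label are hypothetical, tokens are random handles looked up server-side rather than JWTs or encrypted values, the use-case parameter is left out, and binding an OT to the target entityID at Redeem is an assumption.

```python
import secrets
from datetime import datetime, timedelta, timezone

OT_LIFETIME = timedelta(minutes=60)  # page: 60 minutes from user authentication

class ToyRCMS:
    """In-memory model of the token flow; NOT the real RCMS API."""

    def __init__(self):
        self._flts = {}    # (user, agency entityID) -> that agency's FLT
        self._tokens = {}  # handle -> (kind, user, agency entityID, auth_time)

    def _flt(self, user, agency):
        # The target agency FLT "may already exist or can be newly created".
        return self._flts.setdefault((user, agency), "FLT-" + secrets.token_hex(8))

    def _mint(self, kind, user, agency, auth_time):
        handle = secrets.token_urlsafe(24)  # random: carries no readable identity
        self._tokens[handle] = (kind, user, agency, auth_time)
        return handle

    def login(self, user, agency, auth_time):
        """Stand-in for the SAML response: the agency's own FLT plus a LAT."""
        return self._flt(user, agency), self._mint("LAT", user, agency, auth_time)

    def issue(self, lat_or_rt, target_agency):
        """Issue request: LAT (or RT) + target entityID -> opaque token."""
        kind, user, _, auth_time = self._tokens.get(lat_or_rt, (None,) * 4)
        if kind not in ("LAT", "RT"):
            raise PermissionError("Issue requires a valid LAT or RT")
        return self._mint("OT", user, target_agency, auth_time)

    def redeem(self, ot, caller_agency, now):
        """Redeem request: OT -> (target agency FLT, redeem token)."""
        kind, user, target, auth_time = self._tokens.get(ot, (None,) * 4)
        if kind != "OT" or target != caller_agency:  # assumed binding to target
            raise PermissionError("token is not redeemable by this agency")
        if now - auth_time > OT_LIFETIME:  # clock starts at authentication
            raise TimeoutError("opaque token expired")
        return self._flt(user, target), self._mint("RT", user, target, auth_time)

def demo():
    a, b = "https://agency-a.example/sp", "https://agency-b.example/sp"  # constructed
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    rcms = ToyRCMS()
    flt_a, lat = rcms.login("user-1", a, t0)
    ot = rcms.issue(lat, b)
    flt_b, rt = rcms.redeem(ot, b, t0 + timedelta(minutes=10))
    return flt_a, flt_b, ot

if __name__ == "__main__":
    print(demo())
```

In this model each agency only ever sees its own FLT for the user, and an OT issued late in a session has correspondingly little time left because its lifetime is measured from authentication rather than from issuance.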