
Building trust in the European data economy

How Federated Identity and Access Management (FIAM) supports secure and compliant data sharing

Organizations in Europe are preparing for a future in which data can move more freely between services, providers and sectors. European Commission initiatives such as the EU Data Act and the development of European Data Spaces aim to give customers full control over the data generated by the products and services they use, while allowing companies to build new, customer-approved services on top of that data.

To make this possible, data sharing must always be secure, traceable and based on the explicit consent of the data rights holder (the data owner). Federated Identity & Access Management (FIAM) is KPN's solution for secure, compliant and scalable data sharing between organizations in the EU. It responds directly to the EU Data Act, which requires data holders, such as providers of connected products and IoT services, to share data with third parties. The solution is built on a verifiable trust framework while preserving data sovereignty and privacy. FIAM gives companies the means to identify and authenticate the parties that consume user data and to govern their authorizations through an automated service.


Specifications

OAuth 2.0 with JWS client assertion.

X.509 certificate chain for trust validation.

Short-lived tokens enforce current consent.


How it works

FIAM creates a federated trust network based on the iSHARE framework in which service providers (data holders), users (data owners) and third parties (data consumers) each have verifiable identities and authorizations.

A data consumer registers through FIAM and is formally identified and verified using eHerkenning (EH3). The organization then supplies an eSeal (an X.509 certificate) that serves as its digital identity in machine-to-machine communication. To complete onboarding, the organization has to agree to the terms and conditions for data consumers, which provide the legal framework for the data exchange. FIAM records the authorizations given by the data owner in a central authorization register. When a data consumer requests data from a data provider, FIAM verifies the requester's identity and checks its authorization against that register.

This enables a zero-trust approach in which every access request is individually verified at runtime.


API usage

FIAM uses OAuth 2.0 with a client assertion in the form of a JSON Web Signature (JWS). The JWS is signed with the private key belonging to the X.509 certificate (the eSeal) supplied during onboarding, and the certificate chain is included in the JWS header so that FIAM can validate the identity and trust level of the requesting party. The chain in the header is a claim made by the caller: it establishes trust only once it has been validated up to a root the verifier already trusts, and only then can the certificate's key be used to check the signature.

A valid JWS is sent to the /token endpoint to obtain a short-lived access token. This token is then used to call FIAM APIs or the product data APIs of data providers. The short token lifetime ensures that data access always reflects the most recent customer consent: a change in consent takes effect at the latest when the current token expires.
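The exchange described above, as an added example that is not part of KPN's page or FIAM's own code: a data consumer builds the RS256 client assertion with its eSeal chain in the x5c header, and a token endpoint verifies it the way a zero-trust verifier has to, trusting the chain only after it validates against its own roots, then checking the signature, and only then reading the claims and binding them to the validated certificate. It is written in Go against the standard library only. The certificates, the identifiers urn:example:data-consumer and urn:example:fiam, the 30-second lifetime, the claim set and the binding of iss to the certificate's CommonName are all constructed for the example and are not taken from FIAM's or iSHARE's documentation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCert issues a test certificate signed by parent (self-signed when parent is nil). This is a
// constructed PKI for the example only; it stands in for the eSeal and the CA that issued it.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildClientAssertion is the data consumer side: an RFC 7523 client assertion signed with the eSeal
// key, chain (leaf first, base64 DER) in x5c. iss = sub = own identifier; lifetime and claim set are assumptions.
func BuildClientAssertion(key *rsa.PrivateKey, chain []*x509.Certificate, iss, aud string, now time.Time) (string, error) {
	x5c := make([]string, len(chain))
	for i, c := range chain {
		x5c[i] = base64.StdEncoding.EncodeToString(c.Raw)
	}
	hdr, _ := json.Marshal(map[string]any{"alg": "RS256", "typ": "JWT", "x5c": x5c})
	jti, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // unique per assertion so replays can be refused
	body, _ := json.Marshal(map[string]any{"iss": iss, "sub": iss, "aud": aud, "jti": jti.Text(16), "exp": now.Add(30 * time.Second).Unix()})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyClientAssertion is the token endpoint side. The x5c chain is caller-supplied input: it is
// trusted only once it chains to a configured root, only then is the leaf key used to check the
// signature, and only then are the claims read and bound to the subject of the validated eSeal.
func VerifyClientAssertion(token string, roots *x509.CertPool, aud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string; X5c []string } // encoding/json matches "alg" and "x5c" case-insensitively
	if h, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil {
		return "", fmt.Errorf("malformed JWS")
	}
	if hdr.Alg != "RS256" || len(hdr.X5c) == 0 { // pin the algorithm; the header never gets to choose it
		return "", fmt.Errorf("unsupported alg or missing x5c")
	}
	certs, inter := make([]*x509.Certificate, len(hdr.X5c)), x509.NewCertPool()
	for i, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		if err == nil {
			certs[i], err = x509.ParseCertificate(der)
		}
		if err != nil {
			return "", fmt.Errorf("bad x5c[%d]: %w", i, err)
		}
		inter.AddCert(certs[i])
	}
	leaf := certs[0]
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("eSeal does not chain to a trusted root: %w", err)
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil {
		return "", fmt.Errorf("eSeal key is not RSA or signature segment is malformed")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not verify under the eSeal key")
	}
	var c map[string]any
	if body, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return "", fmt.Errorf("unreadable claims")
	}
	// iss must name the party the validated eSeal belongs to. Binding on CommonName is this example's
	// assumption; the real scheme binds to whichever subject attribute carries the participant identifier.
	iss, _ := c["iss"].(string)
	exp, _ := c["exp"].(float64)
	if iss == "" || iss != leaf.Subject.CommonName || c["sub"] != iss || c["aud"] != aud || float64(now.Unix()) >= exp {
		return "", fmt.Errorf("claims rejected: audience, subject binding or expiry")
	}
	return iss, nil
}
```

To obtain a token, the assertion produced by BuildClientAssertion is POSTed to /token as an application/x-www-form-urlencoded body with grant_type=client_credentials, client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer and client_assertion set to the JWS (RFC 7523, section 2.2); any further parameters FIAM expects, such as a scope, come from its own documentation. The order of checks in VerifyClientAssertion is the point: a self-consistent chain under a CA the verifier does not trust, a valid eSeal asserting somebody else's identifier, and an assertion replayed after its exp all fail, and none of them gets as far as the authorization register.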

Pricing

There are three roles in the FIAM ecosystem: data providers, service providers and data consumers. The supporting roles of identity provider, participant registry and authorization registry are filled by KPN.

Data consumers access data products with the permission of the data rights holder. They are invoiced based on actual usage, which reflects the cost of secure data exchange, infrastructure capacity and trust assurance.

Data and service providers make their data or services available to the ecosystem. The Data Act allows providers to request a fair fee to cover the resources required to make data products accessible. A provider goes through a certification and onboarding process; the associated fee depends on the scale of the data domain, the maturity of the integration and the expected service footprint, and is determined in consultation with our business development team.

The onboarding portal provides the terms and conditions and the contracts of the data provider (Eneco as launching customer), in which the detailed pricing is listed. KPN acts as a facilitator: it does not set prices or invoice data transactions between data consumer and data provider. The data provider, not KPN, invoices a reasonable fee for usage.

Data consumer - uses FIAM to access data products with consent: usage-based billing, settled between data provider and consumer.

Data or service provider - offers data products to the ecosystem: custom pricing.

Get in touch: fiam@kpn.com
