This topic describes the main features, scenarios, and configuration processes of the PCA, OpenID Connect (OIDC), and PKCS#7 federated credential providers in the machine-to-machine (M2M) federated credential capability of IDaaS.
PCA federated credential provider
Private Certificate Authority (PCA) is a fully managed private certificate authority service for creating and managing private digital certificates used inside an enterprise.
Core features
Internet of Things (IoT) and Internet of Vehicles device security: Provisions a unique digital certificate for each device to implement device identity authentication and mutually authenticated secure communication (for example, with an MQTT platform), preventing unauthorized access and data tampering.
Software and firmware signing: Issues signing certificates for software and firmware so that their legitimacy can be verified and tampering detected (for example, firmware verification for Launch Tech's EV charging station devices).
Enterprise internal resource protection: Protects internal resources such as servers, applications, and containers and helps meet regulatory compliance requirements (such as the data security requirements of the finance and healthcare industries).
Cross-account and cross-region certificate management: Supports sharing a root CA across accounts and issuing CAs across regions, simplifying large-scale certificate deployment (for example, StubHub's rebuild of its PKI architecture during cloud migration).
Scenarios
PCA federated credentials in M2M scenarios solve the security interoperability challenges between heterogeneous systems through unified device identity management and cross-domain trust mechanisms. They are particularly suitable for:
Large-scale device interconnection.
Cross-organization collaboration environments.
Industries with high compliance requirements.
Configuration process
If an enterprise or organization operates its own PCA, it can create a federated credential provider for it. The client uses the signing capability of PCA (the key of a PCA-issued client certificate) to sign a JWT token. When calling the IDaaS authorization server token endpoint, the client selects the PCA federated credential capability and provides the corresponding root certificate, intermediate certificate list, and client certificate. This completes the call chain, and IDaaS issues the access token.
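The trust check behind that call, as an added Go example that is not IDaaS's own code or part of this page: a constructed root CA, issuing (intermediate) CA, and client certificate are generated locally, and the token endpoint's side of the exchange is shown as a chain verification against the supplied root and intermediate list. The CA names and the device subject are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates an RSA key pair and a certificate for cn; parent == nil yields a self-signed root.
func issue(cn string, ca bool, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyClientChain is the check an authorization server performs before trusting a JWT signed with
// the client certificate's key: the certificate must chain to the supplied root through the supplied
// intermediates. Written for this example only; it is not IDaaS's implementation.
func verifyClientChain(root *x509.Certificate, intermediates []*x509.Certificate, client *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root, rootKey := issue("Example Root CA", true, nil, nil) // constructed private CA for the demo
	inter, interKey := issue("Example Issuing CA", true, root, rootKey)
	client, _ := issue("device-0001", false, inter, interKey)
	fmt.Println("full chain:", verifyClientChain(root, []*x509.Certificate{inter}, client)) // <nil>
	fmt.Println("no intermediates:", verifyClientChain(root, nil, client))                  // rejected
}
```

A certificate that chains to a different root, or a self-signed certificate with the same subject name, is rejected by the same call, which is why the root certificate supplied to the token endpoint must be the one the organization actually controls.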
OIDC federated credential provider
OIDC is the abbreviation for the OpenID Connect protocol, which is widely used in scenarios such as Single Sign-On (SSO), cross-organization identity federation, third-party identity provider integration, and secure API calls.
Core features
The OIDC protocol provides an identity authentication layer based on OAuth 2.0, allowing client services to securely verify user identity and obtain user information.
Scenarios
In M2M scenarios, the OIDC federated credential provider applies when the client service is deployed in one of the following environments:
Kubernetes Pod.
Alibaba Cloud ACK cluster (with RRSA mode supported).
GitHub workflow.
CI/CD pipeline.
Azure VM.
Google Cloud Compute Engine.
Configuration process
Obtain an OIDC token from the container or cloud server.
Select the OIDC federated credential capability when calling the IDaaS authorization server token endpoint.
Provide the corresponding public key used to verify the token.
Complete the call chain to obtain the access token.
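The server-side verification of the supplied OIDC token, as an added Go example that is not IDaaS code or part of this page: the token is minted locally to stand in for the workload's identity provider, the issuer and audience URLs are placeholders, and the aud claim is assumed to be a single string rather than an array.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// mintToken stands in for the workload's identity provider (cluster, CI runner, or cloud VM
// service) and issues an RS256 JWT over claims. It exists only to keep the example self-contained.
func mintToken(claims map[string]any, key *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyOIDCToken is the authorization server's side of the flow: pin the algorithm, verify the
// signature with the public key the caller registered, then check issuer, audience and expiry.
func verifyOIDCToken(token string, pub *rsa.PublicKey, issuer, audience string, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: only RS256 is accepted") // the token never chooses the algorithm
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature rejected")
	}
	var claims map[string]any
	if raw, _ := b64.DecodeString(parts[1]); json.Unmarshal(raw, &claims) != nil || claims["iss"] != issuer || claims["aud"] != audience {
		return nil, fmt.Errorf("issuer or audience mismatch")
	}
	if exp, _ := claims["exp"].(float64); now >= int64(exp) { // a missing exp reads as 0 and is rejected
		return nil, fmt.Errorf("token expired or exp missing")
	}
	return claims, nil
}
```

The audience check is what stops a token issued for some other relying party from being replayed against the IDaaS token endpoint, so the audience the workload requests must match the value IDaaS is configured to expect.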
PKCS#7 federated credential provider
PKCS#7 is a fundamental standard in Public Key Infrastructure (PKI), widely used in scenarios requiring data integrity and confidentiality.
Core features
Financial transaction security: Used to sign and encrypt bank transaction data so that the authenticity and integrity of transaction instructions can be verified (for example, banks protect sensitive operations such as transfers and payments with PKCS#7).
Electronic government document signing: Government agencies use PKCS#7 to digitally sign electronic documents, giving them legal effect equivalent to a physical seal (for example, electronic official documents, legal contracts, and identity authentication).
Data signing and encryption: PKCS#7 supports digital signing and encryption of messages and is widely used where the origin of data must be verified and tampering prevented (for example, file exchange between enterprises and software distribution). Its container formats (such as .p7b and .p7c) can hold multiple signatures and certificates, which suits complex trust chain management.
Scenarios
Applicable to client services running in the following cloud server environments:
Alibaba Cloud ECS/ECI.
Amazon EC2.
Configuration process
Obtain the PKCS#7 signature from the cloud server's instance metadata signature endpoint.
Select the PKCS#7 federated credential capability when calling the IDaaS authorization server token endpoint.
Provide the corresponding root certificate used to verify the signature.
Complete the call chain to obtain the access token.
Summary
The three federated credential provider capabilities offered by IDaaS cover M2M authentication requirements in different scenarios. Enterprises can choose the federated credential solution that best fits their business scenario and technical architecture.