FPX Overview
What is FPX?
The IDENTOS Federated Privacy Exchange (FPX) gives people control over their personal data and reduces data silos for a connected online experience. As an Identity and Access Management (IAM) technology platform, FPX provides digital authentication, authorization, and governance capabilities. It enables the creation of secure partner ecosystems with complex integrations across many organizations and services, not just within an enterprise. FPX bridges the gap between partners that require access to user data to provide essential services (service providers) and partners that hold this data (resource servers or data sources).
FPX operates on the foundation of OAuth 2.0 and extends further to include User Managed Access (UMA) in order to put users in complete control of their private data. Users are able to govern which parties have access to their data and where this data is sourced from. All of this is accomplished through a highly configurable authentication and authorization model.
FPX addresses some of the most common problems organizations and their users face with identity management and consent-driven private data sharing:
- FPX enables service providers to access data on behalf of the users to provide a digital service securely and with user consent.
- Simplifies user authentication by easily connecting to trusted identity providers. Leveraging existing digital identities reduces overhead for the service and the end user.
- Eases integrating with various user data repositories, using common industry protocols to make secure API calls.
- Allows a granular approach when defining data flows, making it clear who has access to what data and to what degree.
What Does FPX Enable?
A Trusted Ecosystem for any Domain
FPX provides a secure network to connect service providers (applications that require user data to provide a service), data repositories (systems that store user data and expose APIs to provide that data), and end users. Through this network, systems are connected in a fine-grained way to help organizations achieve their business outcomes: enabling end-user services, minimizing the amount of information shared between services, and providing self-service tools for users to manage their consent to the use of their data.
These features promote efficiency by helping services to authenticate users and receive their data all through the secure platform, instead of doing it all themselves.
Highly Automated Authorization Management and Consent-driven Data Access
The FPX Platform offers a unified and automated approach to managing authorization and data access.
The FPX Authorization Server acts as a secure gateway for incoming data access requests, safeguarding the user's data sources. Network administrators can register multiple data sources, giving users the flexibility to choose from where the data being requested will be provided. Access to the data is only granted with the explicit consent of the data owner. In addition, an FPX Network administrator can pre-configure the Authorization Server in advance with all the necessary information like the types of data, permissions, and the clients (service providers that can access the users' protected information). The Authorization Server can then work with the Wallet Server and the Data Sources (Resource Servers protecting user data) to automatically handle authorization, removing the need for manual intervention at each Authorization Request.
In an FPX ecosystem, individuals have direct control over their data through the ability to provide consent. This level of control makes it easier for individuals to share access to their sensitive personal information. For organizations, FPX also enables direct system-level integrations, allowing services to access parts of the APIs protecting data without involving a user. This is useful when an organization does not need the user's involvement or consent before enabling API access.
Simplified Administration of Data Flows across an Ecosystem
FPX empowers ecosystems to engage in various data flows. A data flow is the exchange of data between organizations that expose APIs providing user data and service-providing applications. With FPX, owners or administrators of an ecosystem can also set rules for these data flows. Once an organization has registered a data source that stores user data, the organization can pre-define the type of data and the level of access that service providers can have, allowing the organization to maintain granular control over how the data is shared and accessed.
Seamless Integration with Varied Data Sources
Organizations across all domains and industries may have their user data stored in disparate formats. The data could reside in custom-built solutions or standard databases. While applications may require access to this user data in order to perform key functions, having to work with many data formats is a significant effort. For example, a service provider who provides insurance services may require access to the insured user's medical records stored within different provincial health records using different data formats. This protected data is most often exposed via APIs that require some form of authentication.
Protecting such APIs at these data sources (or Resource Servers) by enabling only authorized access is one of the key objectives of the FPX platform. In order to effectively protect these APIs, it is imperative to understand how to integrate with these repositories and the types of data they can provide. FPX simplifies this integration layer between the calling application and the data store by providing adapters for commonly used API protection protocols such as OIDC, LDAP, and common data formats, such as FHIR. Leveraging these adapters effectively eliminates the need for clients to write custom code which would have been necessary to make secure calls to these APIs. All API calls are allowed only after users are authenticated and have provided consent to access their data.