About Citizen Access

With WorkZone Citizen Access citizens can view the meta data of specific cases and documents that are saved in WorkZone even if the citizens are not registered as WorkZone users. Citizens must log in with a digital ID in a client, a portal, or a form and will then get access to view the meta data of specific cases and documents that they have been granted access to. In this release, it is not possible to view or download documents.

• Portal integration – You can build specific applets or forms as marked cases and documents that allow non WorkZone users to access "My cases" or "My documents".

• WorkZone Interact integration – You can create an Interact form that selects cases and documents that are relevant to a citizen's inquiry, for example, a selection of documents.

As an example, a Danish citizen can access WorkZone data by logging into an Interact form with MitID (the Danish digital ID). When a citizen logs in with MitID credentials, a request is redirected to the KMD Identity for authentication and post authentication. The Interact form gets the user claims from the KMD Identity and then passes the claims to the WorkZone Application Proxy Service to communicate with Identity Data Service to retrieve the meta data of cases and documents.

Architecture

The diagram below shows the architecture of the Citizen Access module.

Authentication

MitID authentication

Cititizens in Denmark will log in to a client/form/portal for authentication using MitID credentials.

Azure authentication

Azure authentication is used to authenticate the request coming to the OData Service by using Azure App Client ID and Secret.

Components

WorkZone Application Proxy Service

WorkZone Application Proxy Service is an endpoint for customers to consume WorkZone data using WorkZone Identity Service (IDS). This Service exposes the endpoints for other applications such as Workzone Client Application (UI for authentication), WorkZone Interact , or any other third-party provider who wants to consume this service to access WorkZone data.

This service is a containerized service that is deployed in Azure AKS using DevOps pipelines. Post authentication of citizens, this service is called by providing the end user claims details with the required payload/input parameters. Also, WorkZone Application Proxy Service sends a request to Azure API Gateway.

The endpoints can provide the information that belongs to the citizen such as listing the cases, case details, and documents associated with the case.

WorkZone Identity Data Service (IDS)

This is the proxy service for OData Service (Containerized). This service is called by Azure API Gateway to interact with the OData Service by providing the required input parameters such as Authentication token, external ID (MitID), and the query parameters to the OData Service to retrieve the data and will send the response back to WorkZone Application Proxy Service.

The WorkZone Identity Service provides:

• Restricted access to WorkZone data for external contacts.

• Standard integration to MitID with a later option for other providers.

• Secure access to data via reverse proxy.

• Only access to cases with marked access for contacts.

• Logging of data access via the WorkZone use log.

You can use WorkZone Identity Service in different integrations.

Demilitarized Zone (DMZ):

A DMZ or demilitarized zone is a perimeter network that protects and adds an extra layer of security to an organization’s internal local-area network from untrusted traffic.

The main benefit of a DMZ is to provide an internal network with an advanced security layer by restricting access to sensitive data and servers. A DMZ enables website visitors to obtain certain services while providing a buffer between them and the organization’s private network.

WorkZone Application Proxy Service will be deployed in the DMZ with two firewalls. A firewall while accessing the WorkZone Application Proxy Service and a second firewall while accessing IDS.