# Leveraging the Hashgraph Identity Platform for Federated Identity Across Multiple Organizations ## Abstract This paper explores how the Hashgraph Identity Platform can facilitate federated identity between multiple organizations by employing verifiable credentials and a trusted verifier to authenticate users across distinct systems . The proposed architecture leverages an interoperability platform in a transitional role, ultimately allowing direct connections among organizations’ systems via signed JSON Web Tokens (JWT). The approach enables a scalable trust framework where each organization can verify the credentials issued by others, without relying on a single central authority. --- ## 1. Introduction As digital ecosystems expand, organizations increasingly need to ensure seamless, secure, and privacy-preserving methods of authenticating users across distinct domains. Traditional centralized identity solutions often require complex integrations or reliance on a single authority. Self-sovereign identity (SSI) technology and verifiable credentials enable a more decentralized approach, permitting each organization to manage its own identity infrastructure while trusting credentials issued by other trusted entities in the network . Recognizing these trends, the Hashgraph Identity Platform presents a scalable and compliant framework for identity federation that reduces overhead and strengthens trust relationships among participating organizations. --- ## 2. Background and Motivation Federated identity typically describes a scenario where multiple systems rely on each other’s identity assertions to grant user access. However, establishing federation at scale often leads to burdensome bilateral or hub-and-spoke integrations. By contrast, decentralized platforms such as the Hashgraph Identity Platform allow organizations to harness a shared distributed ledger to record and verify identity data without conferring excessive power to any single participant . For interoperability, a trusted verifier (TV) service can issue short-lived JWTs after validating a user’s verifiable presentation, so that any system trusting the TV can grant or deny access according to its own policies. Key challenges addressed include: - **Interoperability**: Ensuring that heterogeneous systems can read, interpret, and validate verifiable credentials. - **Security**: Preventing credential forgery or impersonation by relying on a decentralized ledger and cryptographic proofs. - **Scalability**: Minimizing the performance bottlenecks inherent in a central authority model. - **User-Centric Control**: Preserving user privacy and consent through verifiable presentations while complying with organizational and regulatory requirements . --- ## 3. Architectural Overview ### 3.1 Roles and Components 1. **User**: Holds a decentralized identity in an identity wallet that can issue verifiable presentations (VP). 2. **System A and System B**: Applications or services belonging to different organizations. 3. **Interoperability Platform (Transitional)**: Serves as a *trusted verifier* during the initial stage of federation. It verifies the validity of VPs and returns a signed JWT. Over time, direct verification among systems is possible by sharing public keys or recognized issuers. 4. **Hashgraph Identity Platform**: Maintains the ledger of decentralized identifiers (DIDs), schemas, and credential definitions for verifiable credentials. It provides the cryptographic framework essential for establishing trust . ### 3.2 Identity Federation Logic 1. **Public Key Exchange**: Each participating organization registers its public keys on the Hashgraph Identity Platform, enabling other members to directly verify signatures if needed. 2. **Trusted Verifier Services**: The Interoperability Platform runs a service that checks the authenticity and validity of a user’s VP, creating trust relationships among previously unacquainted systems. 3. **JWT Issuance**: The Interoperability Platform issues a JWT to the user, which can be presented to any system in the federation. Over time, direct system-to-system verification will gradually replace the Interoperability Platform’s bridging role. --- ## 4. Authentication Flow Below is the step-by-step process for a user, starting with System A as the entry point: 1. **User Initiates Access**: The user requests access from System A. 2. **Verifiable Presentation Request**: System A sends the user a signed Verifiable Presentation Request (VPR), indicating the credentials needed. 3. **Verifiable Presentation Creation**: The user’s identity wallet reviews the request and creates a corresponding verifiable presentation (VP) with the credentials it can fulfill. 4. **Verification Step**: - The user transmits the signed VPR and VP to the trusted verifier (TV) on the Interoperability Platform. - The TV validates that the request was indeed signed by System A and checks the user’s VP for authenticity and integrity. 5. **JWT Issuance**: - Upon successful validation, the TV issues a JWT to the user. - The user’s client (e.g., web browser) includes this JWT as a Bearer token when interacting with System A. 6. **Resource Access**: - System A inspects the JWT's signature and claims, confirming the user’s identity and authorization. - `System A` trusts the JWT because it has stored the public key of the `Trusted Verifier` - The user gains authenticated access to System A. 7. **Cross-System Authorization**: - If the user accesses `System B` that also trusts the TV, the same JWT can be reused (until expiration) to simplify multi-system access. - Over time, by sharing public keys, System A and System B may directly verify each other’s signed tokens, reducing reliance on the Interoperability Platform, allowing all systems to run a Verifier. --- ## 5. Advantages of the Proposed Approach 1. **Decentralized Trust**: Each organization retains control of its public-private key pairs, stored or referenced in the Hashgraph ledger. No single entity monopolizes issuance or verification . 2. **Reduced Bottlenecks**: The Interoperability Platform initially acts as a trusted verifier but is not a permanent single point of failure or performance limitation. 3. **Enhanced Privacy**: The verifiable presentation model ensures that only necessary identity attributes are disclosed (selective disclosure) and that no additional personally identifiable information is leaked inadvertently. 4. **Scalability**: As organizations add or remove systems, the trust network evolves without heavily modifying existing integrations. 5. **User-Centric Convenience**: Users only need one set of credentials in their identity wallet to access multiple systems, improving user experience without compromising security. --- ## 6. Future Outlook While the interim approach requires the Interoperability Platform to function as a universal verifier, the ultimate vision positions direct peer-to-peer verification among systems, provided they share and trust each other’s public keys. By judiciously applying verifiable credentials and DIDs through the Hashgraph Identity Platform, organizations can seamlessly transition away from solely using a central bridging service. This model addresses the complexities of traditional federated identity solutions at scale and underscores the viability of truly decentralized identity infrastructures . --- ## 7. Conclusion Implementing identity federation with the Hashgraph Identity Platform offers the promise of secure, scalable, and interoperable credentials across multiple organizations . By leveraging verifiable credentials validated by a trusted verifier, organizations can simplify identity management while maintaining high assurance levels. In the long term, the platform’s shared trust framework permits direct credential validation without funneling requests through a central intermediary, ultimately leading to a more robust and autonomous identity ecosystem. # Example integration Using the Hashgraph Identity Platform’s trusted verifier model, two organizations—such as the Ministry of the Interior and the Ministry of Education—can securely collaborate while maintaining control over their own data and verifiable credentials (VCs). Below is a step-by-step look at how trust federation works in this scenario: 1. **Defining Access Requirements** - The Ministry of the Interior (MoI) and the Ministry of Education (MoE) discuss and agree on what user attributes or certifications are required for accessing “MASAR,” the MoE-managed service. - They define which VCs must be presented and who is authorized to issue them. This agreement is captured in the form of a Verifiable Presentation Request (VPR) that includes references to the schemas and VCs managed by the MoE. 2. **Crafting the Verifiable Presentation Request (VPR)** - Because both ministries use the Hashgraph Identity Platform, they have a shared ledger for DID (Decentralized Identifier) and schema references. - The MoI uses these common schemas and references to embed requirements for MoE-issued credentials in the VPR. For example, the VPR might dictate “Proof of enrollment in MASAR” or “MoE-approved educational certificate.” 3. **Issuance and Control of Credentials** - The MoE alone can issue the required credentials since it is the authoritative issuer for MASAR-related data. - Users needing access to MASAR must request the necessary credentials from the MoE. Although the application is managed by the MoI, only the MoE can confirm or deny issuance of the relevant VCs, retaining full control over its data. 4. **User Authentication** - When a user attempts to access the MASAR-integrated application, the application (owned by the MoI) provides the user with the signed VPR. - The user’s identity wallet reviews the VPR, sees which credentials it needs, and checks if they have been issued those credentials by the MoE. 5. **Verification via Trusted Verifier** - The user packages their credential(s) into a Verifiable Presentation (VP) aligned with the VPR and sends them to the Trusted Verifier operated on the Hashgraph Identity Platform. - The Trusted Verifier confirms that: 1. The VPR was indeed issued by the MoI. 2. The presented VCs have been properly issued by the MoE, have not been revoked and the signer controls the DID of the `Subject`. - Upon successful verification, the user receives a signed JSON Web Token (JWT) as the Access Token attesting to their valid credentials. 6. **Access Authorization** - The user presents the verifier-issued JWT to the MoI application. - The MoI application trusts the token since it is signed by the Trusted Verifier that both ministries recognize. - The application then grants the user access to MASAR data according to the privileges encoded in the JWT. 7. **Continuous Policy Control** - Both ministries can update their VCs or VPR schemas on the Hashgraph Identity Platform as policies and requirements evolve. - The MoE retains ultimate authority over who receives its credentials; the MoI enforces policies based on the verified credentials. - Trust remains decentralized: each party can audit the ledger to verify the authenticity of credentials, and no single entity can unilaterally change the access rules. Through this approach, each organization stays in control of its own data, credentials, and policies, while still benefiting from the ability to trust credentials issued by the other party. The trusted verifier bridges the gap between the ministries in a way that is both secure and privacy-preserving. ```plantuml @startuml Identity Federation !include https://raw.githubusercontent.com/plantuml-stdlib/C4-PlantUML/master/C4_Container.puml title C4 Container Diagram - Hashgraph Identity Platform System_Boundary(moi_system, "MoI IT System"){ Person(User, "User", "End user with an Identity Wallet") System(IDWallet, "Identity Wallet", "Mobile app to manage verifiable credentials and create verifiable presentations") System(MoIApp, "MoI Application", "Application accessing MoI data with an integration to MASSAR") } System_Ext(trustedVerifier, "Trusted Verifier", "A verifier operated by ADD and trusted by all ministries") System_Ext(MASSAR, "MASSAR API", "The MASSAR API endpoints which are used by the MoI App") Rel(User, IDWallet, "approve [3]") Rel(User, MoIApp, "Use Application [1]") Rel(MoIApp, IDWallet, "Retrieve VPR [2]") Rel(IDWallet, trustedVerifier, "Exchange VP for JWT [4]") Rel(IDWallet, MoIApp, "Send JWT [5]") Rel(MoIApp, MASSAR, "access API by providing JWT [6]") @enduml ```