ISO/IEC 29178 — Mobile Identification — Service Broker

A Technical Guide for Engineers and System Architects

1. Service Broker Architecture for Mobile Identification

ISO/IEC 29178 specifies the service broker functional architecture for mobile identification systems. The broker acts as an intermediary that mediates between identification service providers (ISPs) and relying parties, abstracting the complexity of multiple identification schemes behind a unified service interface. This decoupling enables application developers to integrate mobile identification without needing to understand the intricacies of each underlying identity provider.

When designing a service broker, separate the orchestration logic from the provider adapters using a plugin architecture. This allows new identity providers to be added without modifying the core broker engine — a pattern proven in enterprise service bus implementations.

The broker’s core functions include service discovery (maintaining a registry of available ISPs), request routing (directing identification requests to the appropriate provider based on context and policy), and protocol bridging (translating between the broker’s canonical protocol and each ISP’s native protocol). The standard defines a minimal set of operations that every broker must support: register, discover, invoke, and notify.

| Broker Function     | Description                    | Key Protocol Element      |
|---------------------|--------------------------------|---------------------------|
| Service Registry    | ISP capability advertisement   | WSDL / OpenAPI descriptor |
| Request Router      | Policy-based routing           | XACML policy rules        |
| Protocol Bridge     | Canonical protocol translation | REST ↔ SOAP / LDAP        |
| Transaction Monitor | Non-repudiation logging        | Audit trail (RFC 3881)    |
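The plugin split and the four mandatory operations, as an added example in Python (not code from the standard or from any broker product); the adapter interface, the simulated SOAP provider and all class and field names are assumptions:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Protocol, Set

class IspAdapter(Protocol):
    """Canonical plugin interface every ISP adapter implements (assumed names)."""
    name: str
    capabilities: Set[str]
    def identify(self, request: dict) -> dict: ...

@dataclass
class SoapIspAdapter:
    """Plugin for a simulated SOAP provider: bridges canonical <-> native messages."""
    name: str = "soap-isp"
    capabilities: Set[str] = field(default_factory=lambda: {"primary-auth"})

    def identify(self, request: dict) -> dict:
        envelope = {"Body": {"Identify": {"Subject": request["subject"]}}}  # canonical -> SOAP
        # Constructed native reply standing in for the provider's real SOAP response
        native = {"Body": {"IdentifyResponse": {"Status": "OK", "Subject": envelope["Body"]["Identify"]["Subject"]}}}
        body = native["Body"]["IdentifyResponse"]  # SOAP -> canonical
        return {"status": body["Status"].lower(), "subject": body["Subject"], "isp": self.name}

class Broker:
    """Orchestration core: the four mandatory operations, independent of any adapter."""
    def __init__(self) -> None:
        self._registry: Dict[str, IspAdapter] = {}
        self._subscribers: List[Callable[[dict], None]] = []

    def register(self, adapter: IspAdapter) -> None:
        self._registry[adapter.name] = adapter

    def discover(self, capability: str) -> List[str]:
        return sorted(n for n, a in self._registry.items() if capability in a.capabilities)

    def invoke(self, request: dict) -> dict:
        # Routing policy here is simply "first ISP advertising the capability" (a real router would apply policy rules)
        candidates = self.discover(request["capability"])
        if not candidates:
            raise LookupError(f"no registered ISP offers {request['capability']}")
        result = self._registry[candidates[0]].identify(request)
        self.notify({"event": "identified", **result})
        return result

    def subscribe(self, callback: Callable[[dict], None]) -> None:
        self._subscribers.append(callback)

    def notify(self, event: dict) -> None:
        for callback in self._subscribers:
            callback(event)
```

Adding a second provider means registering another adapter object; the Broker class itself does not change.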

2. Service Composition and Choreography

One of the most powerful features in ISO/IEC 29178 is the service composition capability. The broker can orchestrate multiple identification services into a composite workflow — for example, combining primary authentication with step-up authentication when a high-value transaction is requested. The choreography is defined declaratively using BPMN-like process definitions, enabling business analysts to modify workflows without programming.

Service composition introduces non-trivial latency: each additional step in the identification chain adds 100-500 ms. Use parallel invocation for independent checks and cache intermediate results to keep the total end-to-end time under 2 seconds.

The standard defines three composition patterns: sequential (each service runs in order), parallel (services run concurrently), and conditional (branches based on context attributes). Error handling is critical in compositions: the broker must support compensatory actions to roll back partial completions when a downstream service fails. The specification recommends the Saga pattern for long-running transactions.
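The three composition patterns together with Saga-style compensation, as an added Python example (not code from the standard); the workflow, step names, OTP value and the token-revocation stand-in are constructed for illustration:

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Ctx = Dict[str, object]

@dataclass
class Step:
    name: str
    action: Callable[[Ctx], Ctx]                         # returns attributes merged into ctx
    compensate: Optional[Callable[[Ctx], None]] = None   # Saga rollback for this step
    condition: Optional[Callable[[Ctx], bool]] = None    # guard for a conditional branch

def run_composition(stages: List[List[Step]], ctx: Ctx) -> Ctx:
    """Stages run sequentially, steps within a stage in parallel; on failure, roll back."""
    ctx, completed = dict(ctx), []
    try:
        for stage in stages:
            active = [s for s in stage if s.condition is None or s.condition(ctx)]
            with ThreadPoolExecutor(max_workers=max(1, len(active))) as pool:
                futures = [(s, pool.submit(s.action, dict(ctx))) for s in active]
            failure = None
            for step, fut in futures:   # record every success, even if a sibling step failed
                if fut.exception() is None:
                    ctx.update(fut.result()); completed.append(step)
                elif failure is None:
                    failure = fut.exception()
            if failure is not None:
                raise failure
    except Exception as exc:
        for step in reversed(completed):           # compensate in reverse completion order
            if step.compensate: step.compensate(ctx)
        raise RuntimeError(f"{exc}; compensated {[s.name for s in reversed(completed)]}") from exc
    return ctx

# Constructed workflow: primary auth and risk scoring in parallel, then conditional step-up.
revoked: List[str] = []  # stand-in for the ISP call that revokes a session token
def primary_auth(ctx: Ctx) -> Ctx: return {"token": f"tok-{ctx['subject']}"}
def revoke_token(ctx: Ctx) -> None: revoked.append(str(ctx["token"]))
def risk_score(ctx: Ctx) -> Ctx: return {"risk": 0.8 if ctx["amount"] > 1000 else 0.1}
def step_up(ctx: Ctx) -> Ctx:
    if ctx.get("otp") != "123456":
        raise PermissionError("step-up OTP rejected")
    return {"step_up": True}

WORKFLOW = [
    [Step("primary-auth", primary_auth, compensate=revoke_token), Step("risk-score", risk_score)],
    [Step("step-up", step_up, condition=lambda c: c["risk"] >= 0.5)],
]
```

When step-up fails for a high-value transaction, the token issued by primary authentication is revoked rather than left live, which is the partial-completion case the text warns about.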

3. Quality of Service and Engineering Considerations

ISO/IEC 29178 mandates specific QoS metrics for broker implementations: throughput (minimum 100 transactions per second per broker instance), availability (99.95% uptime), and maximum response time (500 ms for simple brokering, 2 seconds for composite flows). The standard also requires circuit-breaker patterns to prevent cascading failures when upstream ISPs become unresponsive.

Using a distributed hash ring (consistent hashing) for broker instance discovery eliminates single points of failure and provides linear scalability. Each broker instance handles a subset of the identifier namespace, and ring updates propagate within seconds using gossip protocols.
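A consistent-hash ring with virtual nodes that assigns identifiers to broker instances, as an added Python example (not code from the standard or any gossip library); instance names and identifiers are constructed, and the gossip transport that would propagate membership changes is out of scope:

```python
import bisect
import hashlib
from typing import Dict, List

class BrokerRing:
    """Consistent-hash ring: each broker instance owns `vnodes` points on the ring."""

    def __init__(self, instances: List[str], vnodes: int = 64) -> None:
        self.vnodes = vnodes
        self._ring: List[int] = []         # sorted ring positions
        self._owner: Dict[int, str] = {}   # position -> instance name
        for inst in instances:
            self.add(inst)

    @staticmethod
    def _hash(key: str) -> int:
        # First 8 bytes of SHA-256 give a uniform 64-bit ring position
        return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

    def add(self, instance: str) -> None:
        for i in range(self.vnodes):
            pos = self._hash(f"{instance}#{i}")
            if pos not in self._owner:     # skip the (negligible) chance of a collision
                bisect.insort(self._ring, pos)
                self._owner[pos] = instance

    def remove(self, instance: str) -> None:
        self._ring = [p for p in self._ring if self._owner[p] != instance]
        self._owner = {p: o for p, o in self._owner.items() if o != instance}

    def lookup(self, identifier: str) -> str:
        """Owner = first ring position clockwise from the identifier's hash (wraps around)."""
        if not self._ring:
            raise RuntimeError("no broker instances in ring")
        idx = bisect.bisect_right(self._ring, self._hash(identifier)) % len(self._ring)
        return self._owner[self._ring[idx]]

def reassigned_on_loss(instances: List[str], lost: str, identifiers: List[str]) -> Dict[str, str]:
    """identifier -> new owner for every identifier whose owner changes when `lost`
    leaves the ring; with consistent hashing only the keys `lost` owned move."""
    before, after = BrokerRing(instances), BrokerRing(instances)
    after.remove(lost)
    return {k: after.lookup(k) for k in identifiers if before.lookup(k) != after.lookup(k)}
```

Losing one of n instances reassigns roughly 1/n of the namespace and leaves every other instance's keys untouched, which is what makes the ring update cheap to propagate.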

From a security standpoint, the broker operates as a privileged intermediary — it must authenticate both ISPs and relying parties, enforce access control policies, and maintain an immutable audit log. The standard mandates TLS 1.3 for all inter-component communication and recommends mutual TLS (mTLS) authentication between broker instances to prevent man-in-the-middle attacks in distributed deployments.

Broker impersonation is a severe threat. If an attacker controls a rogue broker instance, they can intercept all identification traffic in that domain. Every broker instance must present a certificate issued by a domain-specific CA, and relying parties must verify the broker certificate chain before sending any identification request.
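How the two sides of that requirement look in practice, as an added example using Python's standard `ssl` module (not code from the standard); the certificate and CA file paths are placeholders, so the functions only load them when given:

```python
import ssl
from typing import Optional

def broker_server_context(ca_file: Optional[str] = None, cert_file: Optional[str] = None,
                          key_file: Optional[str] = None) -> ssl.SSLContext:
    """Broker side: TLS 1.3 only, and every peer (ISP, relying party, other broker)
    must present a certificate that chains to the domain CA (mTLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:   # placeholder path to the domain CA bundle
        # Deliberately no load_default_certs(): public roots must not vouch for brokers
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:   # placeholder paths to this instance's certificate and key
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def relying_party_context(ca_file: Optional[str] = None, cert_file: Optional[str] = None,
                          key_file: Optional[str] = None) -> ssl.SSLContext:
    """Relying-party side: verify the broker chain against the domain CA and check the hostname
    before any identification request is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED   # default for TLS_CLIENT, stated explicitly
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:   # client certificate so the broker can authenticate the relying party
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the verification policy, e.g. for a startup self-check or audit log."""
    return {"min_version": ctx.minimum_version.name, "verify": ctx.verify_mode.name,
            "hostname_check": ctx.check_hostname}
```

A connection made through `relying_party_context()` fails the handshake if the broker presents a certificate from any CA other than the domain CA, which is the impersonation case described above.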

Monitoring and observability are also addressed in the standard. Each broker must expose health check endpoints (liveness and readiness probes) and publish metrics on request volume, latency distribution, error rates by ISP, and cache hit ratios. The standard recommends integrating with Prometheus or equivalent monitoring systems and setting alerts on three key thresholds: (1) error rate exceeding 5% over a 5-minute window, (2) p99 latency exceeding 1 second for simple lookups, and (3) any ISP circuit-breaker tripping open. These alerts enable operations teams to respond to degradation before it affects end users.
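The circuit breaker required in section 3 and the three alert thresholds listed here, as one added Python example (not code from the standard or from Prometheus); the breaker parameters, metric sample format and ISP names are assumptions:

```python
import math
import time
from typing import Callable, Dict, List, Set, Tuple

class CircuitBreaker:
    """Opens after `failure_threshold` consecutive failures; after `reset_after`
    seconds one trial call is allowed (half-open) and decides close vs. re-open."""

    def __init__(self, failure_threshold: int = 5, reset_after: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failure_threshold, self.reset_after, self.clock = failure_threshold, reset_after, clock
        self.state, self.failures, self.opened_at = "closed", 0, 0.0

    def call(self, fn: Callable, *args):
        if self.state == "open":
            if self.clock() - self.opened_at < self.reset_after:
                raise RuntimeError("circuit open: ISP call short-circuited")
            self.state = "half-open"
        try:
            result = fn(*args)
        except Exception:
            self.failures += 1
            if self.state == "half-open" or self.failures >= self.failure_threshold:
                self.state, self.opened_at = "open", self.clock()
            raise
        self.state, self.failures = "closed", 0
        return result

Sample = Tuple[float, float, bool]   # (timestamp_s, latency_s, succeeded)

def evaluate_alerts(samples: List[Sample], breakers: Dict[str, CircuitBreaker],
                    now: float, window: float = 300.0) -> Set[str]:
    """Apply the three thresholds from the text to the last `window` seconds of samples."""
    recent = [s for s in samples if now - s[0] <= window]
    alerts: Set[str] = set()
    if recent and sum(not ok for _, _, ok in recent) / len(recent) > 0.05:
        alerts.add("error-rate>5%")
    latencies = sorted(lat for _, lat, _ in recent)
    if latencies and latencies[max(0, math.ceil(0.99 * len(latencies)) - 1)] > 1.0:  # nearest-rank p99
        alerts.add("p99-latency>1s")
    alerts.update(f"breaker-open:{name}" for name, cb in breakers.items() if cb.state == "open")
    return alerts
```

The breaker state doubles as the metric behind the third alert, so an ISP that trips open is reported even while the request volume in the window looks healthy.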

FAQs

Q: How does 29178 relate to 29177?
A: 29177 handles identifier resolution (where is this identifier managed?), while 29178 handles service brokering (which identification service should I use?). They complement each other in a complete mobile identification architecture.
Q: Can the broker support federated identity protocols like OpenID Connect?
A: Yes. The protocol bridge layer can translate any standard identity protocol into the broker’s canonical format. OIDC, SAML 2.0, and WS-Federation adapters are defined in the standard’s annex.
Q: What is the recommended deployment topology?
A: Active-active cluster with a minimum of three broker nodes behind a layer-7 load balancer. Each node should be stateless with session state stored in a distributed Redis cluster for failover resilience.
