Daemon Directory Services Ltd

Identity Federation Service

The DDS Identity Federation Service (IFS) is an authentication and authorisation "routing hub" offering federated single sign-on to cloud-hosted services. The IFS hub supports all industry standards for authentication and authorisation (SAML, OAUTH etc.) and is delivered as a fully managed cloud service or as a partially managed on-premise application.


  • Federates customer identity sources, ADFS, Oracle etc.
  • Provides Single-Sign-On (SSO) authentication services
  • Supports modern authentication & protocols; SAML, OpenId-Connect, OAUTH etc.
  • Provides application access control and attribute personalisation
  • Provides RESTful interfaces for Attribute management
  • Consolidation of internal and external AD & HR staff data
  • Optional connectors support legacy networks such as Windows 2003
  • User-facing staff directory service, with personal skills profiles
  • Provisioning service for application/service access management


  • Supports a department's adoption of cloud services
  • Reduces management effort through tools such as automated on-boarding
  • Improved management, using automated proactive monitoring tools
  • Easy integration through the support for identity protocols and standards
  • Secure design, developed for government using NCSC patterns and principles
  • Immediate availability as a cloud service


£0.25 to £1.25 per user per month

  • Free trial available

Service documents

G-Cloud 9


Daemon Directory Services Ltd

Max Northwood

01206 299288


Service scope
Software add-on or extension Yes
What software services is the service an extension to The IFS is a suite of services that supports any cloud service needing single sign-on. The federation service provides a "hub" that routes authentication requests to different Identity Providers. The consolidation service provides the customer with a unified view of multiple directory sources, directly supporting the federation service.
Cloud deployment model Hybrid cloud
Service constraints Identity Provider services intending to connect to the IFS hub need to support at least one of SAML-P, WS-Fed, OAUTH or OpenId-Connect authentication/authorisation protocols. Dependent services (Relying Parties) intending to connect to the hub also need to support one of the above protocols.
System requirements If installed locally, requires a Windows Server VM per service

User support
Email or online ticketing support Email or online ticketing
Support response times All incidents are graded by priority, then: Priority 1 - Response in 2 hours, fix guaranteed within 1 day; Priority 2 - Response in 4 hours, fix within 2 days; Priority 3 - Response in 1 day, fix within 3 days; Priority 4 - Response within 4 days, fix within 4 days.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels A service help desk is included in the service package. All incidents reported to the help desk are recorded in the CRM system and graded by priority 1-4. A Technical Account manager is assigned to a customer on commencement of the service. A Technical Engineer is assigned to any reported incident. A full service report, describing the nature of the fault and its fix is available to the customer on resolution of the incident.
Support available to third parties Yes

Onboarding and offboarding
Getting started The IFS service is transparent to the customer's users but does require connection to both the customer's multiple Identity Providers (IdPs) and any cloud services to which it will be providing single-sign-on authentication. The IFS service supports all commonly used identity and authentication standards and protocols but requires IdPs and RPs to support these standards too. Each IdP will need to support one of SAML, WS-TRUST or OpenId Connect; it is on-boarded into the IFS hub by an exchange of certificates and metadata. Each RP is connected to the IFS hub in a similar manner, with an exchange of certificates and metadata.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The IFS service does not persist data and so has no end-of-contract data extraction requirement.
End-of-contract process At the point that the customer disengages from the service, the service connections are closed for the customer's users. Any persisted customer data (i.e. configuration setup, metadata etc.) is retained for a period of 3 months and then deleted permanently. This allows the customer to reconnect to the service within that period with their last used settings intact.

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The web browser interface has been developed using HTML5 and the "Bootstrap" library which supports different form factor devices out-of-the-box. All browser interfaces are rigorously tested on representative devices from Apple, Android and Windows mobile to ensure compatibility for different form factors.
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing A third party company specialising in web site accessibility was engaged to independently validate the key web application interfaces in the DDS suite.
What users can and can't do using the API The service has a set of Business-to-Business (B2B) APIs for third party applications to access the staff profile and directory data within the system. The APIs support SOAP, REST and (for the directory work) LDAP protocols. The APIs are read only, with functions for searching the data (against a search string) and retrieving specific data objects (against a key). Access to the APIs is controlled by validating the calling application's credentials.
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The web interface can be customised at an organisation level by applying a 'branding' (or 'theme') for the pages. Users cannot individually customise the pages.


Independence of resources All DDS services are designed for scalability and resilience by using clustering. DDS will scale the compute power of the service by adding additional VMs and VM resources (CPU cores, RAM and Disk) as needed.


Service usage metrics Yes
Metrics types All DDS software records usage within the application logs. This information includes the total number of user requests, duration of the response to the request, with rolling average of usage totals and average response times.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting
Data export approach DDS makes staff directory and related metadata available to customers' administrators on request through the application management portal. Data can be sliced in different ways (e.g. by data set, by field, by period etc.) and can be downloaded as a file in a selected format.
Data export formats
  • CSV
  • Other
Other data export formats LDIF, XML
Data import formats
  • CSV
  • Other
Other data import formats LDIF, XML

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience
Guaranteed availability The availability of the service is 99.5%. The maximum unplanned service downtime is 3.6 hours per calendar month. Availability of the service is measured by the ability to deliver the web application service to the Internet, not end-user accessibility, which may be affected by an agency's local network supplier. Periods of scheduled maintenance are excluded from the calculation of availability.
Approach to resilience Available on request
Outage reporting The DDS Help Desk is the source of information for calculating availability. The Availability is measured as a percentage of the total actual available time against total planned available time incurred during a Payment Period.
Email alerts defining scheduled maintenance times and unscheduled downtime will be sent to registered customer administrators.

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels The application suite has web browser interfaces for administration. These are secured (a) at user level by access control and single-sign-on, and (b) by optional white-listing of IP addresses for management access.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Accreditation inherited from AWS
ISO/IEC 27001 accreditation date Unknown
What the ISO/IEC 27001 doesn’t cover Accreditation covers the environment the applications are operating in. The application code was accredited earlier in a different operating environment (at the Home Office) in 2015 by AmethystRisk for operation at the then IL3 level.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Inherited from AWS accreditation
PCI DSS accreditation date Unknown
What the PCI DSS doesn't cover The accreditation applies to the operating environment. The application was accredited by AmethystRisk in 2015.
Other security accreditations Yes
Any other security accreditations
  • Application was CHECK (tested) in 2015 by Digital Assurance
  • Application accredited to IL3 for use with Home-Office and DWP

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes DDS employs third party organisations to advise and assure its security procedures. This has resulted in a formal documented security policy which staff are required to abide by. This is aligned with ISO27001 principles and has been validated by our security advisers.

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach DDS manages all application changes using its change control system. This records each component changed, the date, and related change details such as the reason for the change, the change team, the tester and the testing undergone. Each component and any changes applied to it are unit and system tested during development and subjected to OWASP security testing. Each component of the application carries a version and revision level, which are tracked in the application package.
Vulnerability management type Supplier-defined controls
Vulnerability management approach DDS software is regularly run through two vulnerability scanners: OWASP and the 'BURP Scanner'. These test kits are regularly updated to ensure the latest threats are being tested for. Vulnerabilities regarded as critical are patched within a week of detection. Less serious vulnerabilities are patched on a 1-month cycle.
Protective monitoring type Supplier-defined controls
Protective monitoring approach DDS aligns its protective monitoring against CESG/NCSC's GPG13 guidelines. All critical actions and events within the application software are recorded on multiple log files held on virtual WORM drives. The resulting log files are scanned for exceptional situations through LogicMonitor.
Incident management type Supplier-defined controls
Incident management approach Incidents are logged at the DDS Help Desk, either by phone or email. The DDS Help Desk accepts responsibility for the call and progresses it towards resolution. The call remains open until the customer agrees that the incident can be closed. The DDS Help Desk may impose a 'STOP CLOCK' if the customer is unable to provide sufficient information and the DDS Help Desk is unable to proceed with the incident resolution. Incidents are reported back to the customer in monthly reports.

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks
Connection to public sector networks Yes
Connected networks Public Services Network (PSN)


Price £0.25 to £1.25 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial A free trial can be ordered for a period of one month. The free trial will require the customer to provide a one-off data set in a compatible format for DDS to load into the system. The data specification for this upload is available on request.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document