
Trusted Directory Will Help Millions of Citizens Find and Manage Pensions

The Client

This is a planned government initiative that aims to connect 52 million eligible adults with approximately 40,000 pension providers and schemes. With a connection deadline set for 2026, the program will aggregate data from multiple pension providers as well as the State Pension. It will enable citizens to better plan for retirement, locate lost or forgotten pensions, and make informed financial decisions.

The Challenges

This large-scale initiative requires a highly secure and reliable identity and access management (IdAM) system, ensuring that all sensitive financial data is protected while still allowing authorized users to easily access and manage pension information.

The system’s architecture needed to include an identity service, consent and authorization service, and a “pensions finder” service so that users can securely verify their identities to access their pension details. To enable this, the program required the development of a Trusted Directory, a safe and accessible foundational security framework that would serve as the trust anchor for the entire ecosystem.

It was vital that this directory ensured that only verified participants—pension recipients, pension providers, dashboard providers, and approved third-party services—can interact with the system. Security, identity verification, and access control were paramount.

The Journey

Ensono implemented a cutting-edge security architecture, and designed and delivered the core Consent and Authorization (C&A) service. This allows all third-party providers and pension data sources to authenticate and authorize in a structured, secure manner.

The solution was designed and executed with multiple, outcome-focused deliverables:

  • Establishing the Trusted Directory:
      • A centralized system was created to validate the legitimacy of all participants before they could interact with pension data
      • Integration with secure, industry-recognized identity verification sources using Multi Factor Authentication (MFA) enabled a path for robust onboarding
  • Implementing multi-layered security and access control, including:
      • User-Managed Access (UMA) protocol: For pension holders to grant and revoke access to their data with granular control over permissions
      • OAuth2 integration: Ensures token-based authentication, enabling seamless and secure access to pension information
      • Mutual TLS (mTLS) authentication: Third parties must obtain a program-issued certificate before accessing the system, guaranteeing secure interactions
  • Ensuring data integrity and authentication measures:
      • Onboarding users had to authenticate against verified industry sources before gaining access
      • Every provider was issued transport certificates and signing keys to ensure all interactions with the system were cryptographically verified
      • JSON Web Token (JWT) and key management strategies were implemented to secure exchanges of data, guarantee data authenticity and prevent unauthorized modifications
  • Establishing a scalable, cloud-based architecture:
      • The system was built on ForgeRock v7.2, deployed as a highly available Kubernetes (EKS) cluster on AWS
      • Secure API endpoints (such as custom ForgeRock IDM endpoints, ForgeRock AM APIs and ForgeRock custom data collections) enabled seamless interactions while enforcing authentication policies through ForgeRock Identity Gateway (IG)
      • Synchronization with external data sources, including Salesforce and external databases, allowed efficient data provisioning

The Outcomes Achieved

Ensono’s implementation of the Trusted Directory has established a robust security framework for the client, enabling:

  • A secure and scalable foundation that will allow millions of users to connect with their pension data
  • Secure authentication and authorization for third-party providers accessing verified pension data
  • Full compliance with government security regulations and industry best practices
  • Enforcement of access policies, ultimately allowing pension holders to control their data and manage their finances with confidence

Although the broader project is currently paused due to political considerations, Ensono has successfully delivered a crucial component that underpins the program’s security and functionality. The Trusted Directory now ensures that only verified entities can interact with the system, laying the groundwork for a secure and interconnected pensions ecosystem in the future.

The Future

With the Trusted Directory in place, the project now has a scalable and secure identity framework to support future developments and allow it to achieve its ultimate purpose.

As the program progresses, this capability will enable:

  • A seamless, user-driven pension tracking experience, where individuals can securely view all their pension details in one place
  • Enhanced collaboration between government and private sector pension providers, ensuring interoperability across multiple data sources
  • Further integration with new technologies, including potential AI-driven insights into pension planning and financial forecasting
  • Increased public trust and adoption, as users gain confidence in a highly secure and user-controlled pension information system

As pension providers and schemes connect to the dashboards, millions of citizens will benefit from an easy-to-use, transparent, and secure pensions tracking system. Ensono’s work, in partnership with Ping Identity, has provided the foundational security that will enable the project to deliver its goals in the years to come.
