Use Case: Denmark - Citizen Portal & Shared Login-service

Liberty workshop, March 20th, 2007 @ Directorate of Public Roads office (Statens vegvesen vegdirektoratet)

Center for Service Oriented Infrastructure, Danish National IT and Telecom Agency
IT Architect Søren Peter Nielsen


Page 1: Use Case: Denmark - Citizen Portal - Liberty Alliance … · Techie and Process Perspective: Integrating Service Providers; Conceptual Model: Composition, Interaction, UI etc; Requirements

Use Case: Denmark - Citizen Portal & Shared Login-service

Liberty workshop, March 20th, 2007 @ Directorate of Public Roads office (Statens vegvesen vegdirektoratet)

Center for Service Oriented Infrastructure, Danish National IT and Telecom Agency
IT Architect Søren Peter Nielsen

Page 2

Agenda

• Disclaimer
• Timeline for Danish Citizen Portal
• My Page: Plans and current status
• Integration Model
• Shared Login Service and phases for build-out

Page 3

Disclaimer

I’m not the Architect on the Danish Citizen Portal.

But I can tell you something about it anyway.

I’m the Architect on the Danish Public Sector Federation Initiative.

And I will tell you a bit about that as well.

Page 4

Timeline for the Danish Citizen Portal

• Decision to establish made in 2006
• Version 1.0 agreed between Ministry of Science and KL (local governments organisation)
• Funding for Version 2.0 with My Page agreed by all three levels of government
• Borger.dk – version 1.0 launch, January 1st, 2007. Created by merging Danmark.dk (informational portal) and Netborger.dk (PDF & e-forms portal)
• Borger.dk – version 2.0 with My Page: first version of My Page scheduled to launch Q1 2008; all relevant solutions on My Page by 2012

Page 5

[Figure only]

Page 6

Borger.dk – version 1.0

Portal for approx. 600 solutions from local, regional and central government.

Statistics Jan 3rd – 29th: 398.662 unique users (2.302.268 page views).

Page 7

Borger.dk – version 2.0

[Figure: layered diagram. Portal Layer; Shared Services; Self Service Solutions (Authority, Authority).]

A thin portal – the ”Display window”.

Page 8

The Road Towards My Page

• Integration Model – Techie and Process Perspective: Integrating Service Providers
• Conceptual Model – Composition, Interaction, UI etc
• Requirements Specs
• Development

Page 9

Vision and Concept for My Page

[Figure: two tracks.
Vision and Concept for borger.dk in 2012 – ”What does the citizen expect from the public sector in 2012?”
Vision and Concept for borger.dk in 2008 – ”What is possible in 2008?”
Inputs shown: technical options; stakeholder dialogue; 12 hypotheses for 2012; IT maturity at authorities; usability; define core services; most utilized solutions; scenario workshops; research etc.; usability testing; personas; technology; time.]

Page 10

12 Personas have been developed

• Christian, 19, Nakskov
• Ahmad, 34, Nørrebro
• Birgit, 60, Korsør
• Helle, 42, Vejle
• Anna, 27, Århus
• Bjørn, 64, Hjørring
• Peter, 33, Frederiksberg
• Maria, 34, Østerlars
• Mehtap, 21, Albertslund
• Rikke, 18, Birkerød
• Henrik, 25, Sønderborg
• Lars, 58, Svendborg

Page 11

Integration Model

• Developed to cover both Citizen Portal and Business Portal
• Describes how service providers can hook up to the portal, choosing between four ways of integration
• Input added from Technical Proof of Concept

The four ways of integration: Links, iframes, WSRP portlets, JSR 168 portlets.

Page 12

How is Authentication and SSO handled in the Portal for the four ways of integration?

Page 13

Authentication and SSO in the Portal

[Figure: überPortal; User; Links and iFrames; Authority portal A; Authority portal B.]

Page 14

Authentication and SSO in the Portal

[Figure: überPortal – and Directory; User; Loginservice (IdP); Identity Provider (IdP); Service Provider (SP); SAML 2.0 for Links and iFrames; Authority portal A; Authority portal B.]

Page 15

Remote Portlet and Composite Portlet

[Figure: überPortal; WSRP; User; Composition; Webservice (×3); Service B; Service C; Authority portal A. Each hop is marked ”Identity?”.]

WSRP … is tougher.

The Integration Model will describe tactical integration methods.

Page 16

Current Portal On-Boarding Process

[Figure: swimlane diagram. Roles: Identity Provider (IdP); Service provider; Project manager; Service developer; Development support; Account manager; Portal operations manager; Decision maker. Artifacts: IdP agreement; Contact information; Initial advice; Connection agreement; Integration advice; Test and release plans; Test results; Go-live agreement.]

Steps shown:
• Establish contact with portal owner
• Draft agreement with portal owner
• Approve agreement with service provider
• Advise on choice of integration form, tests etc.
• Choose integration form, tests etc.
• Develop service
• Advise on integration
• Establish support for service provider
• Plan tests and staging
• Prepare QA and production environment
• Carry out tests and staging
• Mark up service
• Register service with IdP
• Approve go live for service
• Go live for service

Page 17

IdP – Identity Provider

The Danish Public Sector Federation Trust organization is being established now.

Principles:
• Open Federation!
• Open and Flexible Architecture!
• Standards Based!
• Phased Build-Out
• Support for First Comers

Page 18

Functionality in the first phase will basically be Web Single Sign On.

[Figure: Loginservice; Access policies and possibly accounts for external users.]

Potential next phases:
• Delegation/Auth by Proxy
• ID-based web services (Liberty concept)
• IdP in 2nd row

Smarter Provisioning is also an important issue.

Page 19

A Final Note

• These are very exciting times – there are high expectations for the citizens Portal
• The push to establish the portal drives the development of supporting standards, architectures and components
• These standards, architectures and components also enable other kinds of solutions
• Are we about to pass a threshold which really allows us to offer a much higher degree of a services oriented public sector?

Page 20

More Info

Read more about the Danish Citizen Portal at this link (in Danish):

http://modernisering.dk/moderniseringdk/projekter/faellesoffentlig_borgerportal/

Read more about the Danish motivations for choosing SAML 2.0 here

http://www.oio.dk/arkitektur/brugerstyring/english/saml

Page 21

[Figure only]

Page 22

Status - PoC

• Citizen portal / consumer side: BOK, together with NNIT, is setting up a PoC environment based on Borger.dk
• Identity Provider (IdP): the task force and ITST expect to set up the IdP for the PoC. Dialogue with Skat
• Agreements: service providers EBST, Rødovre Kommune, Sundhed.dk/IBM, KMD, Færdselsstyrelsen/IBM+CSC

Page 23

[Figure: ”Gem fig”]

Page 24

[Figure only]

Page 25

What is needed for the Service Providers to be able to receive SAML messages?

Comply with the conformance requirements and profiles, as shown in the last 24 hours. For this there are in principle – at least – 4 options:

1. Own/acquire an integrated identity management suite which also has federation functionality
2. Buy/rent a dedicated adapter that can receive SAML and integrate with existing systems
3. Use an Open Source solution
4. Buy the functionality as a service

For the PoC it is the obvious move to ask SW vendors whether they will make software covering option 1 or 2 available during the PoC period.

Page 26

If, in the longer term, you want to do a ”roll-your-own”, there are several open source options.

And there is now a good overview of them at openLiberty.org.

InfoWorld - Portal aids development of identity-based apps: OpenLiberty offers tools, libraries to build apps using Web services standards endorsed by Liberty Alliance.

http://www.infoworld.com/article/07/01/23/HNidentityappsportal_1.

Page 27

SAML2 and ID-WSF together

• SAML2: The SP uses SAML2 to obtain the identity credential for Jane.
• ID-WSF: The SP (acting as a WSC) uses ID-WSF to invoke services at the WSPs on Jane’s behalf.

[Figure: SP/WSC; WSP; WSP; IdP; DS. SAML2 between SP and IdP; ID-WSF between SP/WSC and WSPs; WS-SX.]

Page 28

ID-WSF – New Concepts

• Web Services Client (WSC): typically, the invoker/consumer of an identity-based service
• Web Services Provider (WSP): typically, the provider of an identity-based service
• Data Services Template (DST): provides an extensible framework to produce new identity-based services above the protocol stack, allowing interoperability, e.g. ID-Personal Profile and ID-Employee Profile
• Discovery Service (DS): facilitates the registration and subsequent discovery of identity-based services
• Interaction Service (IS): allows WSPs to obtain authorizations and information directly from users
• Authentication Service (AS): authenticates Principals and provides appropriate credentials for accessing ID-WSF systems (analogous to IdP in ID-FF)

Page 29

A Service Provider

• Must be able to handle the service-provider part of the Danish SAML SSO profile, which is available in draft at www.oio.dk/arkitektur/brugerstyring. As part of this, the service provider must establish a secure connection to the Login service.
• Must comply with the SAML 2.0 Conformance requirements for Service Provider or Service Provider Lite.
• A large number of commercial products are certified as meeting these conformance requirements.
• In addition there are a number of open source libraries and implementations that support SAML 2.0: OpenSAML, LABAN, OpenSSO, …

Page 30

The tactical challenge

Page 31

Danish public sector shared service requirements for maintaining integrity of users’ identity in a gateway scenario

[Figure: Service Providers; Loginservice (IdP) with Attribute Service; SAML 2.0 between Loginservice and Service Providers. Users: Citizen, Private employee, Public employee; Login via Web or Local network; authentication means: CertAuth, existing pin-codes, uid/pw. Public employee Login: WS-Federation with SAML 1.1 token, into a Gateway that turns the WS-FED token into a SAML 2.0 token for the Service Provider.]

The desired gateway should allow service requesters to enter the federation using the WS-Federation specification and then convert the WS-Federation supplied token (presumably a SAML 1.1 token, as user attributes also should be transferred) to a SAML 2.0 token.

Page 32

Danish public sector shared service requirements for maintaining integrity of users’ identity in a gateway scenario

[Figure: same diagram as the previous page, with confidence requirements added. Service Providers served directly by the Loginservice (IdP): ”requires High confidence in asserted identity’s validity” and ”requires Some confidence in asserted identity’s validity”. Service Provider behind the Gateway (WS-Federation with SAML 1.1 token → SAML 2.0 token): ”requires High confidence in asserted identity’s validity”.]

The issue for the gateway scenario is when the service provider requires High confidence in asserted identity’s validity. This requires the assertion to be signed at the point of origin. However, even if WS-Federation allows for signing the SAML 1.1 token, this signature cannot be maintained when being converted to a SAML 2.0 token.
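To make the signature problem concrete, here is an added illustration (not code from the presentation or from the Danish federation project) that models the two paths in the figure: a public employee whose home IdP issues a SAML 1.1 token over WS-Federation that the gateway converts to SAML 2.0, and a citizen whose SAML 2.0 assertion comes straight from the Loginservice (IdP). Keys, issuer names, the JSON token layout and the HMAC signature are constructed stand-ins for X.509/XML-DSig so the script runs with the Python standard library only; the ”some” and ”high” confidence policies are modelled from the slide’s wording.

```python
import hashlib
import hmac
import json

# Constructed signing keys for this model. A real federation signs SAML assertions with
# X.509 keys and XML-DSig; HMAC is used here only so the model runs with the standard library.
IDP_KEY = b"constructed-home-idp-signing-key"            # public employee's home IdP
LOGINSERVICE_KEY = b"constructed-loginservice-signing-key"  # shared Loginservice (IdP)
GATEWAY_KEY = b"constructed-gateway-signing-key"          # WS-Federation -> SAML 2.0 gateway

# Issuers the service provider trusts, and the subset that authenticated the user themselves.
TRUSTED_ISSUERS = {"loginservice": LOGINSERVICE_KEY, "gateway": GATEWAY_KEY}
ORIGIN_ISSUERS = {"loginservice"}


def _payload(token: dict) -> bytes:
    """Canonical byte form of a token minus its signature, so the signature covers every field."""
    body = {k: v for k, v in token.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(token: dict, key: bytes) -> dict:
    """Return a copy of the token carrying a signature over all of its fields."""
    sig = hmac.new(key, _payload(token), hashlib.sha256).hexdigest()
    return {**token, "signature": sig}


def verify(token: dict, key: bytes) -> bool:
    """True only if the signature was produced over exactly these fields by the holder of `key`."""
    expected = hmac.new(key, _payload(token), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token.get("signature", ""))


def issue_wsfed_saml11(subject: str, attributes: dict) -> dict:
    """Public-employee path: the home IdP issues a SAML 1.1 token carried by WS-Federation."""
    return sign({"format": "SAML1.1", "issuer": "home-idp",
                 "subject": subject, "attributes": attributes}, IDP_KEY)


def issue_saml20_direct(subject: str, attributes: dict) -> dict:
    """Citizen path: the shared Loginservice (IdP) issues a SAML 2.0 assertion directly to the SP."""
    return sign({"format": "SAML2.0", "issuer": "loginservice",
                 "subject": subject, "attributes": attributes}, LOGINSERVICE_KEY)


def gateway_convert(saml11: dict) -> dict:
    """Gateway step: check the inbound token, then re-issue it as SAML 2.0 under the gateway's key.

    The SAML 2.0 token is a new structure, so the home IdP's signature cannot be carried over;
    the only signature the SP can check on the output is the gateway's own.
    """
    if not verify(saml11, IDP_KEY):
        raise ValueError("gateway: inbound token failed signature check, refusing to convert")
    saml20 = {"format": "SAML2.0", "issuer": "gateway", "converted_from": saml11["issuer"],
              "subject": saml11["subject"], "attributes": saml11["attributes"]}
    return sign(saml20, GATEWAY_KEY)


def sp_accept(token: dict, required_confidence: str) -> bool:
    """Service provider policy for the two confidence levels named on the slide.

    'some': a SAML 2.0 token signed by any trusted federation member (Loginservice or gateway).
    'high': the assertion must be signed at the point of origin by the IdP that authenticated
            the user, so a gateway signature is not enough; this is the gap the slide describes.
    """
    if token.get("format") != "SAML2.0":
        return False
    issuer = token.get("issuer")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        return False
    if required_confidence == "some":
        return verify(token, key)
    if required_confidence == "high":
        return issuer in ORIGIN_ISSUERS and verify(token, key)
    raise ValueError(f"unknown confidence level: {required_confidence}")


if __name__ == "__main__":
    employee = issue_wsfed_saml11("jane", {"role": "caseworker"})   # constructed sample user
    converted = gateway_convert(employee)
    print("home IdP signature still valid after conversion:", verify(converted, IDP_KEY))
    print("SP requiring some confidence accepts converted token:", sp_accept(converted, "some"))
    print("SP requiring high confidence accepts converted token:", sp_accept(converted, "high"))
    citizen = issue_saml20_direct("jane", {"role": "citizen"})
    print("SP requiring high confidence accepts Loginservice token:", sp_accept(citizen, "high"))
```

The model shows the slide’s point directly: after `gateway_convert` the home IdP’s signature no longer verifies over the SAML 2.0 token, so a service provider that needs the assertion signed at the point of origin has nothing to check except the gateway’s signature, and its trust in the asserted identity drops to its trust in the gateway. A tampered inbound token is rejected by the gateway, which protects integrity up to the gateway, but not the end-to-end chain the ”high” policy asks for.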

Page 33

The strategic challenge

Page 34

ID-WSF and WS-SX cannot interoperate

• ID-WSF: The SP (acting as a WSC) uses ID-WSF to invoke services at the WSPs on Jane’s behalf.
• SAML2: The SP uses SAML2 to obtain the identity credential for Jane.

[Figure: SP/WSC; WSP; WSP; IdP; DS. SAML2 between SP and IdP; ID-WSF between SP/WSC and WSPs; WS-SX shown separately from ID-WSF.]

Page 35

Need: ID-WSF and WS-SX must interoperate

• ID-WSF: The SP (acting as a WSC) uses ID-WSF to invoke services at the WSPs on Jane’s behalf.
• SAML2: The SP uses SAML2 to obtain the identity credential for Jane.

[Figure: SP/WSC; WSP; WSP; IdP; DS. SAML2 between SP and IdP; ID-WSF between SP/WSC and WSPs; SAML2 and WS-SX shown together.]

Page 36

There is a need for N-tier authentication

[Figure borrowed from the presentation Shibboleth-WS vs. WS-Shibboleth vs. SAML 2.0 SSO with Constrained Delegation by Francisco Pinto and Christian Fernau, 14 November 2005.]

Page 37

N-tier authentication

Current SAML profiles cover up to and including 2-tier.

[Figure borrowed from the presentation Shibboleth-WS vs. WS-Shibboleth vs. SAML 2.0 SSO with Constrained Delegation by Francisco Pinto and Christian Fernau, 14 November 2005.]

Page 38

Levels of authentication assurance

• Level 1 - Little or no confidence in the asserted identity
• Level 2 - Some confidence in the asserted identity
• Level 3 - High confidence in the asserted identity
• Level 4 - Very high confidence in the asserted identity

The recommended level is determined from an assessment of the risks, i.e. what consequences can occur in case of error, and the probability of that error.

Page 39

For each level there are technical measures, e.g.:

• Level 1 – e.g. nothing, cookies (little or no confidence in the asserted identity)
• Level 2 – e.g. username/password (some confidence in the asserted identity)
• Level 3 – e.g. digital signature (high confidence in the asserted identity)
• Level 4 – e.g. multi-factor tokens, biometric solutions, .. (very high confidence in the asserted identity)

The guideline does not cover recommendations on specific technologies; reference is made to the Electronic Authentication Guideline from NIST. Which technical measures fit each level can be re-assessed from time to time WITHOUT any need for a new risk/business assessment of existing solutions. The levels of authentication assurance that were determined remain valid.