Use Case: Denmark - Citizen Portal & Shared Login-service. Liberty workshop, March 20th, 2007 @ Directorate of Public Roads office (Statens vegvesen vegdirektoratet). Center for Service Oriented Infrastructure, Danish National IT and Telecom Agency. IT Architect Søren Peter Nielsen.

Agenda
- Disclaimer
- Timeline for the Danish Citizen Portal
- My Page: plans and current status
- Integration Model
- Shared Login Service and phases for build-out

Disclaimer: I'm not the architect on the Danish Citizen Portal, but I can tell you something about it anyway. I'm the architect on the Danish Public Sector Federation Initiative, and I will tell you a bit about that as well.

Timeline for the Danish Citizen Portal
- Decision to establish made in 2006. Version 1.0 agreed between the Ministry of Science and KL (the local governments' organisation). Funding for Version 2.0 with My Page agreed by all three levels of government.
- Borger.dk version 1.0 launched January 1st, 2007, created by merging Danmark.dk (informational portal) and Netborger.dk (PDF and e-forms portal).
- Borger.dk version 2.0 with My Page: first version of My Page scheduled to launch Q1 2008; all relevant solutions on My Page by 2012.

Borger.dk version 1.0: portal for approx. 600 solutions from local, regional and central government. Statistics, Jan 3rd to 29th: 398,662 unique users (2,302,268 page views).

Borger.dk version 2.0 (diagram): a thin Portal Layer, the "display window", on top of Shared Services and the authorities' Self Service Solutions.

The Road Towards My Page: Integration Model (techie and process perspective, integrating service providers); Conceptual Model (composition, interaction, UI etc.); Requirements Specs; Development.

Vision and Concept for My Page (diagram, time axis)
- Vision and concept for borger.dk in 2012: What does the citizen expect from the public sector in 2012? 12 hypotheses for 2012, scenario workshops, research etc.
- Inputs: technical options, stakeholder dialogue, IT maturity at the authorities, usability testing, personas.
- Vision and concept for borger.dk in 2008: What is possible in 2008? Define the core service, the most utilized solutions, technology.

12 personas have been developed: Ahmad (34), Anna (27), Birgit (60), Bjørn (64), Christian (19), Helle (42), Henrik (25, Sønderborg), Lars (58, Svendborg), Maria (34), Mehtap (21), Rikke (18, Birkerød) and Peter (33, Frederiksberg), placed in towns across the country including Vejle, Nørrebro, Århus, Korsør, Hjørring, Nakskov, Østerlars and Albertslund.

Integration Model: developed to cover both the Citizen Portal and the Business Portal. Describes how service providers can hook up to the portal, choosing between four ways of integration, with input added from the Technical Proof of Concept. Among them: links and iframes, WSRP portlets, JSR 168 portlets.

How are authentication and SSO handled in the Portal for the four ways of integration?

Authentication and SSO in the Portal (diagram): the user, the überportal, and links and iframes into Authority portal A and Authority portal B.

Authentication and SSO in the Portal (diagram): the user, the überportal, and a directory ("Vejviser"); the Login service acts as Identity Provider (IdP), the authority portals A and B as Service Providers (SP), with SAML 2.0 covering the links-and-iframes case.

Remote Portlet and Composite Portlet (diagram): the user, the überportal composing WSRP portlets and web services from Authority portal A, Service B and Service C. WSRP composition is tougher: at each web service the question "Identity?" arises. The Integration Model will describe tactical integration methods.

Current Portal On-Boarding Process (swimlane diagram with the roles Service provider (project manager, developer), Portal owner (account manager, operations manager), IdP and Decision maker)
- Service provider: establish contact with the portal owner; choose integration form, tests etc.; draw up the agreement with the portal owner; develop the service; mark up the service; register the service with the IdP (IdP agreement); plan tests and staging; carry out tests and staging; go live for the service.
- Portal owner: contact information and initial advice; advise on choice of integration form etc.; advise on integration; development support; establish support for the service provider; plan tests and staging; prepare the QA and production environments; carry out tests and staging; go live for the service.
- Decision maker: approve the agreement with the service provider; approve go-live for the service.
- Artifacts exchanged: contact information, initial advice, test and release plans, connection agreement, integration advice, test results, go-live agreement.

IdP (Identity Provider): the Danish Public Sector Federation trust organization is being established now. Principles: Open Federation! Open and Flexible Architecture! Standards Based! Phased build-out, with support for first comers.

Functionality in the first phase will basically be Web Single Sign-On: the Login service, access policies, and possibly accounts for external users. Potential next phases: delegation / authentication by proxy, ID-based web services (Liberty concept), IdP in the 2nd row. Smarter provisioning is also an important issue.

A Final Note: These are very exciting times. There are high expectations for the Citizens Portal. The push to establish the portal drives the development of supporting standards, architectures and components, and these standards, architectures and components also enable other kinds of solutions. Are we about to pass a threshold which really allows us to offer a much higher degree of a service-oriented public sector?

More Info Read more about the Danish Citizen Portal at this link (in Danish) http://modernisering.dk/moderniseringdk/projekter/faellesoffentlig_borgerportal/ Read more about the Danish motivations for choosing SAML 2.0 here http://www.oio.dk/arkitektur/brugerstyring/english/saml

Status - PoC. Citizen portal / consumer side: BOK, together with NNIT, is setting up a PoC environment based on Borger.dk. Identity Provider (IdP): the Taskforce and ITST expect to set up an IdP for the PoC. Dialogue with Skat. Agreements: service providers + EBST, Rødovre Kommune, Sundhed.dk/IBM, KMD, Færdselsstyrelsen/IBM+CSC.


What does it take for the service providers to be able to receive SAML messages? They must comply with the conformance requirements and profiles shown over the last 24 hours. In principle there are at least four options:
1. Own or acquire an integrated identity management suite that also has federation functionality.
2. Buy or rent a dedicated adapter that can receive SAML and integrate with existing systems.
3. Use an open source solution.
4. Buy the functionality as a service.
For the PoC the obvious move is to ask the software vendors whether they will make software covering option 1 or 2 available for the PoC period.

If, in the longer term, one wants to roll your own, there are several open source options, and there is now a good overview of them on openliberty.org. InfoWorld, "Portal aids development of identity-based apps": OpenLiberty offers tools and libraries to build apps using Web services standards endorsed by the Liberty Alliance. http://www.infoworld.com/article/07/01/23/hnidentityappsportal_1.

SAML2 and ID-WSF together (diagram: SP/WSC, two WSPs, IdP, DS; protocols SAML2, ID-WSF, WS-SX). SAML2: the SP uses SAML2 to obtain the identity credential for Jane. ID-WSF: the SP (acting as a WSC) uses ID-WSF to invoke services at the WSPs on Jane's behalf.

ID-WSF New Concepts
- Web Services Client (WSC): typically the invoker/consumer of an identity-based service.
- Web Services Provider (WSP): typically the provider of an identity-based service.
- Data Services Template (DST): provides an extensible framework to produce new identity-based services above the protocol stack, allowing interoperability, e.g. ID-Personal Profile and ID-Employee Profile.
- Discovery Service (DS): facilitates the registration and subsequent discovery of identity-based services.
- Interaction Service (IS): allows WSPs to obtain authorizations and information directly from users.
- Authentication Service (AS): authenticates principals and provides appropriate credentials for accessing ID-WSF systems (analogous to the IdP in ID-FF).

A Service Provider must be able to handle the service-provider side of the Danish SAML SSO profile, which is available in draft at www.oio.dk/arkitektur/brugerstyring. In particular, the service provider must establish a secure connection to the Login service. It must comply with the SAML 2.0 Conformance requirements for Service Provider or Service Provider Lite. A large number of commercial products are certified to meet these conformance requirements. In addition there are a number of open source libraries and implementations that support SAML 2.0: OpenSAML, LABAN, OpenSSO, ...
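To make "handling the service-provider side" concrete, here is an added example (not from the presentation and not from the OIO profile) of the checks an SP has to run on a SAML 2.0 Response once the XML signature has been verified: Destination and InResponseTo against its own ACS URL and outstanding request, Issuer against the Login service, Status, the Conditions time window and AudienceRestriction, the bearer SubjectConfirmationData, and a one-time-use record of assertion IDs. The Login service URL, SP entity ID, ACS URL, request ID and the response itself are constructed for the example, and signature verification is assumed to have been done by an XML-DSig library before these checks, because the Python standard library has none.

```python
"""SP-side validation of a SAML 2.0 Response (added example; names and URLs are constructed)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed identifiers for a hypothetical Login service and SP.
IDP = "https://login.example.dk/idp"
SP_ENTITY = "https://sp.example.dk"
ACS = "https://sp.example.dk/saml/acs"

# Constructed response, as the SP's ACS endpoint would receive it after base64-decoding.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2007-03-20T10:00:00Z" Destination="{ACS}" InResponseTo="_req42">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-03-20T10:00:00Z">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>jane</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS}" InResponseTo="_req42" NotOnOrAfter="2007-03-20T10:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2007-03-20T09:59:00Z" NotOnOrAfter="2007-03-20T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, now, outstanding_requests, seen_assertions,
                      signature_verified, skew=timedelta(seconds=60)):
    """Return the list of reasons to reject; an empty list means accept.

    signature_verified is the outcome of XML-DSig verification against the Login
    service's certificate, done by a real library before calling this (assumption);
    the checks below are the ones still needed once the signature is good."""
    errors = []
    if not signature_verified:
        errors.append("signature not verified against the IdP certificate")
    root = ET.fromstring(xml_text)
    req_id = root.get("InResponseTo")
    if root.get("Destination") != ACS:
        errors.append("Destination is not our ACS URL")
    if req_id not in outstanding_requests:
        errors.append("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("Status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no plaintext Assertion (EncryptedAssertion not handled here)"]
    for who, node in (("Response", root), ("Assertion", assertion)):
        issuer = node.find("saml:Issuer", NS)
        if issuer is None or issuer.text != IDP:
            errors.append(f"{who} Issuer is not the Login service")
    if assertion.get("ID") in seen_assertions:
        errors.append("Assertion ID already consumed (replay)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Conditions missing")
    else:
        if cond.get("NotBefore") and now + skew < _utc(cond.get("NotBefore")):
            errors.append("Assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _utc(cond.get("NotOnOrAfter")):
            errors.append("Assertion expired")
        if SP_ENTITY not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            errors.append("we are not in the AudienceRestriction")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("SubjectConfirmationData missing")
    else:
        if scd.get("Recipient") != ACS or scd.get("InResponseTo") != req_id:
            errors.append("bearer confirmation is not for this SP / request")
        if scd.get("NotOnOrAfter") and now - skew >= _utc(scd.get("NotOnOrAfter")):
            errors.append("bearer confirmation expired")
    if not errors:  # consume the one-time values only on acceptance
        seen_assertions.add(assertion.get("ID"))
        outstanding_requests.discard(req_id)
    return errors


def demo():
    """Accept the constructed response once, then reject its replay and a copy aimed at another SP."""
    now = datetime(2007, 3, 20, 10, 1, tzinfo=timezone.utc)
    seen = set()
    accepted = validate_response(SAMPLE_RESPONSE, now=now, outstanding_requests={"_req42"},
                                 seen_assertions=seen, signature_verified=True)
    replayed = validate_response(SAMPLE_RESPONSE, now=now, outstanding_requests={"_req42"},
                                 seen_assertions=seen, signature_verified=True)
    retargeted = validate_response(SAMPLE_RESPONSE.replace(SP_ENTITY + "<", "https://other.example.dk<"),
                                   now=now, outstanding_requests={"_req42"},
                                   seen_assertions=set(), signature_verified=True)
    return accepted, replayed, retargeted


if __name__ == "__main__":
    for label, result in zip(("accepted", "replayed", "retargeted"), demo()):
        print(label, result or "OK")
```

The replay and audience checks are the ones most often missing in home-grown SPs: a signed assertion is a bearer credential, so without the seen-ID record and the AudienceRestriction check any SP in the federation could replay a valid assertion captured at another SP.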

The tactical challenge

Danish public sector shared service requirements for maintaining the integrity of users' identity in a gateway scenario (diagram): the Login service (IdP) with an Attribute Service issues SAML 2.0 to the Service Providers. Citizens, private employees and public employees log in over the web or the local network with certificate authentication, existing PIN codes or uid/pw and receive a SAML 2.0 token. Public employees may instead log in via WS-Federation with a SAML 1.1 token at a Gateway, which converts the WS-Federation token into a SAML 2.0 token for the Service Provider. The desired gateway should allow service requesters to enter the federation using the WS-Federation specification and then convert the WS-Federation supplied token (presumably a SAML 1.1 token, as user attributes should also be transferred) to a SAML 2.0 token.

The same diagram annotated with confidence requirements: the Service Providers fed directly by the Login service (IdP) over SAML 2.0 require high confidence in the asserted identity's validity; a Service Provider behind the Gateway (WS-Federation with a SAML 1.1 token) may require some or high confidence. The issue for the gateway scenario is when the service provider requires high confidence in the asserted identity's validity. This requires the assertion to be signed at the point of origin. However, even if WS-Federation allows for signing the SAML 1.1 token, this signature cannot be maintained when the token is converted to a SAML 2.0 token.
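The following model, added here and not part of the presentation, spells that point out in running code: the Login service signs a SAML 1.1-shaped token, the gateway converts it to SAML 2.0 vocabulary, the original signature no longer verifies over the converted bytes, so the gateway has to re-sign, and the SP can then trust the assertion no more than it trusts the gateway. Per-issuer HMAC keys stand in for the XML-DSig signing keys and certificates (the argument is about which key signed which bytes, not about the primitive); the issuer names, claims and the mapping of "some" and "high" confidence to levels 2 and 3 of the assurance scale used later in the deck are constructed for the example.

```python
"""Why a WS-Federation/SAML 1.1 -> SAML 2.0 gateway cannot carry the IdP's signature across (added example)."""
import hashlib
import hmac
import json

# Constructed per-issuer keys; HMAC stands in for XML-DSig, where the SP would hold certificates instead.
ISSUER_KEYS = {"loginservice": b"idp-signing-key", "gateway": b"gateway-signing-key"}

# SP trust policy: how much confidence each signer can vouch for (constructed: "some" = 2, "high" = 3).
ISSUER_CONFIDENCE = {"loginservice": 3, "gateway": 2}
LEVEL = {"some": 2, "high": 3}


def sign(issuer, claims):
    """Issue a token: canonical bytes plus a MAC under the issuer's key."""
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "signature": mac}


def verify(token):
    """Check the signature with the key of the claimed issuer; unknown issuers fail."""
    key = ISSUER_KEYS.get(token["issuer"])
    if key is None:
        return False
    expected = hmac.new(key, token["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["signature"])


def saml11_to_saml2(claims):
    """The gateway's format conversion: same facts, different structure, hence different bytes."""
    return {"Version": "2.0",
            "Subject": {"NameID": claims["NameIdentifier"]},
            "AttributeStatement": claims["Attributes"],
            "AuthnContextClassRef": claims["AuthenticationMethod"]}


def origin_signature_survives(saml11_token):
    """Attempt to keep the Login service's signature on the converted token.

    It cannot verify: the MAC was computed over the SAML 1.1 bytes and the SAML 2.0
    bytes differ, which is exactly why the gateway cannot forward the origin signature."""
    converted = saml11_to_saml2(json.loads(saml11_token["body"]))
    carried = dict(saml11_token, body=json.dumps(converted, sort_keys=True).encode())
    return verify(carried)


def gateway_convert(saml11_token):
    """What the gateway can actually do: verify the incoming token, then re-issue under its own key."""
    if not verify(saml11_token):
        raise ValueError("incoming WS-Federation token failed verification")
    return sign("gateway", saml11_to_saml2(json.loads(saml11_token["body"])))


def sp_accepts(token, required):
    """SP decision: the signature must verify AND the signer must be trusted for the required level."""
    return verify(token) and ISSUER_CONFIDENCE[token["issuer"]] >= LEVEL[required]


def demo():
    """Run the scenario; returns the four outcomes the slide argues about."""
    saml11 = sign("loginservice", {"Version": "1.1", "NameIdentifier": "jane",
                                    "Attributes": {"role": "public employee"},
                                    "AuthenticationMethod": "certificate"})  # constructed claims
    via_gateway = gateway_convert(saml11)
    direct = sign("loginservice", saml11_to_saml2(json.loads(saml11["body"])))  # same claims, signed at origin
    return {"origin_signature_survives": origin_signature_survives(saml11),
            "gateway_token_ok_for_some": sp_accepts(via_gateway, "some"),
            "gateway_token_ok_for_high": sp_accepts(via_gateway, "high"),
            "direct_token_ok_for_high": sp_accepts(direct, "high")}


if __name__ == "__main__":
    print(demo())
```

The point the SP policy encodes is that a gateway is itself an issuer: whatever assurance the public employee's certificate login earned at the Login service is, after conversion, only as credible as the gateway that now signs for it.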

The strategic challenge

ID-WSF and WS-SX cannot interoperate (the "SAML2 and ID-WSF together" diagram again: the SP uses SAML2 to obtain the identity credential for Jane, then as a WSC uses ID-WSF to invoke services at the WSPs on Jane's behalf, with WS-SX alongside).

Need: ID-WSF and WS-SX must be able to interoperate (same diagram).

There is a need for N-tier authentication. Figure borrowed from the presentation "Shibboleth-WS vs. WS-Shibboleth vs. SAML 2.0 SSO with Constrained Delegation" by Francisco Pinto and Christian Fernau, 14 November 2005.

N-tier authentication: the current SAML profiles cover up to and including 2-tier. Figure borrowed from the same Pinto and Fernau presentation, 14 November 2005.

Levels of authentication assurance
- Level 1 - little or no confidence in the asserted identity
- Level 2 - some confidence in the asserted identity
- Level 3 - high confidence in the asserted identity
- Level 4 - very high confidence in the asserted identity
The recommended level is determined from an assessment of risk, i.e. which consequences can arise from an error and how likely they are.

For each level there are technical measures, e.g.
- Level 1 (little or no confidence): e.g. nothing, cookies
- Level 2 (some confidence): e.g. username/password
- Level 3 (high confidence): e.g. digital signature
- Level 4 (very high confidence): e.g. multi-factor tokens, biometric solutions, ...
The guideline does not cover recommendations on specific technologies; it refers to NIST's Electronic Authentication Guideline. Which technical measures fit each level can be reassessed periodically WITHOUT any new risk or business assessment of existing solutions: the assurance levels that were determined remain valid.