Authentication, Authorisation, Accounting

Description: Authentication, Authorisation, Accounting. Experience and Status – Austria - Overview. Governmental AA(A) systems in Austria: Citizen to Government (C2G) – Austrian Citizen Card (eID) / MOA, authentication / authorisation; Business to Government (B2G). PowerPoint presentation, 33 slides, 26 February 2014.

Transcript of Authentication, Authorisation, Accounting

Page 1: Authentication, Authorisation, Accounting

26 February 2014

Authentication, Authorisation, Accounting
Experience and Status – Austria - Overview

Page 2: Authentication, Authorisation, Accounting

Authentication, Authorization and Accounting – Austria

Governmental AA(A) Systems in Austria

• Citizen to Government (C2G): Austrian Citizen Card (eID) / MOA – Authentication / Authorisation

• Business to Government (B2G): Unternehmensserviceportal (portal for business company services) – Authentication / Authorisation

• Government to Government (G2G): Austrian Portal Federation (Portalverbund) – Authentication / Authorisation / Accounting

G2G experiences are the main focus of this presentation.

17-18 March 2014, DI Wolfgang Tinkl, Peter Pichler

Page 3: Authentication, Authorisation, Accounting

Citizen to Government Use Cases

Page 4: Authentication, Authorisation, Accounting

C2G / Austrian Citizen Card / MOA-ID* (STORK)

• Established chip-card and mobile TAN (two-factor system using phones) authentication system

• User numbers increase permanently

• Integrated in the STORK project

• Social Security Card (and others) can be used as chip-card

* MOA is the name of the Austrian open source software for the national e-ID solution. MOA-ID is responsible for authentication. (MOA… Modules for Online Applications)

Page 5: Authentication, Authorisation, Accounting

C2G Authorisation (MOA-VV)

(German: “Vollmachten und Vertretungen”, roughly “service for electronic letters of attorney”)

In the C2B e-government system, authorisation in concrete terms is mainly the process by which one citizen allows someone else to act on his/her behalf.

The first technical approach was to store proxy authorisations directly on the card. Because of technical and practical problems (e.g. most citizens prefer the mobile phone solution over the chip card, which requires special hardware), we shifted to a server-based solution.

Page 6: Authentication, Authorisation, Accounting

Current Status / Authorisation C2G

• There is a service from the Austrian data protection authority to create electronic letters of attorney.

• Currently the service is not used very much, and only a few services support the use of electronic letters of attorney.

• We are currently working on converting the authentication information from the C2G authorisation into the format used for G2G use cases (PVP), to make it easier for services to support electronic letters of attorney.

Page 7: Authentication, Authorisation, Accounting

Business to Government Use Cases

Page 8: Authentication, Authorisation, Accounting

Unternehmensserviceportal / Authentication and Authorisation Infrastructure for corporations

In 2010 a central e-government AA infrastructure for all companies was introduced (USP – Unternehmensserviceportal).

For authentication, the Austrian Citizen Card is used, as well as a username/password system that was already used before by the Ministry of Finance for the e-taxation system (FinanzOnline).

Some services (e.g. the register of lobbyists) are available only with the Austrian Citizen Card (chip card or mobile TAN).

Page 9: Authentication, Authorisation, Accounting

Unternehmensserviceportal / Authentication and Authorisation Infrastructure for corporations

Authorisation in this use case means that a company decides which member of staff may/should use which e-government service.

An important challenge is to set up the processes for authorisation management within the companies.

Another main challenge was to create a register of all companies.

Page 10: Authentication, Authorisation, Accounting

Government to Government Use Cases

Page 11: Authentication, Authorisation, Accounting

Austria is a truly federal republic

• 9 Austrian Federal States with their own legislation

Page 12: Authentication, Authorisation, Accounting

Austria is a truly federal republic

• 118 political districts

Page 13: Authentication, Authorisation, Accounting

Austria is a truly federal republic

• > 2000 communities (municipalities) with their own local authority

Page 14: Authentication, Authorisation, Accounting

Many governmental and government-related agencies with different responsibilities

• Ministries, Federal State Governments, Courts, …

• Special topic agencies (statistics, environment protection, financial auditing, food safety, drug studies, calibration and measurement, water protection, IT services, …)

• Governmental insurance agencies

• Compulsory interest groups for business corporations, employees, farmers, advocates, …

• and so on

Page 15: Authentication, Authorisation, Accounting

Challenges for Governmental IT Services in Government To Government Use Cases (G2G)

[Figure: Organisation A (Service A1, Service A2), Organisation B (Service B1), Organisation C (Service C1). Caption: Different organisations use and/or provide services.]

Page 16: Authentication, Authorisation, Accounting

Challenges for Governmental IT Services in Government To Government Use Cases (G2G)

[Figure: the same organisation/service diagram as on page 15. Caption: Implement AAA within the service?]

Page 17: Authentication, Authorisation, Accounting

Challenges for Governmental IT Services in Government To Government Use Cases (G2G)

[Figure: the same organisation/service diagram as on page 15. Caption: Managing users and rights separately for each service is not manageable in a secure way!]

Page 18: Authentication, Authorisation, Accounting

Challenges for Governmental IT Services (G2G)

• Authorisation management: It is not the person who has the right to use a G2G service, but the organisation he/she works for. The agency delegates these rights to the staff who need the service because of the scope of their duties. If responsibilities within the organisation change, the authorisations also have to be adapted.

• Credential management: password, certificate and chip-card management.

• Account and identity management: account registration needs a solid identification, which is much easier if the user requesting the account is physically present (passport check).

Page 19: Authentication, Authorisation, Accounting

Austrian Solution – Federation of Governmental Organisations

[Figure: User and System-User at the user's home organisation → Identity Provider (IdP) with AAA Data Store → PVP (protocol) → Service Provider (SP) → Service Implementation at the organisation providing a service. Label on the SP side: IdPs, authorisation profiles for foreign organisations. TRUST: SPs can trust AAA info from federation members because of a multilateral contract between the participating organisations (§ PVV).]

Page 20: Authentication, Authorisation, Accounting

Austrian Solution – Federation

• Organisations that want to access services of other organisations use an Identity Provider (User Portal*). They can use their own infrastructure or a shared infrastructure.

• Access rights for all governmental applications are managed by the home organisation of the user.

• Organisations providing services have Service Providers (Application Portals*).

• A multilateral contract between all participants allows Service Providers to trust the authentication, authorisation and accounting information passed to them from IdPs of the federation. (German: “Portalverbund Vereinbarung”, roughly “Portal Federation Agreement”)

* Before integrating SAML2, we used the term “User Portal” for Identity Provider (IdP) and “Application Portal” for Service Provider (SP).

Page 21: Authentication, Authorisation, Accounting

[Figure: timeline 2001–2015 of the Austrian Portal Federation. Milestones: Central Residence Register; BM.I Gateway Protocol; PVP 1.5 (technical protocol); PVV 1.0 (multilateral agreement); Standard-Portal 1.0 (common software); PVP 2.0 (+ SAML2 Web SSO); Standard-Portal 2.0. Axis: 2001, 2003, 2005, 2007, 2010, 2013, 2015.]

Usage 2010: PVV (G2G): > 130 000 registered users, > 400 services. PVP (technology): > 600 000 registered users, > 600 not federated services.

Page 22: Authentication, Authorisation, Accounting

History, Timeline (-2005)

• An important driver for creating an Austrian governmental AAA infrastructure was the launch of the computer-based Central Residence Register.

• The predecessor of the technical protocol was a protocol of the Ministry of the Interior (BM.I Gateway Protocol).

• In 2002 the first common specification of the technical protocol was written (PVP 1.4.1 and 1.5), together with the multilateral contract (PVV 1.0, still valid today) that allows participants to trust each other and defines the rights and obligations of Identity Providers and Service Providers.

• In 2004 many participants decided to build a common software for the Austrian Portal Federation: the PVP Standardportal, developed by the Ministry of the Interior and the LFRZ (an IT company under the control of the Ministry of Agriculture).

Page 23: Authentication, Authorisation, Accounting

History, Timeline (2005-2010)

• By 2010 the federation was established. All ministries, federal state administrations and local community administrations (> 2000) can access services of the federation. Many special topic organisations also have access to the federation and/or provide services. Internal applications are also developed using the common AAA standards, and the federated portal technologies are also used for organisation-internal citizen portals.

• Already in 2010 there were more than 130,000 registered G2G users and more than 600,000 non-G2G users. Millions of transactions are handled every day (e.g. Ministry of the Interior: 2 million transactions/day).

Page 24: Authentication, Authorisation, Accounting

History, Timeline (2010-now)

• From 2010 on, the responsible specification group developed version 2.0 of the PVP protocol, creating a PVP variant based on the Web Single Sign-On profile of SAML 2 and the eGovernment profile of the Kantara Initiative (PVP2 S(AML) Profile).

• From 2012 to 2014 the Standardportal was extended to support PVP 2.

• Currently we are working on bringing PVP2 into productive systems and on building up the central services required for a SAML federation (e.g. central SAML metadata services).

Page 25: Authentication, Authorisation, Accounting

Technology – PVP R-Profile – Austrian Standard

[Figure: User / System-User → Identity Provider (IdP) → Service Provider (SP) → Service Implementation. Transport: HTTP / SOAP over HTTP, with X509 certificates on the IdP and SP sides.]

Identity Providers act as a non-transparent reverse proxy (every HTTP request is passed over IdP and SP; non-transparent means that the portals have their own DNS names).

Page 26: Authentication, Authorisation, Accounting

Technology – PVP R-Profile – Austrian Standard

• IdPs and SPs act as a non-transparent reverse proxy (every HTTPS request is passed over IdP and SP; non-transparent means that the portals have their own DNS names).

• SPs authenticate the foreign IdP and trust it, limited by trust profiles that describe the maximal authorisations of a foreign organisation.

• Authentication between IdP and SP is mainly done using certificates for the HTTPS traffic.

• Authentication and authorisation information is transported in HTTP headers with each request.
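The R-Profile bullets above describe the two things an SP has to do before it trusts a proxied request: authenticate the peer as a federation IdP (certificates on the HTTPS connection) and clip whatever that IdP asserts to the trust profile of the sending organisation, which is where the organisation-level rights from page 18 are enforced on the service side. The following Python sketch is an added example written for this transcript, not code from PVP, the Standardportal or the presenters. The header names (X-PVP-USERID, X-PVP-PARTICIPANT-ID, X-PVP-ROLES), the certificate subjects, the role syntax and the trust profiles are constructed assumptions; the real header set is defined in the PVP specification, which this page does not reproduce.

```python
"""SP-side acceptance of PVP R-Profile style requests (added example).

Assumptions (constructed, not from the presentation):
- the SP's TLS front end has already verified the IdP's client certificate
  and hands its subject to us as a string;
- AAA data arrives in the headers X-PVP-USERID, X-PVP-PARTICIPANT-ID and
  X-PVP-ROLES (illustrative names);
- roles are ';'-separated tokens, optionally with a '(param=value)' suffix.
"""
from dataclasses import dataclass, field

# Trust profile per federation partner: the maximal set of roles the SP
# accepts from that organisation's IdP, whatever the IdP asserts.
# Constructed sample data, keyed by the IdP client-certificate subject.
TRUST_PROFILES = {
    "CN=idp.org-a.example,O=Organisation A": {"inspire-editor", "inspire-reader"},
    "CN=idp.org-b.example,O=Organisation B": {"inspire-reader"},
}


class RejectedRequest(Exception):
    """Raised when the request must not reach the service."""


@dataclass
class Principal:
    user_id: str
    participant: str                            # the user's home organisation
    roles: set = field(default_factory=set)     # effective roles
    dropped: set = field(default_factory=set)   # asserted, but outside the trust profile


def parse_roles(header_value):
    """'editor(x=1);reader' -> {'editor', 'reader'}; parameters are discarded here."""
    roles = set()
    for token in header_value.split(";"):
        token = token.strip()
        if token:
            roles.add(token.split("(", 1)[0].strip().lower())
    return roles


def authorise_request(client_cert_subject, headers):
    """Return the effective Principal for one proxied request, or raise.

    The order matters: identity headers are read only after the peer has
    been identified as a federation IdP. On a connection without a known
    client certificate they are ignored entirely, because any direct client
    could have set them.
    """
    if client_cert_subject not in TRUST_PROFILES:
        raise RejectedRequest("peer is not an authenticated federation IdP")

    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    user_id = (h.get("x-pvp-userid") or "").strip()
    participant = (h.get("x-pvp-participant-id") or "").strip()
    if not user_id or not participant:
        raise RejectedRequest("identity headers missing")

    asserted = parse_roles(h.get("x-pvp-roles", ""))
    allowed = TRUST_PROFILES[client_cert_subject]
    return Principal(
        user_id=user_id,
        participant=participant,
        roles=asserted & allowed,
        dropped=asserted - allowed,   # worth logging: the IdP over-asserted
    )


def requires(principal, role):
    """Service-side check for one function of the application."""
    return role in principal.roles


if __name__ == "__main__":
    # Constructed request as it would arrive via Organisation B's IdP.
    req_headers = {
        "X-PVP-USERID": "jdoe",
        "X-PVP-PARTICIPANT-ID": "AT:ORG-B",
        "X-PVP-ROLES": "inspire-editor(region=AT-9);inspire-reader",
    }
    p = authorise_request("CN=idp.org-b.example,O=Organisation B", req_headers)
    print(p.roles, p.dropped)          # {'inspire-reader'} {'inspire-editor'}
    try:
        authorise_request("CN=some-browser", req_headers)
    except RejectedRequest as e:
        print("rejected:", e)
```

Two design choices carry the security point of the slide: the headers are never consulted before the peer is known to be a federation IdP, and roles outside the organisation's trust profile are recorded in `dropped` instead of being silently discarded, so an IdP that asserts more than its contract allows becomes visible in the accounting logs.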

Page 27: Authentication, Authorisation, Accounting

Technology – S-Profile – PVP using the SAML2 Web SSO Profile

[Figure: the user's browser authenticates at the IdP and uses the service at the SP.]

In the PVP2 S-Profile, users access the service directly. When a service needs to authenticate a user, it passes control over the user's browser to the IdP (after asking the user which IdP should be used = IdP discovery). After authentication the IdP sends a SAML response to the SP and hands control over the browser back. Messages are signed using XML signatures to ensure they originate from a member of the federation.

Page 28: Authentication, Authorisation, Accounting

Technology: Handling different protocols and profiles

[Figure: a foreign IdP speaks PVP x.x (R-Profil or S-Profil) to the Identity Provider (StdPortal, Protocol-Bridge). On the Service Provider side, an AWP / R-Profil-SP uses the PVP R-Profil (PVP 1.8 - 2.x) and a SAML 2.0 SP uses the PVP S-Profil (PVP 2.x); StdPortal appears on both the Identity Provider and the Service Provider side.]

Portal software converts between the different protocols and profiles. Services need not be updated, e.g. for the introduction of version 2.0.
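The protocol bridge on this page and the S-Profile flow on page 27 meet at one point: a signed SAML response comes back from the IdP, and the legacy service behind the portal still expects R-Profile style headers. The following Python sketch is an added example written for this transcript, not the Standardportal's code. It takes a SAML 2.0 response, applies the checks that decide whether it may be trusted at all (XML signature already verified, issuer listed in the federation metadata, validity window, audience), and only then builds the header set for the service. The entity IDs, the attribute names (pvp-userid, pvp-participant-id, pvp-roles), the header names and the sample response are constructed; the real PVP attribute and header sets are defined in the PVP specification, which this page does not reproduce.

```python
"""Protocol bridge: SAML 2.0 Web SSO response -> R-Profile style headers
(added example, not the Standardportal's code; all names constructed)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://sp.example/metadata"          # this SP's entityID (constructed)
FEDERATION_IDPS = {"https://idp.org-a.example/idp"}   # from the central metadata (constructed)

# SAML attribute Name -> header the legacy service expects (illustrative names).
ATTRIBUTE_TO_HEADER = {
    "pvp-userid": "X-PVP-USERID",
    "pvp-participant-id": "X-PVP-PARTICIPANT-ID",
    "pvp-roles": "X-PVP-ROLES",
}


class BridgeError(Exception):
    """The response must not be turned into a trusted service request."""


def parse_saml_time(value):
    """SAML dateTime in UTC, e.g. 2014-03-17T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bridge_saml_response(xml_text, signature_verified, now):
    """Return the header dict to forward to the service, or raise BridgeError.

    signature_verified is the result of the XML-signature check done
    beforehand with an XML-DSig library (the standard library has none);
    without it nothing in the response proves federation membership. The
    returned dict is built from scratch and must replace, never merge with,
    any X-PVP-* headers the browser itself sent.
    """
    if not signature_verified:
        raise BridgeError("XML signature not verified")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise BridgeError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise BridgeError("response carries no assertion")

    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in FEDERATION_IDPS:
        raise BridgeError("issuer %r is not a federation IdP" % issuer)

    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise BridgeError("assertion has no validity window")
    not_before = cond.get("NotBefore")
    if not_before and now < parse_saml_time(not_before):
        raise BridgeError("assertion not yet valid")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise BridgeError("assertion expired")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        raise BridgeError("assertion is addressed to another SP")

    headers = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        header = ATTRIBUTE_TO_HEADER.get(attr.get("Name", "").lower())
        if header is None:
            continue                      # unmapped attributes are not forwarded
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        headers[header] = ";".join(values)
    for required in ("X-PVP-USERID", "X-PVP-PARTICIPANT-ID"):
        if not headers.get(required):
            raise BridgeError("required attribute for %s missing" % required)
    return headers


# Constructed sample response; the ds:Signature element is omitted (see signature_verified).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2014-03-17T10:00:00Z" Destination="https://sp.example/acs">
  <saml:Issuer>https://idp.org-a.example/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-03-17T10:00:00Z">
    <saml:Issuer>https://idp.org-a.example/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-03-17T09:59:00Z" NotOnOrAfter="2014-03-17T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="pvp-userid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="pvp-participant-id"><saml:AttributeValue>AT:ORG-A</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="pvp-roles">
        <saml:AttributeValue>inspire-editor</saml:AttributeValue>
        <saml:AttributeValue>inspire-reader</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@org-a.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(bridge_saml_response(SAMPLE_RESPONSE, True, parse_saml_time("2014-03-17T10:01:00Z")))
```

The bridge is what lets the service stay untouched: it sees the same header set it saw under the R-Profile, while the issuer, validity and audience checks that SAML requires happen once, in the portal, for every service behind it. Attributes without a mapping (the `mail` attribute in the sample) are deliberately not forwarded, so a service only ever receives the identity data the federation profile defines for it.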

Page 29: Authentication, Authorisation, Accounting

Usage of the Austrian Governmental Portal Federation in the INSPIRE Implementation

Several organisations use a common platform for INSPIRE services from LFRZ. The administrative user interfaces (e.g. to bring in new INSPIRE metadata) are accessible using the PVP federation technologies.

[Figure: Central INSPIRE services]

Page 30: Authentication, Authorisation, Accounting

Current use and ideas concerning INSPIRE

• Used in applications around the INSPIRE services: Service and Metadata Editor, Administration GUI, eCommerce GUIs

• Building up a central e-commerce platform for governmental services with costs (e.g. GIS data, but also other services)

• Using PVP as the technical protocol between this payment platform and the services

Page 31: Authentication, Authorisation, Accounting

Used Images

Source: Wikipedia; Licence: Creative Commons

Logos of the Austrian E-ID solution. Source: buergerkarte.at

The Austrian Social Security Card. Source: http://www.chipkarte.at

Logo of the Austrian Governmental B2G Portal. Source: https://www.usp.gv.at

Logo Central Residence Register; Austrian Ministry of the Interior

Page 32: Authentication, Authorisation, Accounting

Used Images

Maps from the Austrian Statistics Agency (Statistik Austria). Sources:
http://www.statistik.gv.at/web_de/klassifikationen/regionale_gliederungen/gemeinden/index.html
http://www.statistik.gv.at/web_de/klassifikationen/regionale_gliederungen/politische_bezirke/index.html

LFRZ images: LFRZ GmbH has the usage rights and allows using them in the context of this presentation.

Page 33: Authentication, Authorisation, Accounting

Authors

Peter Pichler – Authentication, Authorisation, Accounting; [email protected]; [email protected]

DI Wolfgang Tinkl – Geographical information systems; [email protected]