13 Austrian Gov AAA_v2

26 February 2014
Authentication, Authorisation, Accounting
Experience and Status – Austria – Overview
Governmental AA(A) Systems in Austria
• Citizen to Government (C2G): Austrian Citizen Card (eID) / MOA: Authentication / Authorisation
• Business to Government (B2G): Unternehmensserviceportal (portal for business/company services): Authentication / Authorisation
• Government to Government (G2G): Austrian Portal Federation (Portalverbund): Authentication / Authorisation / Accounting
G2G experiences are the main focus of this presentation.
DI Wolfgang Tinkl, Peter Pichler
17-18 March 2014
Citizen to Government Use Cases
C2G / Austrian Citizen Card / MOA-ID* (STORK)
• Established chip-card and mobile TAN (two-factor system using phones) authentication system
• User numbers are increasing steadily
• Integrated in the STORK project
• The Social Security Card (and others) can be used as the chip card
* MOA is the name of the Austrian open source software for the national e-ID solution. MOA-ID is responsible for authentication. (MOA: Modules for Online Applications)
C2G Authorisation (MOA-VV)
(German: “Vollmachten und Vertretungen”, roughly “service for electronic letters of attorney”)
In the C2G e-government system, authorisation in concrete terms is mainly the process by which one citizen allows someone else to act on his/her behalf.
The first technical approach was to store proxy authorisations directly on the card. Because of technical and practical problems (e.g. most citizens prefer the mobile phone solution over the chip card, which requires special hardware) we shifted to a server-based solution.
Current Status / Authorisation C2G
• There is a service from the Austrian data protection authority to create electronic letters of attorney.
• Currently the service is not used very much and only a few services support the use of electronic letters of attorney.
• We are currently working on converting authentication information from the C2G authorisation into the format used for G2G use cases (PVP), to make it easier for services to support electronic letters of attorney.
Business to Government Use Cases
Unternehmensserviceportal / Authentication and Authorisation Infrastructure for Corporations
In 2010 a central e-government AA infrastructure for all companies was introduced (USP – Unternehmensserviceportal).
For authentication the Austrian Citizen Card is used, as well as a username/password system previously used by the Ministry of Finance for the e-taxation system (FinanzOnline).
Some services (e.g. the register of lobbyists) are available only with the Austrian Citizen Card (chip card or mobile TAN).
Unternehmensserviceportal / Authentication and Authorisation Infrastructure for Corporations
Authorisation in this use case means that a company decides which member of staff may/should use which e-government service.
An important challenge is to set up the processes for authorisation management within the companies.
Another main challenge was to create a register of all companies.
Government to Government Use Cases
Austria is a truly federal republic
• 9 Austrian federal states with their own legislation
• 118 political districts
• > 2000 communities with their own local authority
A lot of governmental and government-near agencies with different responsibilities
• Ministries, federal state governments, courts, ...
• Special topic agencies (statistics, environmental protection, financial auditing, food safety, drug studies, calibration and measurement, water protection, IT services, ...)
• Governmental insurance agencies
• Compulsory interest groups for business corporations, employees, farmers, advocates, ...
• and so on
Challenges for Governmental IT Services in Government to Government Use Cases (G2G)
[Diagram: Organisations A, B and C and Services A1, A2, B1 and C1; different organisations use and/or provide services. Question raised: implement AAA within the service?]
Challenges for Governmental IT Services (G2G)
• Authorisation Management
It is not the person who has the right to use a G2G service, but the organisation he/she works for. The agency delegates these rights to the staff who need the service because of the scope of their duties. If responsibilities within the organisation change, the authorisations have to be adapted as well.
• Credential management
Password, certificate and chip-card management
• Account and Identity Management
Account registration needs solid identification, which is much easier if the user requiring the account is physically present (passport check).
Austrian Solution – Federation of Governmental Organisations
[Diagram: User / System-User; Identity Provider (IdP) with AAA data store at the user home organisation; PVP (protocol); Service Provider (SP) implementation in front of the Service at the organisation providing it; authorisation profiles for foreign organisations' IdPs; PVV (§) establishing TRUST between the parties.]
SPs can trust AAA information from federation members because of a multilateral contract between the participating organisations.
Austrian Solution – Federation
• Organisations that want to access services from other organisations use an Identity Provider (User Portal*). They can use their own infrastructure or a shared infrastructure.
• Access rights for all governmental applications are managed by the home organisation of the user.
• Organisations providing services have Service Providers (Application Portals*).
• A multilateral contract between all participants allows Service Providers to trust the authentication, authorisation and accounting information passed to them from IdPs of the federation (German: “Portalverbund Vereinbarung”, roughly “Portal Federation Agreement”).
* Before integrating SAML2, we used the term “User Portal” for Identity Provider (IdP) and “Application Portal” for Service Provider (SP).
[Timeline diagram, 2001–2015: BM.I Gateway Protocol and Central Residence Register; PVV 1.0 (multilateral agreement) and PVP 1.5 (technical protocol); Standard-Portal 1.0 (common software); Standard-Portal 2.0 and PVP 2.0 (+ SAML2 WebSSO). Usage 2010: PVV (G2G): > 130 000 registered users, > 400 services; PVP (technology): > 600 000 registered users, > 600 non-federated services.]
History, Timeline (-2005)
• An important driver for creating an Austrian governmental AAA infrastructure was the launch of the computer-based Central Residence Register.
• The predecessor of the technical protocol was a protocol of the Ministry of the Interior (BM.I Gateway Protocol).
• In 2002 the first common specification of the technical protocol was written (PVP 1.4.1 and 1.5), together with the multilateral contract (PVV 1.0, valid until now) allowing participants to trust each other and defining the rights and obligations of Identity Providers and Service Providers.
• In 2004 many participants decided to create common software for the Austrian Portal Federation: the PVP Standardportal, developed by the Ministry of the Interior and the LFRZ (an IT company under the control of the Ministry for Agriculture).
History, Timeline (2005-2010)
• By 2010 the federation was established. All ministries, federal state administrations and local community administrations (> 2000) can access services of the federation. Many special topic organisations also have access to the federation and/or provide services. Internal applications are also developed using the common AAA standards, and the federated portal technologies are used for organisation-internal citizen portals as well.
• Already in 2010 there were more than 130,000 registered G2G users and more than 600,000 non-G2G users. Millions of transactions are handled every day (e.g. Ministry of the Interior: 2 million transactions/day).
History, Timeline (2010-now)
• From 2010 on, the responsible specification group developed Version 2.0 of the PVP protocol, to create a PVP variant based on the Web Single Sign-On Profile of SAML 2 and the eGovernment Profile of the Kantara Initiative (PVP2 S(AML)-Profile).
• From 2012 to 2014 the Standardportal was extended to support PVP 2.
• Currently we are working on bringing PVP2 to production systems and on building up the central services required for a SAML federation (e.g. central SAML metadata services).
Technology – PVP R-Profile – Austrian Standard
[Diagram: User or System-User → Identity Provider (IdP) → Service Provider (SP) implementation → Service; HTTP / SOAP over HTTP, with X509 certificates on the IdP and SP hops.]
Identity Providers act as a non-transparent reverse proxy (every HTTP request is passed through IdP and SP; non-transparent means that the portals have their own DNS names).
Technology – PVP R-Profile – Austrian Standard
• IdPs and SPs act as non-transparent reverse proxies (every HTTPS request is passed through IdP and SP; non-transparent means that the portals have their own DNS names).
• SPs authenticate the foreign IdP and trust it, limited by trust profiles describing the maximal authorisations of a foreign organisation.
• Authentication between IdP and SP is done mainly using certificates for the HTTPS traffic.
• Authentication and authorisation information is transported in HTTP headers with each request.
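The SP-side admission check this profile implies, as an added example that is not part of the original presentation or the PVP software: the relaying IdP is identified by its HTTPS client certificate, a trust profile caps the authorisations a foreign organisation may assert, and the per-request headers carry the AAA information. The header names (X-PVP-USERID, X-PVP-PARTICIPANT-ID, X-PVP-ROLES) and the trust-profile contents are assumptions.

```python
# Added example, not PVP project code: SP-side admission of a PVP
# R-Profile request relayed by a federation IdP over mutually
# authenticated HTTPS. Header names and trust-profile contents are
# assumptions made for illustration.
from dataclasses import dataclass, field

# Trust profiles keyed by the IdP's client-certificate subject: which
# participant (organisation) it may assert and the maximal roles it may
# delegate. Constructed sample registry.
TRUST_PROFILES = {
    "CN=idp.example-state.gv.at,O=Federal State X": {
        "participant": "AT:L6:901",
        "max_roles": {"inspire-editor", "inspire-reader"},
    },
}


@dataclass
class Principal:
    user_id: str
    participant: str
    roles: set = field(default_factory=set)


def admit(peer_subject, headers):
    """Authenticate the relaying IdP and cap the asserted authorisation.

    Returns a Principal, or None if the request must be rejected."""
    profile = TRUST_PROFILES.get(peer_subject)
    if profile is None:  # unknown client certificate: not a federation member
        return None
    h = {k.lower(): v for k, v in headers.items()}
    user = h.get("x-pvp-userid")
    participant = h.get("x-pvp-participant-id")
    if not user or participant != profile["participant"]:
        return None  # an IdP may only speak for its own organisation
    asserted = {r.strip() for r in h.get("x-pvp-roles", "").split(",") if r.strip()}
    # The trust profile limits what a foreign IdP may authorise here.
    return Principal(user, participant, asserted & profile["max_roles"])


def accounting_record(principal, resource):
    """Accounting line the SP keeps per request (home org, user, effective roles)."""
    return f"{principal.participant} {principal.user_id} {resource} {sorted(principal.roles)}"
```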
Technology – S-Profile – PVP using the SAML2 Web SSO Profile
[Diagram: the user's browser authenticates at the IdP and uses the service at the SP.]
In the PVP2 S-Profile users access the service directly. When a service needs to authenticate a user, it hands control over the user's browser to the IdP (after asking the user which IdP should be used: IdP Discovery). After authentication the IdP sends a SAML response to the SP and gives back control over the browser. Messages are signed using XML signatures to ensure they originate from a member of the federation.
Technology: Handling different protocols and profiles
[Diagram: Protocol-Bridge between a Foreign IdP speaking the PVP R-Profile (PVP 1.8 - 2.x) or the PVP S-Profile (PVP 2.x) and the service side: AWP / R-Profile SP or SAML 2.0 SP.]
The portal software converts between the different protocols and profiles. Services need not be updated, e.g. for the introduction of Version 2.0.
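A protocol bridge of the kind described here, as an added example that is not code from the presentation or the Standardportal: it takes the signed SAML 2.0 Response of the S-Profile (see the previous slide), checks status and subject, and emits R-Profile HTTP headers for an unchanged R-Profile SP. The SAML attribute names, the header names and the sample response are constructed; XML-signature verification is passed in as a caller-supplied function, since the page only states that messages are signed.

```python
# Added example, not PVP project code: a protocol bridge that turns a
# PVP2 S-Profile SAML 2.0 Response into the R-Profile HTTP headers an
# unchanged R-Profile SP expects. Names are assumptions for illustration.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# SAML attribute name -> R-Profile header (assumed mapping)
ATTR_TO_HEADER = {"urn:pvp:participant-id": "X-PVP-PARTICIPANT-ID",
                  "urn:pvp:roles": "X-PVP-ROLES"}

# Constructed sample response (signature element omitted, see lead-in)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example-state.gv.at</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:pvp:participant-id">
        <saml:AttributeValue>AT:L6:901</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:pvp:roles">
        <saml:AttributeValue>inspire-editor</saml:AttributeValue>
        <saml:AttributeValue>inspire-reader</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def bridge(xml_text, verify_signature):
    """Return R-Profile headers for the SP, or None if the response is unusable."""
    root = ET.fromstring(xml_text)
    if not verify_signature(root):  # must originate from a federation member
        return None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return None
    headers = {"X-PVP-USERID": name_id}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        header = ATTR_TO_HEADER.get(attr.get("Name"))
        if header:  # unmapped attributes are dropped, never forwarded blindly
            headers[header] = ",".join(v.text for v in attr.findall("saml:AttributeValue", NS))
    return headers
```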
Usage of the Austrian Governmental Portal Federation in the INSPIRE Implementation
Several organisations use a common platform for INSPIRE services from LFRZ.
The administrative user interfaces (e.g. to enter new INSPIRE metadata) are accessible using the PVP federation technologies.
[Diagram: central INSPIRE services]
Current use and ideas concerning INSPIRE
• Used in applications around the INSPIRE services
– Service and Metadata Editor
– Administration GUI
– eCommerce GUIs
• Building up a central e-commerce platform for governmental services with costs (e.g. GIS data, but also other services)
• Using PVP as the technical protocol between this payment platform and the services
Used Images
Source: Wikipedia; Licence: Creative Commons
Logos of the Austrian e-ID solution; Source: buergerkarte.at
Logo of the Central Residence Register; Austrian Ministry of the Interior
The Austrian Social Security Card; Source: http://www.chipkarte.at
Logo of the Austrian Governmental B2G Portal; Source: https://www.usp.gv.at
Used Images
Maps from the Austrian Statistics Agency (Statistik Austria); Sources:
http://www.statistik.gv.at/web_de/klassifikationen/regionale_gliederungen/gemeinden/index.html
http://www.statistik.gv.at/web_de/klassifikationen/regionale_gliederungen/politische_bezirke/index.html
LFRZ Images
LFRZ GmbH holds the usage rights and allows their use in the context of this presentation.
Authors
Peter Pichler: Authentication, Authorisation, Accounting; pvp@peterpichler.at; peter.pichler@lfrz.at
DI Wolfgang Tinkl: Geographical information systems, INSPIRE; wolfgang.tinkl@lfrz.at