26. Februar 2014 Authentication, Authorisation, Accounting Experience and Status – Austria - Overview.

Authentication, Authorization and Accounting – Austria
Governmental AA(A) Systems in Austria
Citizen to Government (C2G): Austrian Citizen Card (eID) / MOA – authentication / authorisation
Business to Government (B2G): Unternehmensserviceportal (portal for business company services) – authentication / authorisation
Government to Government (G2G): Austrian Portal Federation (Portalverbund) – authentication / authorisation / accounting
G2G experiences are the main focus of this presentation.
March 2014, DI Wolfgang Tinkl, Peter Pichler

Authentication, Authorisation, Accounting: Citizen to Government Use Cases

C2G / Austrian Citizen Card / MOA-ID* (STORK)
Established chip-card and mobile TAN (two-factor system using phones) authentication system.
User numbers increase permanently.
Integrated in the STORK project.
The Social Security Card (and others) can be used as the chip card.
* MOA is the name of the Austrian open source software for the national e-ID solution; MOA-ID is responsible for authentication. (MOA: Modules for Online Applications)

C2G Authorisation (MOA-VV) (German: “Vollmachten und Vertretungen”, roughly “service for electronic letters of attorney”)
In the C2G e-government system, authorisation in concrete terms is mainly the process by which one citizen allows someone else to act on his/her behalf.
The first technical approach was to store proxy authorisations directly on the card. Because of technical and practical problems (e.g. most citizens prefer the mobile phone solution over the chip card, which requires special hardware), we shifted to a server-based solution.

Current Status / Authorisation C2G
There is a service from the Austrian data protection authority to create electronic letters of attorney. Currently the service is not used very much, and only few services support the usage of electronic letters of attorney.
We are currently working on converting authentication information from the C2G authorisation into the format used for G2G use cases (PVP), to make it easier for services to support electronic letters of attorney.

Authentication, Authorisation, Accounting: Business to Government Use Cases

Unternehmensserviceportal / Authentication and Authorisation Infrastructure for Corporations
In 2010 a central e-government AA infrastructure for all companies was introduced (USP, UnternehmensServicePortal).
For authentication the Austrian Citizen Card is used, as well as a username/password system that the ministry of finance had already used before for the e-taxation system (FinanzOnline).
Some services (e.g. the register of lobbyists) are available only with the Austrian Citizen Card (chip card or mobile TAN).

Unternehmensserviceportal / Authentication and Authorisation Infrastructure for Corporations
Authorisation in this use case means that a company decides which member of staff may/should use which e-government service.
An important challenge is to set up the processes for authorisation management within the companies. Another main challenge was to create a register for all companies.

Authentication, Authorisation, Accounting: Government to Government Use Cases

Austria is a truly federal republic (map slides):
9 Austrian federal states with their own legislation
118 political districts
> 2000 communities with their own local authority

A lot of governmental and government-near agencies with different responsibilities:
Ministries, federal state governments, courts, …
Special topic agencies (statistics, environment protection, financial auditing, food safety, drug studies, calibration and measurement, water protection, IT services, …)
Governmental insurance agencies
Compulsory interest groups for business corporations, employees, farmers, advocates, and so on

Challenges for Governmental IT Services in Government to Government Use Cases (G2G)
(Diagram: Organisation A with Service A1 and Service A2, Organisation B with Service B1, Organisation C with Service C1.)
Different organisations use and/or provide services.
Implement AAA within the service?
Managing users and rights separately for each service is not manageable in a secure way!

Challenges for Governmental IT Services (G2G)
Authorisation management: it is not the person who has the right to use a G2G service, but the organisation he/she works for. The agency delegates these rights to staff who need the service because of the scope of their duties. If responsibilities within the organisation change, the authorisations also have to be adapted.
Credential management: password, certificate and chip-card management.
Account and identity management: account registration needs a solid identification, which is much easier if the user requiring the account is physically present (passport check).

Austrian Solution – Federation of Governmental Organisations
(Diagram: User / System-User → Identity Provider (IdP) with AAA data store, at the user's home organisation → PVP (protocol) → Service Provider (SP), holding IdPs and authorisation profiles for foreign organisations, at the organisation providing the service → Service Implementation.)
SPs can trust AAA info from federation members because of a multilateral contract between the participating organisations (TRUST, §, PVV).

Austrian Solution – Federation
Organisations that want to access services from other organisations use an Identity Provider (User Portal*). They can use their own infrastructure or shared infrastructure. Access rights for all governmental applications are managed by the home organisation of the user.
Organisations providing services have Service Providers (Application Portals*).
A multilateral contract between all participants allows Service Providers to trust the authentication, authorisation and accounting information passed to them from IdPs of the federation. (German: “Portalverbund Vereinbarung”, roughly “Portal Federation Agreement”)
* Before integrating SAML2, we used the term “User Portal” for Identity Provider (IdP) and “Application Portal” for Service Provider (SP).

(Timeline diagram: Central Residence Register; BM.I Gateway Protocol; PVP 1.5 (technical protocol); PVV 1.0 (multilateral agreement); Standard-Portal 1.0 (common software); PVP 2.0 (+ SAML2 WebSSO); Standard-Portal.)
Usage 2010: PVV (G2G): more than [figure not recoverable] registered users, > 400 services. PVP (technology): more than [figure not recoverable] registered users, > 600 non-federated services.

History, Timeline (–2005)
An important driver for creating an Austrian governmental AAA infrastructure was the launch of the computer-based Central Residence Register. The predecessor of the technical protocol was a protocol of the ministry of the interior (BM.I Gateway Protocol).
The first common specification of the technical protocol was written (PVP and 1.5), together with the multilateral contract (PVV 1.0, valid till now) allowing participants to trust each other and defining the rights and obligations of Identity Providers and Service Providers.
Many participants decided to build common software for the Austrian Portal Federation: the PVP Standardportal, developed by the ministry of the interior and the LFRZ (IT company under the control of the ministry of agriculture).

History, Timeline (until 2010)
Till 2010 the federation was established. All ministries, federal state administrations and local community administrations (> 2000) can access services of the federation. Many special topic organisations also have access to the federation and/or provide services.
Internal applications are also developed using the common AAA standards, and the federated portal technologies are also used for organisation-internal citizen portals.
Already in 2010 there were more than [figure not recoverable] registered G2G users and more than [figure not recoverable] non-G2G users. Millions of transactions are handled every day (e.g. ministry of the interior: 2 million transactions/day).

History, Timeline (2010–now)
From 2010 on, the responsible specification group developed version 2.0 of the PVP protocol, to create a PVP variant based on the Web Single Sign-On Profile of SAML 2 and the eGovernment Profile of the Kantara Initiative (PVP2 S(AML)-Profile).
From 2012 to 2014 the Standardportal was extended to support PVP 2.
Currently we work on bringing PVP2 to productive systems and on building up the central services required for a SAML federation (e.g. central SAML metadata services).

Technology – PVP R-Profile – Austrian Standard
(Diagram: User / System-User → Identity Provider (IdP) → Service Provider (SP) → Service Implementation; X.509 certificates at IdP and SP; HTTP / SOAP over HTTP between them.)
Identity Providers act as a non-transparent reverse proxy (every HTTP request is passed over IdP and SP; non-transparent means that portals have their own DNS names).

Technology – PVP R-Profile – Austrian Standard
IdPs and SPs act as non-transparent reverse proxies (every HTTPS request is passed over IdP and SP; non-transparent means that portals have their own DNS names).
SPs authenticate the foreign IdP and trust it, limited by trust profiles describing the maximal authorisations of a foreign organisation.
Authentication between IdP and SP is made mainly using certificates for the HTTPS traffic.
Authentication and authorisation information is transported using HTTP headers with each request.
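The trust model of the federation slide and the R-Profile slide above (IdP authenticated by its X.509 client certificate, AAA data carried in HTTP headers, a trust profile capping what a foreign organisation may assert) as an added example on the Service Provider side; this is not code from the presentation or from the Austrian PVP software. Header names, certificate subject DNs and role names are constructed for illustration and are not the PVP specification's.

```python
"""SP-side gate for the PVP R-Profile pattern: only a federation IdP that
presented a known client certificate may assert users and roles, and the
roles it asserts are capped by its trust profile (added example)."""
from dataclasses import dataclass, field

# Constructed trust profiles: maximal roles the SP accepts per federation IdP,
# keyed by the subject DN of the IdP's client certificate. The DN is assumed to
# come from a TLS layer that already validated the certificate chain.
TRUST_PROFILES = {
    "CN=idp.example-ministry.gv.at,O=Example Ministry": {"viewer", "editor", "admin"},
    "CN=idp.example-community.gv.at,O=Example Community": {"viewer"},
}

# Constructed header names standing in for the PVP attribute headers.
USER_HEADER = "X-AUTHENTICATE-UserId"
ROLES_HEADER = "X-AUTHORIZE-Roles"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    user: str = ""
    roles: frozenset = frozenset()
    dropped: frozenset = frozenset()   # roles asserted but outside the profile
    reason: str = ""

    def audit_line(self, idp_subject):
        """Accounting record the SP would log for every decision."""
        return (f"idp={idp_subject!r} user={self.user!r} allowed={self.allowed} "
                f"roles={sorted(self.roles)} dropped={sorted(self.dropped)} "
                f"reason={self.reason!r}")


def authorise(client_cert_subject, headers):
    """Decide whether a request proxied by an IdP may reach the service.

    client_cert_subject: subject DN of the TLS client certificate, or None when
    the peer presented none (e.g. a browser connecting to the SP directly).
    headers: HTTP headers as forwarded by the IdP (dict of str -> str).
    """
    # 1. Authentication of the IdP: headers from anyone but a federation
    #    member mean nothing, so reject before reading them. This also stops
    #    a direct client from injecting its own AAA headers.
    if client_cert_subject is None:
        return Decision(False, reason="no client certificate")
    profile = TRUST_PROFILES.get(client_cert_subject)
    if profile is None:
        return Decision(False, reason="IdP not in federation")

    # 2. Authentication of the user: the home organisation must identify them.
    user = headers.get(USER_HEADER, "").strip()
    if not user:
        return Decision(False, reason="missing user id")

    # 3. Authorisation: the trust profile caps what the foreign organisation
    #    may assert; surplus roles are dropped and recorded, never honoured.
    claimed = {r.strip() for r in headers.get(ROLES_HEADER, "").split(",") if r.strip()}
    effective = frozenset(claimed & profile)
    dropped = frozenset(claimed - profile)
    if not effective:
        return Decision(False, user=user, dropped=dropped, reason="no permitted role")
    return Decision(True, user=user, roles=effective, dropped=dropped, reason="ok")
```

Note that the surplus role is dropped rather than causing a hard reject, so a misconfigured IdP degrades to least privilege while the audit line still records what it tried to assert.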

Technology – S-Profile – PVP using the SAML2 Web SSO Profile
(Diagram: user authenticates at the IdP and uses the service at the SP.)
In the PVP2 S-Profile users access the service directly. When a service needs to authenticate a user, it passes control over the user's browser to the IdP (after asking the user which IdP should be used: IdP Discovery).
After authentication the IdP sends a SAML response to the SP and gives back control over the browser.
Messages are signed using XML signatures, to ensure they originate from a member of the federation.

Technology: Handling Different Protocols and Profiles
(Diagram: Identity Provider side: StdPortal; Foreign IdP speaking PVP x.x (R-Profile or S-Profile). Service Provider side: StdPortal as protocol bridge, with AWP / R-Profile SP for PVP R-Profile (PVP 1.x) and SAML 2.0 SP for PVP S-Profile (PVP 2.x).)
The portal software converts between the different protocols and profiles. Services need not be updated, e.g. for the introduction of version 2.0.

Usage of the Austrian Governmental Portal Federation in the INSPIRE Implementation
Several organisations use a common platform for INSPIRE services from LFRZ (central INSPIRE services). The administrative user interfaces (e.g. to bring in new INSPIRE metadata) are accessible using the PVP federation technologies.

Current Use and Ideas Concerning INSPIRE
Used in applications around the INSPIRE services: Service and Metadata Editor, Administration GUI, eCommerce GUIs.
Building up a central e-commerce platform for governmental services with costs (e.g. GIS data, but also other services), using PVP as the technical protocol between this payment platform and the services.

Used Images
Source: Wikipedia; licence: Creative Commons.
Logos of the Austrian e-ID solution; source: buergerkarte.at.
The Austrian Social Security Card; source: (not given).
Logo of the Austrian Governmental B2G Portal; source: (not given).
Logo of the Central Residence Register; Austrian Ministry of the Interior.

Used Images
Maps from the Austrian Statistics Agency (Statistik Austria); sources: _gliederungen/gemeinden/index.html, _gliederungen/politische_bezirke/index.html
LFRZ images: LFRZ GmbH holds the usage rights and allows using them in the context of this presentation.

Authors
Peter Pichler: authentication, authorisation, accounting
DI Wolfgang Tinkl: geographical information systems, INSPIRE