Creating a European Identity Management Architecture for eGovernment
www.guide-project.org
GUIDE
Keiron Salt
[email protected]@bt.com
What is GUIDE?
GUIDE (Government User Identity for Europe) is a European Union-funded research project conducting research and technological development with the aim of creating a technological, institutional, policy and socio-economic architecture for secure and interoperable e-government electronic identity services and transactions for Europe.
The road of GUIDE and the EU
2004: Lisbon Agenda
2006: Manchester ‘2010 Declaration’
Encourage Free Movement of Citizens, Capital and Services across the EU to encourage the Internal Market
Pan-European Identity Interoperability
GUIDE Architecture Summary
Objective: Creating an open architecture for Pan-European e-government electronic identity interoperability
To enable Member States to agree on the identity of an entity (for example a citizen or a business)
In order to enable eGovernment sectoral applications to conduct cross-border transactions with respect to that entity
The GUIDE architecture aligns with, leverages, and exploits both of:
• The IDABC European Interoperability Framework (EIF) architecture
• Emerging International Standards for Federated Identity Management
The Motivation ‘View’ - What are the Business Problems we’re trying to solve? - Getting the Scope right.
Is About
• Identity data interoperability
• Authentication
• Cross border services
• Standards adoption
• Standards specification
Is Not About
• Storing identity data within GUIDE
• Application data interoperability
• Authorisation
• Internal MS services
• Re-inventing
• Implementation
• Guide delivers identity interoperability across the Member States of the EU.
• Guide is not an end in itself, but a key enabler for Application interoperability to enable the Lisbon Initiatives which deliver the real benefits.
• Guide aims to enable uninhibited movement and seamless government engagement for citizens & businesses across the EU.
Guide positioning with other EU Initiatives
IDABC – Generic middleware, Network
Guide – Identity Interoperability
eID – Smart card standards, & Issue
Prime – Privacy Enhancement
PKI – Certificate Management
Applications: Schengen, EBR, eTEN, 20 eGOV Apps
Front-End: Enrolment, etc.
Back-End: Interoperability
IDABC Architecture alignment
Guide & EIF / IDABC Synergy
IDABC PEGS Architecture – CGEY
GUIDE Topology
MS1: Cross Domain
MS2: Provider Hub
MS3: Cross Domain
MS4: Provider Hub
MS5: Provider Hub
Actors: Application Service Provider, Sub-national Identity Provider Hub, National Identity Provider Hub, EU Identity Provider Hub, Identity Provider Hub
Federations: National Identity Federation, EU Identity Federation
Subsidiarity v Standardisation
Uniform FIM: Identity Provider, Service Consumer and Service Provider all sit under one UNIFORM FIM MODEL.
FIM Standard Models expect all actors to fall under the same model.
Guide FIM: Identity Provider (LIBERTY), Service Consumer (SHIBBOLETH) and Service Provider (WS-FEDERATION), each fronted by a Guide GW, together presenting a UNIFORM FIM MODEL.
GUIDE acknowledges that MS can utilise different FIM models.
Gateways must act as Proxies for the Real actors.
Pan EU Citizen Authentication Scenarios
Member State 1 and Member State 2, each with Applications, Identity Providers and Access Channels, connected through a GUIDE gateway on each side.
Actors: Citizen from Member State 1; Civil Servant (in each Member State).
1. Citizen present, and logging on to foreign system as a user (SSO)
2. Citizen present, but user is a foreign Civil Servant
3. Citizen not present, administrative trigger – e.g. receipt of E101 form
SAML & Liberty Alliance Profiles
GUIDE Software Agent - Logical Component Architecture
Member State Interface
GUIDE Request Handler
GUIDE SAML Interface: GUIDE SAML Profile Interface Transformation Services
GUIDE Liberty Interface: GUIDE Liberty Profile Interface Transformation Services
GUIDE Interaction Service
GUIDE Discovery Service
GUIDE Software Agent
Main GUIDE Core Services
Logical Process Flow: Identification, Authentication, Assertions, Attribute Provision
Identity Requests: Interaction, Discovery
Transformation Services; Infrastructure Services
Trust Services: Security, Assurance, Privacy
Redirection, Consent, Usage Directives
Update, Lookup
Service Profiles & Protocol Bindings
Guide Abstract Service Model
Guide Profile of Liberty Specs: Guide Mechanisms, Guide Realms, Guide Assurance Levels
Liberty ID-WSF V2.0: Authentication Mechanism, Authentication Realm, Authentication Context
SAML v2.0 (Shibboleth, WS-Federation)
SOAP
http
IDABC eLink Binding?
Guide Liberty Profile for Discovery
<soap:Body>
  <Query xmlns="urn:liberty:disco:2003-08">
    <ResourceID>http://example.gov/g048HqeR4tsB</ResourceID>
    <RequestedServiceType>
      <ServiceType>urn:liberty:id-sis-pp:2003-08</ServiceType>
      <Options>
        <Option>urn:liberty:id-sis-pp:home</Option>
        <Option>urn:liberty:id-sis-pp:informalName</Option>
        <Option>urn:GUIDE:Realm:SocialSecurity</Option>
        <Option>urn:GUIDE:Assurance:2</Option>
      </Options>
      <SecurityMechID> not used </SecurityMechID>
    </RequestedServiceType>
  </Query>
</soap:Body>
Naming standards
<Options> Profiling
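A receiving GUIDE gateway has to pull the GUIDE-specific options (realm and assurance level) out of the Liberty Discovery Query above and decide whether a given identity provider hub can serve it. The following parser is an added example, not GUIDE project code: the SOAP 1.1 envelope namespace, the `provider` capability dictionary and the rule "provider assurance level must be at least the requested level" are assumptions; the option naming (`urn:GUIDE:Realm:...`, `urn:GUIDE:Assurance:<n>`) follows the slide.

```python
"""Parse a GUIDE-profiled Liberty ID-WSF Discovery Query and check it against
a provider's declared capabilities.  Added example, not GUIDE project code."""
import xml.etree.ElementTree as ET

DISCO_NS = "urn:liberty:disco:2003-08"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope (assumed)

# GUIDE option naming standard as shown on the slide
GUIDE_REALM_PREFIX = "urn:GUIDE:Realm:"
GUIDE_ASSURANCE_PREFIX = "urn:GUIDE:Assurance:"

# Constructed sample query, modelled on the slide's Discovery Query.
SAMPLE_QUERY = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
<Query xmlns="{DISCO_NS}">
  <ResourceID>http://example.gov/g048HqeR4tsB</ResourceID>
  <RequestedServiceType>
    <ServiceType>urn:liberty:id-sis-pp:2003-08</ServiceType>
    <Options>
      <Option>urn:liberty:id-sis-pp:home</Option>
      <Option>urn:liberty:id-sis-pp:informalName</Option>
      <Option>urn:GUIDE:Realm:SocialSecurity</Option>
      <Option>urn:GUIDE:Assurance:2</Option>
    </Options>
    <SecurityMechID>not used</SecurityMechID>
  </RequestedServiceType>
</Query></soap:Body></soap:Envelope>"""


def parse_discovery_query(xml_text):
    """Return the requested service type, plain Liberty options, GUIDE realms
    and the GUIDE assurance level (None if not requested)."""
    root = ET.fromstring(xml_text)
    query = root.find(f".//{{{DISCO_NS}}}Query")
    if query is None:
        raise ValueError("no disco:Query in SOAP body")
    rst = query.find(f"{{{DISCO_NS}}}RequestedServiceType")
    if rst is None:
        raise ValueError("RequestedServiceType missing")
    options = [o.text.strip() for o in
               rst.iterfind(f"{{{DISCO_NS}}}Options/{{{DISCO_NS}}}Option") if o.text]
    realms, liberty_options, assurance = [], [], None
    for opt in options:
        if opt.startswith(GUIDE_REALM_PREFIX):
            realms.append(opt[len(GUIDE_REALM_PREFIX):])
        elif opt.startswith(GUIDE_ASSURANCE_PREFIX):
            level = opt[len(GUIDE_ASSURANCE_PREFIX):]
            if not level.isdigit():
                raise ValueError(f"malformed assurance option: {opt}")
            if assurance is not None:
                raise ValueError("more than one assurance option requested")
            assurance = int(level)
        else:
            liberty_options.append(opt)   # left for the Liberty profile layer
    return {
        "resource_id": query.findtext(f"{{{DISCO_NS}}}ResourceID"),
        "service_type": rst.findtext(f"{{{DISCO_NS}}}ServiceType"),
        "liberty_options": liberty_options,
        "realms": realms,
        "assurance": assurance,
    }


def provider_satisfies(query_info, provider):
    """provider is a dict {service_types, realms, assurance_level} (assumed shape).
    Returns (ok, reason)."""
    if query_info["service_type"] not in provider["service_types"]:
        return False, "service type not offered"
    missing = [r for r in query_info["realms"] if r not in provider["realms"]]
    if missing:
        return False, "realm not served: " + ", ".join(missing)
    wanted = query_info["assurance"]
    if wanted is not None and provider["assurance_level"] < wanted:
        return False, "assurance level too low"
    return True, "ok"


if __name__ == "__main__":
    info = parse_discovery_query(SAMPLE_QUERY)
    hub = {"service_types": {"urn:liberty:id-sis-pp:2003-08"},
           "realms": {"SocialSecurity"}, "assurance_level": 3}
    print(info, provider_satisfies(info, hub))
```

The GUIDE options are removed from the option list before it is handed on to the plain Liberty layer, so a provider that does not understand the GUIDE naming standard never sees them, and an unknown or duplicated assurance option is rejected rather than silently ignored.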
Guide SAML Profile for Identification
<!-- offline checking request -->
<AttributeQuery
  ID="AjCUk2lleGVzft1456kRp51oFvJ5k" Version="2.0" IssueInstant="2005-08-11T17:42:04Z" Destination="http://www.IP1.eu"
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:protocol http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd">
  <!-- name of the requesting entity -->
  <saml:Issuer>http://www.myPEGS.eu</saml:Issuer>
  <saml:Subject>
    <saml:NameID />
    <saml:SubjectConfirmation Method="urn:guide:multiple-attributes">
      <saml:SubjectConfirmationData>
        <xs:any>
          <saml:Attribute Name="First Name"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
          <saml:Attribute Name="Last Name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
          <saml:Attribute Name="Birth date"><saml:AttributeValue>14.07.1971</saml:AttributeValue></saml:Attribute>
        </xs:any>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <!-- following: list of attributes to be checked (name + value) -->
  <!-- omitted: methods for specifying desired attribute formats; this should be provided by D1.2.7 -->
  <saml:Attribute Name="Language"><saml:AttributeValue>Chinese</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Nationality"><saml:AttributeValue>GB</saml:AttributeValue></saml:Attribute>
  <!-- <ds:Signature>...</ds:Signature> digital signature -->
</AttributeQuery>
Naming standards
<Subject> Profiling
<Attribute> Profiling
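The identification profile above confirms the subject by a set of attributes (the `urn:guide:multiple-attributes` method) and then asks the identity provider to check, offline, whether further attribute values are correct. The script below is an added example, not GUIDE project code, showing both ends of that exchange: the requesting PEGS builds the AttributeQuery, and the responding register identifies the subject and answers only match/no-match per attribute. The register records, the answer shape and the decision to place the identifying attributes directly under `SubjectConfirmationData` (without the slide's `xs:any` wrapper) are assumptions; the attribute names, issuer and destination follow the slide. Signing is left as the commented-out `ds:Signature` on the slide and is not implemented here.

```python
"""GUIDE-style SAML 2.0 AttributeQuery for offline identification checking.
Added example, not GUIDE project code.  Register data below is constructed."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
GUIDE_METHOD = "urn:guide:multiple-attributes"     # subject confirmation method from the slide
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _add_attr(parent, name, value):
    a = ET.SubElement(parent, f"{{{SAML}}}Attribute", Name=name)
    ET.SubElement(a, f"{{{SAML}}}AttributeValue").text = value


def _read_attrs(parent):
    """Direct-child saml:Attribute elements of parent as {name: value}."""
    return {a.get("Name"): a.findtext(f"{{{SAML}}}AttributeValue")
            for a in parent.findall(f"{{{SAML}}}Attribute")}


def build_attribute_query(issuer, destination, identifying, to_check):
    """Requesting side: identifying attrs go into SubjectConfirmationData,
    attrs to be checked become top-level saml:Attribute elements."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + secrets.token_hex(16),             # random, unique per request
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID")        # empty: no shared identifier exists
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", Method=GUIDE_METHOD)
    data = ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData")
    for name, value in identifying.items():
        _add_attr(data, name, value)
    for name, value in to_check.items():
        _add_attr(q, name, value)
    return ET.tostring(q, encoding="unicode")


def parse_attribute_query(xml_text):
    """Responding side: returns (identifying_attrs, attrs_to_check)."""
    q = ET.fromstring(xml_text)
    if q.tag != f"{{{SAMLP}}}AttributeQuery" or q.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AttributeQuery")
    conf = q.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation")
    if conf is None or conf.get("Method") != GUIDE_METHOD:
        raise ValueError("unsupported subject confirmation method")
    data = conf.find(f"{{{SAML}}}SubjectConfirmationData")
    if data is None:
        raise ValueError("SubjectConfirmationData missing")
    return _read_attrs(data), _read_attrs(q)


# Constructed register records (sample data, not real people).
REGISTER = [
    {"First Name": "John", "Last Name": "Doe", "Birth date": "14.07.1971",
     "Language": "English", "Nationality": "GB"},
    {"First Name": "Jane", "Last Name": "Roe", "Birth date": "01.01.1980",
     "Language": "French", "Nationality": "FR"},
]


def offline_check(xml_text, register=REGISTER):
    """Identify the subject by all identifying attributes, then report
    True/False per checked attribute without disclosing stored values."""
    identifying, to_check = parse_attribute_query(xml_text)
    if not identifying:
        return {"identified": False, "results": {}}
    matches = [r for r in register
               if all(r.get(k) == v for k, v in identifying.items())]
    if len(matches) != 1:
        # Unknown or ambiguous subject: say nothing about the register contents.
        return {"identified": False, "results": {}}
    rec = matches[0]
    return {"identified": True,
            "results": {k: rec.get(k) == v for k, v in to_check.items()}}


if __name__ == "__main__":
    req = build_attribute_query(
        "http://www.myPEGS.eu", "http://www.IP1.eu",
        {"First Name": "John", "Last Name": "Doe", "Birth date": "14.07.1971"},
        {"Language": "Chinese", "Nationality": "GB"})
    print(req)
    print(offline_check(req))
```

Because the responder answers only yes/no per attribute and refuses to answer when the identifying set matches zero or several records, the requesting Member State learns nothing beyond confirmation of values it already holds, which is what "offline checking" as opposed to attribute provision is meant to guarantee.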
Guide & EIF / IDABC Synergy
IDABC PEGS Architecture – CGEY
Guide Trust Model
Trust Model: Security Model, Assurance Model
Governance: Policy, Accreditation, Liability
Technical Domain; Policy Domain
Privacy Model