The Management Centre for Interoperability, Cooperation and Access Infrastructure Services (CG-SICA), part 2
Workshop on ICT Service Oriented Network Architectures, University of Rome La Sapienza, May 19th 2009
Stefano Fuligni, Advanced interoperability and application cooperation services Unit, Italian National Agency for Digital Administration (CNIPA)
Agenda
- The SPC model for federated eid management
- SICA services for Identity & Access Management: Certification Authority, Federated Identity Management, Index of Persons
eidm models
- User consented: eids are managed and controlled by authorities delegated by the user through a "contract"; no interaction (corporate intranet)
- User controlled: eids are managed and controlled by third parties under user control; possible interaction
- User centered: eids are managed by the user; high interaction and flexibility (Internet, Web 2.0)
Some basic concepts (from laws)
C.A.D. - Digital authentication: the validation of a data set assigned to a subject in a sole and unambiguous way that distinguishes his identity in information systems.
DPCM Technical Regulation SPC (art. 71 CAD):
- Authorisation: all activities that allow access to a service or resource to those persons who, having been identified or authenticated beforehand, possess the attributes or necessary role;
- identification authority: the structure that enables a person to be identified using the procedures laid down by Article 66 of the Code;
- authentication authority: the structure that enables a person, an electronic system, or a service to be authenticated online, as laid down by Article 1(b) of the Code;
- attribute and role authority: the structure that has the power to certify attributes and roles for the purposes of providing a service.
Access to a PA's network service (CAD art. 64)
- CIE and CNS are tools for digital authentication
- It is possible to use other tools that allow verifying the subject's identity (until 31/12/2009), i.e. userid+password, PIN, OTP, other X.509v3 certificates
- CIE and CNS must be accepted
Federated eid management: Tech. Regulations SPC art. 22 (1)
Within the framework of the SPC, authorisation to access its services shall be based on recognition of the digital identities of the natural persons and computer systems used to provide these services. Authorisation shall fall under the responsibility of the body providing the services and may employ mutual recognition mechanisms within the framework of federated digital identity management systems, in accordance with criteria and procedures laid down by the Committee.
The services available within the SPC may operate according to various digital identity management levels:
- services that do not require any identification or authentication;
- services that require online authentication by an authentication authority;
- services that, in the case of natural persons, require online identification by an identification authority;
- services that, for users, require an attestation of attributes and/or roles, which will be further qualified by duties and/or powers, together with identification.
Federated eid management: Tech. Regulations SPC art. 22 (2)
Authentication within the SPC framework shall be carried out under the responsibility of the body that provides a service on the basis of a set of data assigned exclusively and solely to one person. Such authentication may also be carried out by a subject delegated to perform this task, on the basis of a service agreement.
The attestation of attributes and roles within the SPC framework shall be carried out by the subject (attribute and role authority) that, on the basis of the legislation in force, has the power to attest them in order to ensure the appropriate security levels required to provide a service.
The attribute and role authorities shall be entered into an appropriate register, available online, subject to their signing a specific service agreement defined by the Committee, describing the security and reliability levels, as well as the standard protocols used in the attestation process.
Service Agreement and eidm policy specifications
[Figure: the layers of a service agreement, all expressed in XML. Interface: common for all users (*), between provider and user, specified for each service and published in SICA's registry. Service behaviour model (for multiple asynchronous interactions): between provider and user. Semantic reference: link to the Schemas/Ontologies Catalogue. Ports, service level agreement and security agreement: also specified for any specific user (*).]
(*) users and providers are administrations or authorized organizations
FIM scenario on SPC
[Figure: domain gateways with their applications/services linked by A2A service agreements across the SPC federated network; a Central Agency, a Regional Agency on its regional network and a Local Agency, with Federated Single Sign On among them.]
The Federated Identity Management (FIM) in SPC
- User-centric approach: the user chooses which profile to use to access a service
- Role-Based Access Control (RBAC): access to services can also be based on user roles
- Standards based, to guarantee interoperability among administrations and SICA services using commercial solutions and products
SICA's services for eid management: Tech. Regulations SPC art. 15
They also allow:
- to manage on a federated basis the digital identities referred to in Article 22 and the functional roles associated with such identities, in order to create a group of trusted domains among the identification, authentication and attribute and role authorities, for the exchange of mutually guaranteed authentication credentials, to be used in accessing and providing services within the framework of the SPC;
- to manage a meta-directory for the public administration, through the "Index of Persons Service" which, by integrating the P.A. Index (RPA), offers real-time telematic access to lists relating to the staff of the Administrations participating in the SPC, the publication and updating of which shall be the responsibility of the Administrations;
- to manage digital certificates, associated with bodies other than natural persons (hardware equipment, services and applications) within the framework of the SPC, through the Certification Service.
SPC's interoperability infrastructure services
[Figure: SICA nationwide interoperability infrastructure services (Infrastruttura per la cooperazione applicativa SICA). Components: SICA internal services for monitoring, management and security; General SICA Register service and P.A.s Directory; Catalogue of Schemas and Ontologies; Meta-Directory of Public Employees (Index of Persons service); Federated digital identity management (eid Federation Management System); Secondary level SICA Register service; Domain gateway qualification support services; Certification Authority and Validation Authority (Certification service); support for the qualification of application cooperation components; the Domain gateways (Porta di Dominio) of the administrations. A second copy of the figure highlights the eid and access management components.]
FIM: the players
Service Providers:
- provide the service based on identity and role claims from a Local Domain Authority
- are responsible for service provision and authorization/audit management
- use the following components:
  - Federation GW: single point of contact for every web access request to the available resources
  - Policy Enforcement Point (PEP): the logical entity that enforces policies for admission control and policy decisions in response to a request from a user wanting to access a service
Identity Providers: manage the information about the identity of the federation users
Attribute Authorities: certify the attributes that are part of the user profile
The SICA FIM
- Profile Authority: manages the user profiles
- Authority Registry Service: manages the federated list of Identity Providers or Profile Authorities
- Attribute Authority Registry Service: manages the federated list of Attribute Authorities
The identity profile
[Figure: the identity profile, with the Authority Registry service and the Attribute Authority Registry service.]
Interaction supported among eid Federation members
- Access a local service: no application cooperation
- Access a remote service via web browser: the user is redirected to his own domain for authentication (nomadic user); use of the Federation Gateway; no application cooperation
- Access a remote service via Web Service: the user is already authenticated by his local service, which interoperates with the remote service by application cooperation; use of Domain Gateways
[Figure: the three cases shown among Admin A, Admin B and Admin C.]
Federated SSO
[Figure: the Federation Gateway (FGW) receives the access request and queries the Authority Registry Service (ARS) and the Attribute Authority Registry Service (AARS) with Get Info calls.]
Interaction via Web Browser 1/2: user already authenticated by the IDP
[Figure: sequence diagram of the browser interaction.]
Interaction via Web Browser 2/2: user not yet authenticated by the IDP
[Figure: sequence diagram of the browser interaction.]
FIM: application cooperation via Web Services scenario
[Figure: Administration A (user, application, Domain Gateway), Administration B (Domain Gateway, AAA, application) and the SICA Center (Authority Registry Service ARS, Attribute Authority Registry Service AARS, Profile Authority, Attribute Authority), the registries answering Get Info calls.]
1. GET AA list (from the registry services)
2. Verify attributes (with the Attribute Authority)
3. Create assertion
4. Ask for cooperation (Domain Gateway of A to Domain Gateway of B)
5. Authorize (AAA)
6. Access application
Interaction via Web Services
[Figure: the Domain Gateway mediating between the front end service and the back end services.]
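To make the Web Services flow above concrete, here is an added Python model (not CNIPA's code or any SPCoop implementation) of steps 2, 3 and 5: an Attribute Authority attests roles, Administration A's side wraps them in a short-lived assertion, and Administration B's PEP accepts the request only when both issuers are in its federated registries (stand-ins for the ARS and AARS), the signatures verify, the subject matches, and the role is permitted by its RBAC policy. Authority names, secrets, roles and the use of HMAC in place of WSS XML signatures are constructed assumptions.

```python
import hmac
import hashlib
import json

# Constructed stand-ins for the SICA registries: federated authorities and the
# shared secret each one signs with (an HMAC stands in for WSS XML signatures).
ARS = {"idp.admin-a.example": b"idp-secret"}        # Authority Registry Service
AARS = {"aa.regione-x.example": b"aa-secret"}       # Attribute Authority Registry Service

# RBAC policy of the service at Administration B: role -> permitted operations.
POLICY = {"ufficiale_anagrafe": {"read_resident"}, "operatore": set()}

def sign(issuer, payload, key):
    """Serialise the payload canonically and attach the issuer's MAC."""
    body = json.dumps(payload, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "sig": mac}

def verify(token, registry):
    """Return the payload only if the issuer is in the federated registry
    and the signature checks out; otherwise None (untrusted or tampered)."""
    key = registry.get(token["issuer"])
    if key is None:
        return None
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    return json.loads(token["body"])

def attest_roles(aa, key, subject, roles):
    """Step 2: the Attribute Authority certifies the subject's roles."""
    return sign(aa, {"subject": subject, "roles": sorted(roles)}, key)

def create_assertion(idp, key, subject, attr_stmt, now, ttl=300):
    """Step 3: Administration A wraps identity plus attested roles in a
    short-lived assertion (timestamps are integer seconds)."""
    return sign(idp, {"subject": subject, "exp": now + ttl, "attributes": attr_stmt}, key)

def authorize(assertion, operation, now):
    """Step 5: the PEP at Administration B checks trust of both issuers,
    freshness, subject binding, and finally the RBAC policy."""
    claims = verify(assertion, ARS)
    if claims is None or claims["exp"] < now:
        return False
    attrs = verify(claims["attributes"], AARS)
    if attrs is None or attrs["subject"] != claims["subject"]:
        return False
    return any(operation in POLICY.get(r, set()) for r in attrs["roles"])
```

An attribute statement from an authority missing from the AARS, an expired assertion, or a role without the requested permission all end in a denial, which is the whole point of keeping the federated registries authoritative.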
Index of persons service
- Persons, alias public employees
- It is the evolution of Rubrica PA, the meta-directory of central public administrations
- Over 950.000 persons stored today
- These employees receive their pay-packet at the email address stored in this meta-directory
- Could act as Local Domain Authority instead of the public administration
- Synchronized
Logical structure of rpa
[Figure: logical structure of rpa.]
Home page rpa
[Screenshot: rpa home page.]
Index of Persons architecture overview
[Figure: the Index of Persons (Indice dei Soggetti); a web-browser accreditation component used by the SPCoop user (UtenteSPCoop); rpa; the AuthnManager and AttributeManager web services; WSS signature of the request and response body; a SAML Listener.]
Thank you
www.cnipa.gov.it
SPCoop technical documentation: http://www.cnipa.gov.it/site/it-IT/Attivit%C3%A0/Sistema_Pubblico_di_Connettivit%C3%A0_(SPC)/Servizi_infrastrutturali_di_interoperabilit%c3%a0,_cooperazione_ed_accesso_(sica)/Documenti_tecnico-operativi/
fuligni@cnipa.it