C2G and B2G Authentication and Authorization in Finland. Special Discussion Topic, Kantara Initiative eGov Working Group. Prepared by: Keith Uber, Ubisecure Solutions Oy, 31.1.2011
Agenda • Citizen Authentication • Citizen Attributes • Commercial Identity Providers • Company Authentication • Company Authorization • Higher Education sector • Authentication of Civil Servants • Questions / Discussion
Finland • 5.3 million residents • Parliamentary republic with central government • 336 local municipalities • EU member since January 1995
Finnish Personal Identification Number • National ID number (henkilötunnus, HETU) • Widely, and incorrectly, used as if it were proof of identity: it is an identifier, not a secret • Format DDMMYY-NNNC: date of birth, a century sign (+, - or A), a three-digit individual number and a check character • Exposes both date of birth and gender (the individual number is odd for men, even for women)
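The slide's point, that the number identifies but does not authenticate, is easiest to see in code. The following is an added example, not part of the original slides: it reads the date of birth and sex out of a HETU, verifies the check character, and then forges a well-formed number for an arbitrary date, which is exactly why a service that accepts "tell me your HETU" as authentication is accepting nothing. The sample number is constructed, not a real person; handling only the three classic century signs is an assumption noted in the code.

```python
"""Parse and verify a Finnish personal identity number (henkilötunnus, HETU).
Added example, not from the slides: shows that date of birth, sex and the
check character are all derivable from the number, so it identifies but
does not authenticate anyone."""
import datetime
import re

# Check-character alphabet: 0-9 then letters with G, I, O, Q and Z left out;
# the index is the nine digits DDMMYYNNN taken modulo 31.
CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"
# Century signs. Assumption: only the three classic signs are handled, not the
# extra separators introduced in 2023.
CENTURY = {"+": 1800, "-": 1900, "A": 2000}
_HETU_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})([+\-A])(\d{3})([0-9A-Y])$")


def check_char(ddmmyy: str, individual: str) -> str:
    return CHECK_CHARS[int(ddmmyy + individual) % 31]


def parse_hetu(hetu: str) -> dict:
    """Return birth date, sex and check result; ValueError if not HETU-shaped."""
    m = _HETU_RE.match(hetu.strip().upper())
    if not m:
        raise ValueError("not a HETU-shaped string")
    dd, mm, yy, sign, individual, given = m.groups()
    try:
        birth = datetime.date(CENTURY[sign] + int(yy), int(mm), int(dd))
    except ValueError:
        raise ValueError("impossible date of birth") from None
    n = int(individual)  # odd = male, even = female; 900-999 are temporary numbers
    return {
        "birth_date": birth.isoformat(),
        "sex": "male" if n % 2 else "female",
        "temporary": n >= 900,
        "check_ok": given == check_char(dd + mm + yy, individual),
    }


def is_valid_hetu(hetu: str) -> bool:
    try:
        return parse_hetu(hetu)["check_ok"]
    except ValueError:
        return False


def forge_hetu(birth_iso: str, individual: int) -> str:
    """Produce a well-formed HETU for any date of birth: a correct check
    character proves nothing about who is typing it into a form."""
    birth = datetime.date.fromisoformat(birth_iso)
    sign = next((s for s, base in CENTURY.items() if base <= birth.year < base + 100), None)
    if sign is None:
        raise ValueError("year outside the supported centuries")
    ddmmyy, ind = birth.strftime("%d%m%y"), f"{individual:03d}"
    return f"{ddmmyy}{sign}{ind}{check_char(ddmmyy, ind)}"


if __name__ == "__main__":
    # Constructed sample number, not a real person.
    print(parse_hetu("131052-308T"))      # female, 1952-10-13, check_ok True
    print(is_valid_hetu("131052-308X"))   # False: wrong check character
    print(forge_hetu("1990-05-31", 123))  # 310590-1237, and it validates
```

The check character only catches typing errors. Anything that decides on access based on a HETU alone is doing lookup, not authentication; the strong methods on the following slides (bank TUPAS, eID card, mobile certificate) exist precisely because of this.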
eID in Finland • eID card contains: name, optionally an email address, and the SATU (electronic identification number) • Not mandatory • Price 51 € • The SATU number can be converted to a personal identity number through a web services query to the population register
eID Statistics • End of November 2010 • 341,800 certificates issued to date • 272,200 currently valid
Population Registry • Provides a Web Service interface to population registry data for authorized parties (VTJKysely) • Interface provides citizen, building and real estate information • Over 80 different types of attributes available • Web service interface authentication at connection level using TLS client certificates
Banks as Commercial IdPs for eGov • TUPAS is a joint bank specification for electronic authentication by the Federation of Finnish Financial Services • Proprietary protocol • User must be strongly authenticated, typically with a PIN/TAN list • Banks provide limited financial liability • User approves and certifies the personal data released
Banks as Commercial IdPs • 10+ banks • Commercial service • Contracts between the SP and each bank required, typically including establishment fees, monthly fees and transaction fees • Similar process to Verified by Visa etc.
Telcos as Commercial IdPs for eGov • Commercial Wireless PKI (MPKI, WPKI) service launched 30.11.2010 • Named ”Mobiilivarmenne” (Mobile Certificate) • http://www.mobiilivarmenne.fi/en/en_2.html • Supported by 3 out of 4 national telcos • Competing with the TUPAS service • Roaming function: one contract with one telco is enough • ETSI MSS (Mobile Signature Service)
Telcos as Commercial IdPs • Long history: previous studies and commercial trials commencing around 2003 to use the national ID in the mobile had failed • New business model, purely commercial • Requires a government-issued CA licence with stringent auditing • Application embedded in the SIM (SIM application toolkit application)
Telcos as Commercial IdPs • Works while roaming (SMS-based transport) • Pricing for end users: Elisa 0.09 per transaction (free until Nov 2011); other telco pricing unknown • Pricing for SP services: unpublished • Expected adoption for C2G services in 2011
Tunnistus.fi Identity Provider • Tunnistus means Identification • Joint project of the Tax Administration, the Ministry of Employment and the Economy and the Social Insurance office • IdP proxy service for banks and eID cards • Joint venture consortium contract signed March 2003 • RFQ March 2003, implementation 5 months • Operational January 2004
Tunnistus.fi • Web single sign-on based on both proprietary and SAML2 protocols • Liberty interoperability tested • Single logout
Tunnistus.fi Statistics • Chart credit: Verohallinta, Finnish tax administration
Vetuma • Authentication and payment gateway for eGov services for citizens • Operational July 2006 • Largely used for regional government (local council) services • Based on both proprietary and SAML2 protocols • State Treasury service
VETUMA Statistics • Services using authentication • 47 local government services • 25 central government services • http://www.suomi.fi/suomifi/tyohuone/yhteiset_palvelut/verkkotunnistaminen_ja_-maksaminen_vetuma/yleiset_materiaalit/vetuma_palvelun_tilanne_joulukuussa_2010/VETUMA_tilastot_3_2010.pdf
Tunnistus.fi and VETUMA federation • Two similar systems cover different target groups under different government budgets with different service mandates • A new government portal service started in 2011 is driving increased authentication volume • Tunnistus.fi and VETUMA will be federated together in Q1 2011 using IdP discovery based on the CDC (SAML2 Common Domain Cookie) approach • Stakeholders developed the eGov Deployment Profile for Finnish public sector SAML2 WebSSO deployment. The profile is based on the Kantara eGov implementation profile 2.0 and the SAML2int.org ver 0.2 deployment profile [1].
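The CDC approach named on this slide is the SAML 2.0 Identity Provider Discovery Profile: every IdP in the federation writes, into a cookie on a shared "common domain", the base64-encoded entityIDs of the IdPs the browser has authenticated with, most recent last, and an SP reads that cookie to skip the "where are you from" page. The example below is added here and is not Tunnistus.fi or VETUMA code; the entityIDs and the common domain are placeholders, and capping the list at ten entries and the six-month lifetime are my assumptions. The security-relevant part is that the SP treats the cookie as a hint and only honours entityIDs it already trusts from federation metadata, since anyone on the common domain can write the cookie.

```python
"""SAML 2.0 IdP Discovery via the Common Domain Cookie (CDC).
Added example, not Tunnistus.fi or VETUMA code. It implements the cookie
rules from the SAML 2.0 Profiles IdP Discovery Profile: cookie `_saml_idp`,
a space-separated list of base64-encoded IdP entityIDs, most recent last.
EntityIDs and the common domain below are placeholders."""
import base64
import binascii
from http.cookies import SimpleCookie
from typing import List, Optional
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"
MAX_ENTRIES = 10  # assumption: keep the history short so the cookie stays small
# Assumption: in a deployment this comes from federation metadata. Never act on
# an entityID just because the browser presented it in a cookie.
TRUSTED_IDPS = {
    "https://idp.example.invalid/tunnistus",
    "https://idp.example.invalid/vetuma",
}


def encode_entity_id(entity_id: str) -> str:
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def _decode(token: str) -> Optional[str]:
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def read_cdc(cookie_value: str) -> List[str]:
    """EntityIDs in the cookie, oldest first; drops tokens that are not valid
    base64 or that name an IdP we do not trust."""
    ids = []
    for token in unquote(cookie_value).split():
        eid = _decode(token)
        if eid in TRUSTED_IDPS:
            ids.append(eid)
    return ids


def preferred_idp(cookie_value: Optional[str]) -> Optional[str]:
    """SP side: the most recently used IdP, or None to fall back to an IdP chooser."""
    if not cookie_value:
        return None
    ids = read_cdc(cookie_value)
    return ids[-1] if ids else None


def update_cdc(cookie_value: Optional[str], idp_entity_id: str) -> str:
    """IdP side: after authenticating the user, move itself to the end of the list
    so it becomes the most recent. The value is percent-encoded so that '+', '/',
    '=' and the separating spaces survive the Cookie header unquoted."""
    ids = [e for e in read_cdc(cookie_value or "") if e != idp_entity_id]
    ids.append(idp_entity_id)
    return quote(" ".join(encode_entity_id(e) for e in ids[-MAX_ENTRIES:]), safe="")


def set_cookie_header(cookie_value: str, common_domain: str) -> str:
    """Set-Cookie line scoped to the common domain with Path=/ so every IdP and SP
    host in that domain can read it; Secure so it only travels over TLS."""
    c = SimpleCookie()
    c[COOKIE_NAME] = cookie_value
    m = c[COOKIE_NAME]
    m["domain"], m["path"], m["secure"] = common_domain, "/", True
    m["max-age"] = 60 * 60 * 24 * 180  # assumption: six-month persistence
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    v = update_cdc(None, "https://idp.example.invalid/tunnistus")
    v = update_cdc(v, "https://idp.example.invalid/vetuma")
    print(read_cdc(v), preferred_idp(v))
    print(set_cookie_header(v, ".egov.example.invalid"))
```

In the federated deployment each of the two IdPs would call `update_cdc` through its common-domain endpoint after a successful login, and each SP would call `preferred_idp` before issuing its AuthnRequest; a missing or untrusted cookie simply sends the user to the explicit IdP selection page.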
KATSO B2G AuthN & AuthZ • Self-service authentication and authorization service for government e-services • User self-registration • Role delegation (to other sub-users) • Power of attorney (user to user, user to organization, organization to organization) • Self-service credential management
KATSO Roles • Different role groups: internal system roles, general roles, service-specific roles • Total roles: 51 (see role descriptions) • Roles provided by the KARVA SAML2 Attribute Authority • SP queries role information after authentication using a SAML2 AttributeQuery
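The AttributeQuery step on this slide is a back-channel SAML 2.0 exchange: after the user has authenticated, the SP sends a samlp:AttributeQuery naming the subject and the attributes it wants, and the attribute authority answers with a samlp:Response carrying an assertion. The example below is added here and is not KATSO or KARVA code; the entityIDs, the attribute name and the role values are placeholders, and the sample response is constructed. It shows the query the SP builds and, more importantly, the checks the SP must make before acting on the roles: InResponseTo ties the reply to this query, the assertion must come from the expected authority and be about the same subject, and it must be inside its validity window. XML signature verification is assumed to be done by the SAML stack before this code runs; without it none of these checks is a security control.

```python
"""SAML 2.0 AttributeQuery from an SP to an attribute authority, and the
checks an SP applies to the Response before trusting the roles in it.
Added example, not KATSO/KARVA code: entityIDs, attribute name and role
values are placeholders."""
import datetime
import uuid
import xml.etree.ElementTree as ET  # assumption: use defusedxml for untrusted input in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ATTRNAME_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
AA_ENTITY_ID = "https://karva.example.invalid/aa"  # placeholder
SP_ENTITY_ID = "https://sp.example.invalid"        # placeholder
ROLE_ATTR = "urn:example:katso:role"               # placeholder, not the real attribute name
UTC = datetime.timezone.utc
DEMO_NOW = datetime.datetime(2011, 1, 31, 12, 0, tzinfo=UTC)
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _parse_ts(s):
    return datetime.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def build_attribute_query(sp_entity_id, name_id, attribute_names, now=DEMO_NOW):
    """Return (request_id, xml). Schema order: Issuer, Subject, Attribute*."""
    request_id = "_" + uuid.uuid4().hex  # xsd:ID must not start with a digit
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {"ID": request_id, "Version": "2.0",
                   "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = sp_entity_id
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", {"Format": NAMEID_PERSISTENT}).text = name_id
    for name in attribute_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute", {"Name": name, "NameFormat": ATTRNAME_URI})
    return request_id, ET.tostring(q, encoding="unicode")


def parse_attribute_response(xml_text, request_id, expected_issuer, name_id, now):
    """Validate the Response and return {attribute name: [values]}; ValueError on rejection.
    Assumes the SAML stack already verified the XML signature: without that,
    none of these checks is a security control."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != request_id:  # bind the reply to our own query
        raise ValueError("InResponseTo does not match our request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("attribute authority returned failure")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no assertion")
    if a.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        raise ValueError("assertion issuer is not the expected attribute authority")
    if a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) != name_id:
        raise ValueError("assertion is about a different subject")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _parse_ts(nb)) or (noa and now >= _parse_ts(noa)):
            raise ValueError("assertion outside validity window")
    return {attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}


def rejection_reason(xml_text, request_id, expected_issuer, name_id, now):
    """None when the response is accepted, otherwise the reason it was rejected."""
    try:
        parse_attribute_response(xml_text, request_id, expected_issuer, name_id, now)
        return None
    except ValueError as e:
        return str(e)


def sample_response(request_id, name_id):
    """Constructed attribute authority reply for the demo (not a real KARVA message)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="2011-01-31T12:00:00Z" InResponseTo="{request_id}">
  <saml:Issuer>{AA_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-01-31T12:00:00Z">
    <saml:Issuer>{AA_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{NAMEID_PERSISTENT}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-01-31T11:55:00Z" NotOnOrAfter="2011-01-31T12:05:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="{ROLE_ATTR}" NameFormat="{ATTRNAME_URI}">
      <saml:AttributeValue>tax-return-filer</saml:AttributeValue>
      <saml:AttributeValue>company-representative</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Round trip: query the role attribute for the authenticated user, then vet the reply."""
    rid, _query_xml = build_attribute_query(SP_ENTITY_ID, "user-123", [ROLE_ATTR])
    return parse_attribute_response(sample_response(rid, "user-123"), rid,
                                    AA_ENTITY_ID, "user-123", DEMO_NOW)
```

The query is sent over the SOAP binding on a mutually authenticated TLS channel to the attribute authority's endpoint from metadata; the role values returned are what the SP's authorization decision is then based on, so the subject match and the issuer check are what stop a valid assertion about one company's representative being replayed for another.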
KATSO Web Services • KATSO operates a Liberty Alliance ID-WSF 2.0 WSIDP, also enabling integration of non-browser clients
KATSO History • Introduced 2006 • 2009: over 30 services • Top 3: Unemployment registration (Tax), Tax card ordering (Tax), Registering as a jobseeker (Social insurance)
KATSO Statistics • Chart credit: Verohallinta, Finnish tax administration
KATSO • Two types of authentication • Strong: Katso OTP (one-time password, PIN/TAN list) • Weak: PWD (username and password) • Initial registration for strong authentication is based on bank assurance (TUPAS) or a physical visit
KATSO • Use of KATSO initially limited to consortium members • Legislation changes have permitted wider use • Use outside of government services still limited by legislation
Haka Federation for Education • Identity federation for higher education • SAML2 (almost 100%) • Used by 42 out of 43 higher education institutions • Operated by CSC
Haka Federation (diagram) • Haka federation (operated by CSC) • Universities: Uni1 to Uni6, each running a SAML IdP • Service Providers, each running a SAML SP: Library services (licensed contents etc), Learning management systems (Moodle etc), Researcher services (CSC's machines etc), Financial services (travel expenses etc), Collaboration (wikis etc)
Virtu • Authentication for public servants • A service of the State Treasury • Operated by CSC • In production since August 2009 • IdP requires an external security audit • State Treasury Government IT Shared Service Centre • Possible future presentation?
Summary • Many sources of strong identities, both commercial and government operated • Early adopter with some legacy pre-SAML components • Open interfaces, standards-based where standards exist • Continued growth in all services • Extensible to support new authentication methods (e.g. WPKI)