1 / 44

C2G and B2G Authentication and Authorization in Finland

C2G and B2G Authentication and Authorization in Finland. Special Discussion Topic Kantara Initiative eGov Working Group Prepared by : Keith Uber Ubisecure Solutions Oy 31.1.2011. Agenda. Citizen Authentication Citizen Attributes Commercial Identity Providers

george
Download Presentation

C2G and B2G Authentication and Authorization in Finland

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. C2G and B2G Authentication and Authorization in Finland SpecialDiscussionTopic KantaraInitiativeeGovWorking Group Preparedby: Keith Uber Ubisecure Solutions Oy 31.1.2011

  2. Agenda • Citizen Authentication • Citizen Attributes • Commercial IdentityProviders • Company Authentication • Company Authorization • HigherEducationsector • Authentication of Civil Servants • Questions / Discussion

  3. Finland • 5.3 million residents • Parliamentary republic with central government • 336 local municipalities • EU member since January 1995

  4. FinnishPersonalIdentificationNumber • National ID number • Widelyusedincorrectly for identification • Format YYMMDD?123X • Exposesbothdate of birth and gender

  5. eID in Finland • eIDcardcontains • name • optionallyemailaddress • SATU (electronicidentificationnumber) • Notmandatory • Price 51€ • The SATU numbercanbeconverted to a personalidentitynumberthrough a webservicesquery to the populationregister

  6. eIDStatistics • End of November 2010 • 341,800 certificatesissued to date • 272,200 currentlyvalid

  7. PopulationRegistry • Provides Web Service interface to populationregistry data to authorizedparties (VTJKysely) • Interfaceprovides • Citizen, building and realestateinformation • Over 80 differenttypes of attributesavailable • Web serviceinterfaceauthentication at connectionlevelusingclientcertificates

  8. Banks as Commercial IdPs for eGov • TUPAS is a jointbankspecification for electronicauthenticationby the Federation of Finnish Financial Services • Proprietoryprotocol • Usermustbestronglyauthenticated • Typically PIN/TAN list • Banks providelimitedfinancialliability • Userapproves and certifies the personal data released

  9. Banks as Commercial IdPs • 10+ banks • Commercial service • Contractsbetween SP and eachbankrequiredincludingtypically • Establishmentfees • Monthlyfees • Transactionfees • Similarprocess to Verified By Visa etc

  10. Familiarprocess

  11. Bank authentication

  12. Indexed TAN

  13. Attribute release consent

  14. Telcos as Commercial IdPs for eGov • Commercial Wireless PKI (MPKI, WPKI) servicelaunched 30.11.2010 • Named ”Mobiilivarmenne” Mobile Certificate • http://www.mobiilivarmenne.fi/en/en_2.html • Supportedby 3 out of 4 national telcos • Competingwith TUPAS service • Roamingfunction - onecontractwithonetelco is enough • ETSI MSS Mobile Signature Service

  15. Telcos as Commercial IdPs • Long history – previous studies and commercial trials commencing around 2003 to use national ID in the mobile had failed • New business model, purely commercial • Requires government-issued CA license with stringent auditing • Applicationembedded in SIM (applicationtoolkitapplication)

  16. Telcos as Commercial IdPs • Works whileroaming (SMS based transport) • Pricing for endusers • Elisa: 0.09 per transaction (FreeuntilNov 2011) • Othertelcopricingunknown • Pricing for SP services • Unpublished • Expected adoption for C2G services in 2011

  17. eGovSharedIdentity Services

  18. Tunnistus.fiIdentityProvider • Tunnistus meansIdentification • Jointproject of the TaxAdministration, Ministry of Employment and the Economy and the Social Insurance office • IdP Proxy service for Banks and eIDcards • JointventureconsortiumcontractsignedMarch 2003 • RFQ March 2003, Implementation 5 months • OperationalJanuary 2004

  19. Accessing a service

  20. IdPDiscovery

  21. Authenticate at bank (PIN/TAN)

  22. Access to service

  23. Tunnistus.fi • Web single sign-onbased on bothproprietory and SAML2 protocols • Liberty Interoperabletested • Single logout

  24. Tunnistus.fiStatistics Chartcredit: Verohallinta, Finnishtaxadministration

  25. Vetuma • Authentication and paymentgateway for eGov-services for citizens • OperationalJuly 2006 • Largelyused for regionalgoverment (localcouncil) services • Based on bothproprietory and SAML2 protocols • State Treasuryservice

  26. VETUMA Statistics • Services usingauthentication (t) • 47 localgovernment • 25 governmentservices • http://www.suomi.fi/suomifi/tyohuone/yhteiset_palvelut/verkkotunnistaminen_ja_-maksaminen_vetuma/yleiset_materiaalit/vetuma_palvelun_tilanne_joulukuussa_2010/VETUMA_tilastot_3_2010.pdf

  27. Tunnistus.fi and VETUMA federation • Twosimilarsystemscoverdifferenttargetgroupsunderdifferentgovernmentbudgetswithdifferentservicemandates • New governmentportalservicestarted in 2011 is drivingincreasedauthenticationvolume • Tunnistus.fi and VETUMA willbefederatedtogether in Q1 2011 usingdiscoverybased on the CDC approach • Stakeholdersdeveloped the eGovDeploymentProfile for Finnishpublic sector SAML2 WebSSO deployment profile. The profile is based on the KantaraeGov implementation profile 2.0 and the SAML2int.org ver 0.2 deployment profile[1].

  28. KATSO B2G AuthN & AuthZ • Self-serviceauthentication and authorizationservice for governmente-services • Userself-registration • Roledelegation (to othersub-user) • Power of attorney (user to user, user to organization, organization to organization) • Self-servicecredential management

  29. KATSO Roles • Differentrolegroups • Internalsystemroles • General roles • Service specificroles • Total roles: 51 Seeroledescriptions • Rolesprovidedby KARVA SAML2 AttributeAuthority • SP queriesroleinformationafterauthenticationusing SAML2 AttributeQuery

  30. KATSO Web Services • KATSO operates a Liberty Alliance ID-WSF 2.0 WSIDP alsoenablingintegration of non-browserclients

  31. KATSO History • Introduced 2006 • 2009: over 30 services • Top 3 • Unemploymentregistration (Tax) • Taxcardordering (Tax) • Registering as a jobseeker (Social insurance)

  32. KATSO Statistics Chartcredit: Verohallinta, Finnishtaxadministration

  33. KATSO • Twotypes of authentication • Strong: Katso OTP (One timepassword PIN/TAN) • Weak: PWD (Username and password) • Strongauthenticationinitialregistrationbased on bankassurance (TUPAS) orphysicalvisit

  34. KATSO • Use of KATSO initiallylimited to consortiummembers • Legislationchangeshavepermittedwideruse • Use outside of governmentservicesstilllimitedbylegislation

  35. Selfserviceenrolment

  36. Haka Federation for Education • Identity federation for highereducation • SAML2 (almost 100%) • Usedby 42 out of 43 highereducationinstitutions • Operatedby CSC • More info

  37. Haka Federation Haka federation (operatedby CSC) Universities Service Providers Uni1 Libraryservices(licensedcontentsetc) SAML IdP SAML SP Learning managementsystems (Moodleetc) Uni2 SAML IdP SAML SP Researcherservices(CSC’smachinesetc) Uni3 SAML IdP SAML SP Financial services(Travel expencesetc) Uni4 SAML IdP SAML SP Collaboration(Wikisetc) Uni5 SAML IdP SAML SP Uni6 SAML IdP

  38. Haka: 7.7 millionlogins in 2010

  39. Virtu • Authentication for Public Servants • A service of the State Treasury • Operatedby CSC • In productionsince August 2009 • IdPrequiresexternalsecurityaudit • State Treasury Government IT Shared Service Centre • Possiblefuturepresentation?

  40. Summary • Manysources of strongidentities, bothcommercial and governmentoperated • Earlyadopterwithsomelegacypre-SAMLcomponents • Openinterfaces, standards-basedwherestandardsexist • Continuedgrowth in allservices • Extensible to support new authenticationmethods (eg WPKI)

  41. Questions / Discussion

More Related