Enabling Altinn for foreign users – the long-term scenario
Jon Ølnes, jon.olnes@difi.no
Difi – Agency for Public Management and eGovernment, Norway
Workshop, Altinn, Oslo, 13th October 2011
Authenticating (with attributes) foreign user – step 1, initiating STORK
(Diagram.) Components: Foreign user • Public agency, service owner • Service in Altinn • Altinn service platform • Altinn portal • ID-porten authentication portal • Norwegian PEPS, STORK system
Flow labels: Request authentication with selected attributes • New user, must register • Foreign user, which country? • To home country
STORK authentication and attributes process flow (PEPS approach; middleware approach not described here; ID-porten not shown)
• User (from Belgium) – Altinn (in Norway)
• User –> (via ID-porten to) Norwegian PEPS, asks “where are you from” –> Belgian PEPS –> Authentication Portal in Belgium
• User authenticates in Belgium using “local” eID
• Belgian PEPS (or Authentication Portal) may add attributes (from Attribute Providers)
• SAML token with ID and attributes from Belgian PEPS –> Norwegian PEPS, to ID-porten, transforms to Norwegian SAML –> Service Provider
• User authenticated to service, attributes delivered
STORK attributes
• eIdentifier
• Given Name
• Surname
• Inherited Family Name
• Adopted Family Name
• Gender
• Date of Birth
• Country of birth
• Residence Permit
• Nationality
• Marital Status
• Residence Address (Text, Canonical)
• eMail Address
• Title
• Pseudonym
• Age
• IsAgedOver
Authenticating (with attributes) foreign user – step 2, STORK response
(Diagram.) Components: Foreign user • Public agency, service owner • Service in Altinn • Altinn service platform • Altinn portal • ID-porten authentication portal • Norwegian PEPS, STORK system
Flow labels: From home country PEPS • Modified ID-porten SAML with foreign identifier and attributes • User registration, pre-filled form from attributes
Mapping foreign identifier to D-number
(Diagram.) Components: Foreign user • Public agency, service owner • Service in Altinn • Altinn service platform • Register of Business Enterprises • Population Register • Altinn portal • ID-porten authentication portal
Flow labels: From home country PEPS • SAML with D-number and possibly attributes • New user: Request D-number and establish mapping from foreign identifier – attributes may be used • Existing user: Map foreign identifier to D-number • Update based on D-number • Authenticated foreign user, possibly with attributes
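As an added example (not code from the slides or from Altinn/STORK), the receiving side of the flow above: the Norwegian PEPS checks the validity window and audience of a SAML assertion from the foreign PEPS, extracts the STORK attributes listed earlier, and then maps the foreign eIdentifier to a D-number for an existing user or returns pre-fill data for a new user. The sample assertion, the STORK attribute namespace, the identifier format and the registry are assumed; signature verification is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
STORK = "http://www.stork.gov.eu/1.0/"  # assumed STORK attribute namespace

# Constructed sample of what a foreign (Belgian) PEPS might return. The XML
# signature is omitted: a real PEPS verifies it before trusting any of this.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" IssueInstant="2011-10-13T10:00:00Z">
  <saml:Issuer>https://peps.example.be/</saml:Issuer>
  <saml:Conditions NotBefore="2011-10-13T09:59:00Z" NotOnOrAfter="2011-10-13T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://peps.example.no/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://www.stork.gov.eu/1.0/eIdentifier"><saml:AttributeValue>BE/NO/12345678901</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://www.stork.gov.eu/1.0/givenName"><saml:AttributeValue>Anna</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://www.stork.gov.eu/1.0/surname"><saml:AttributeValue>Peeters</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://www.stork.gov.eu/1.0/dateOfBirth"><saml:AttributeValue>19800101</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_stork_assertion(xml_text, expected_audience, now):
    """Reject the assertion unless `now` (ISO UTC string) is inside its validity
    window and this PEPS is in the audience; return STORK attributes keyed by
    short name (eIdentifier, givenName, ...)."""
    root = ET.fromstring(xml_text)
    cond = root.find(SAML + "Conditions")
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.iter(SAML + "Audience")]:
        raise ValueError("assertion not issued for this PEPS")
    attrs = {}
    for att in root.iter(SAML + "Attribute"):
        name = att.get("Name", "")
        if name.startswith(STORK):
            val = att.find(SAML + "AttributeValue")
            attrs[name[len(STORK):]] = None if val is None else val.text
    if "eIdentifier" not in attrs:
        raise ValueError("mandatory eIdentifier missing")
    return attrs

def map_to_dnumber(attrs, registry):
    """Existing user: (D-number, None). New user: (None, pre-fill data for registration)."""
    dnr = registry.get(attrs["eIdentifier"])
    if dnr is not None:
        return dnr, None
    return None, {k: attrs.get(k) for k in ("givenName", "surname", "dateOfBirth")}
```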
Handling documents signed by foreign users
(Diagram.) Components: Foreign user • Public agency, service owner • WS interface • Service in Altinn • Altinn service platform • Altinn portal
Flow labels: Upload signed document(s) for service • Process signature in Altinn • Assess eID validity and quality
Validation Service from PEPPOL specs
(Diagram.) Components: Signer • Signer’s CA • Qualified CAs … • Other CAs • Trust status list service (official EU system – in place but with some deficiencies) • Validation Service, Country 1 • Validation Service, Altinn Norway
Protocol labels: OCSP (or CRL) • XKMS • XKMS Web Service, eID validation • Response signed by ”local” VS
Sending document to foreign user in Altinn
(Diagram.) Components: Foreign user • Public agency, service owner • WS interface • User’s message box in Altinn • Altinn service platform • Altinn portal • ID-porten authentication portal • Norwegian PEPS, STORK system
Flow labels: Agency signs response and uploads to Altinn • eSignature verification • User logs on to retrieve message • Request authentication (no attributes) • Foreign user, which country? • To home country • Authenticated user, foreign identifier
Sending to foreign user via transport infrastructure
(Diagram.) Components: Foreign user • Public agency, service owner • WS interface • User’s message box in Altinn • Altinn service platform • Service Metadata Publisher • Service Metadata Locator • Altinn portal • Altinn Access Point • PEPPOL Transport Infrastructure (BusDoX) • Access Point, secure delivery, user’s home country (Country B) • User’s message box in home country
Flow labels: Agency signs response and uploads to Altinn • eSignature verification • User’s profile set to forwarding • Message routing • Log on in home country to retrieve
Receive signed document from user via infrastructure
(Diagram.) Components: Foreign user • Public agency, service owner • Public agency’s message box in Altinn • WS interface • Altinn service platform • Service Metadata Publisher • Service Metadata Locator • Altinn portal • Altinn Access Point • PEPPOL Transport Infrastructure (BusDoX) • Access Point, secure delivery, user’s home country (Country B) • User’s message box in home country
Flow labels: Signed document from user (e.g. receipt confirmation) • Message routing • eSignature verification
Authenticating (with attributes) Norwegian user to foreign service
(Diagram.) Components: Norwegian user • Register of Business Enterprises • Population Register • Other attribute sources • ID-porten authentication portal • Norwegian PEPS, STORK system • STORK Attribute Providers
Flow labels: Norwegian user from service (via PEPS) in other country • Authenticate using Norwegian eID • Authenticated user with attributes
Authenticating (with attributes) Norwegian user to Altinn
(Diagram.) Components: Norwegian user • Public agency, service owner • Service in Altinn • Altinn service platform • Register of Business Enterprises • Population Register • Attribute Providers • Altinn portal • ID-porten authentication portal
Flow labels: Request authentication with selected attributes • Authenticate using Norwegian eID • Return SAML token with selected attributes • New user, must register • User registration, pre-filled form from attributes