Creating a European Identity Management Architecture for eGovernment - GUIDE - Keiron Salt

www.guide-project.org


Creating a European Identity Management Architecture for eGovernment
GUIDE
Keiron Salt

What is GUIDE?
GUIDE (Government User Identity for Europe) is a European Union funded research project conducting research and technological development with the aim of creating a technological, institutional, policy and socio-economic architecture for secure and interoperable e-government electronic identity services and transactions for Europe.

Road of GUIDE and EU
2004: Lisbon Agenda
2006: Manchester 2010 Declaration
Encourage free movement of citizens, capital and services across the EU to encourage the Internal Market
Pan-European identity interoperability

GUIDE Architecture Summary
Objective: creating an open architecture for Pan-European e-government electronic identity interoperability
To enable Member States to agree on the identity of an entity (for example a citizen or a business)
In order to enable eGovernment sectoral applications to conduct cross-border transactions with respect to that entity
The GUIDE architecture aligns with, leverages, and exploits both of:
    The IDABC European Interoperability Framework (EIF) architecture
    Emerging international standards for Federated Identity Management

The Motivation View
What are the business problems we're trying to solve? Getting the scope right.
Is about:
    Identity data interoperability
    Authentication
    Cross border services
    Standards adoption
    Standards specification
Is not about:
    Storing identity data within GUIDE
    Application data interoperability
    Authorisation
    Internal MS services
    Re-inventing
    Implementation
Guide delivers identity interoperability across the Member States of the EU.
Guide is not an end in itself, but a key enabler for application interoperability to enable the Lisbon Initiatives which deliver the real benefits.
Guide aims to enable uninhibited movement and seamless government engagement for citizens & businesses across the EU.
Guide positioning with other EU Initiatives
    IDABC: Generic middleware, Network
    Guide: Identity Interoperability
    eID: Smart card standards, & Issue
    Prime: Privacy Enhancement
    PKI: Certificate Management
    Schengen, EBR, eTEN, 20 eGOV Apps: Applications
    Front-End: Enrolment, etc
    Back-End: Interoperability

IDABC Architecture alignment
Guide & EIF / IDABC Synergy
[Diagram: IDABC PEGS Architecture (CGEY)]

GUIDE Topology
[Diagram: Member States MS1 to MS5; labels: Cross Domain, Provider Hub, Application Service Provider, Sub-national Identity Provider Hub, National Identity Provider Hub, EU Identity Provider Hub, Identity Provider Hub, National Identity Federation, EU Identity Federation]

Subsidiarity v Standardisation
[Diagram: Uniform FIM model with Identity Provider, Service Consumer, Service Provider]
FIM standard models expect all actors to fall under the same model.
GUIDE acknowledges that MS can utilise different FIM models.
[Diagram: Identity Provider (LIBERTY), Service Consumer (Shibboleth), Service Provider (WS-FEDERATION), each with a Guide GW; Uniform FIM]
Guide FIM Gateways must act as proxies for the real actors.

Pan EU Citizen Authentication Scenarios
[Diagram: Citizen from Member State 1; Member State 1 GUIDE gateway; Member State 2 with Access Channels, Identity Providers, Applications and Civil Servant; SAML & Liberty Alliance Profiles]
    Citizen present, and logging on to foreign system as a user (SSO)
    Citizen present, but user is a foreign Civil Servant
    Citizen not present, administrative trigger, e.g. receipt of E101 form

GUIDE Software Agent - Logical Component Architecture
[Diagram components: GUIDE Request Handler; GUIDE SAML Profile Interface; Transformation Services; GUIDE Interaction Service; GUIDE Discovery Service; GUIDE Liberty Profile Interface; Transformation Services; GUIDE Software Agent; Member State Interface; GUIDE SAML Interface; GUIDE Liberty Interface]

Main GUIDE Core Services
Logical Process Flow
[Diagram labels: Identification; Authentication; Assertions; Attribute Provision; Interaction; Discovery; Identity Requests; Transformation Services; Infrastructure Services; Trust Services; Security, Assurance, Privacy; Redirection; Consent; Usage Directives; Update; Lookup]

Service Profiles & Protocol Bindings
[Diagram labels: Guide Abstract Service Model; http; IDABC eLink Binding?; Liberty ID-WSF V2.0; SAML v2.0; Shibboleth; WS-Federation; SOAP]

Guide Profile of Liberty Specs
[Diagram labels: Authentication Mechanism, Authentication Realm, Authentication Context; Guide Mechanisms, Guide Realms, Guide Assurance Levels]

Guide Liberty Profile for Discovery
    urn:liberty:id-sis-pp:
    urn:liberty:id-sis-pp:home
    urn:liberty:id-sis-pp:informalName
    urn:GUIDE:Realm:SocialSecurity
    urn:GUIDE:Assurance:2
    not used
Naming standards
Profiling

Guide SAML Profile for Identification
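
An added example, not code from the GUIDE project: a gateway acting as proxy between Member State federations has to decide whether an asserted realm and assurance level satisfy what the relying application requires, and it should fail closed on anything it cannot parse. The URN grammar is inferred from the two sample names on the slide (urn:GUIDE:Realm:SocialSecurity, urn:GUIDE:Assurance:2); the single-digit level, the "higher number is stronger" ordering, and the function names are assumptions.

```python
import re
from dataclasses import dataclass

# Grammar inferred from the slide's two sample URNs (assumption):
#   urn:GUIDE:Realm:<name>     e.g. urn:GUIDE:Realm:SocialSecurity
#   urn:GUIDE:Assurance:<n>    e.g. urn:GUIDE:Assurance:2
_REALM = re.compile(r"urn:GUIDE:Realm:([A-Za-z][A-Za-z0-9]*)")
_ASSURANCE = re.compile(r"urn:GUIDE:Assurance:([0-9])")


@dataclass(frozen=True)
class AuthContext:
    realm: str
    assurance: int


def parse_context(realm_urn: str, assurance_urn: str) -> AuthContext:
    """Strictly parse a realm/assurance URN pair; reject anything else."""
    realm = _REALM.fullmatch(realm_urn)
    level = _ASSURANCE.fullmatch(assurance_urn)
    if realm is None or level is None:
        raise ValueError("not a well-formed GUIDE realm/assurance URN pair")
    return AuthContext(realm.group(1), int(level.group(1)))


def gateway_accepts(asserted, required) -> bool:
    """Fail closed: accept only an exact realm match with an asserted level
    at least as high as the required one (ordering is an assumption)."""
    try:
        got = parse_context(*asserted)
        need = parse_context(*required)
    except (ValueError, TypeError):
        # Malformed URN, wrong type or wrong number of values: deny.
        return False
    return got.realm == need.realm and got.assurance >= need.assurance


if __name__ == "__main__":
    # Constructed sample assertions, checked against one requirement.
    required = ("urn:GUIDE:Realm:SocialSecurity", "urn:GUIDE:Assurance:2")
    samples = [
        ("urn:GUIDE:Realm:SocialSecurity", "urn:GUIDE:Assurance:3"),
        ("urn:GUIDE:Realm:SocialSecurity", "urn:GUIDE:Assurance:1"),
        ("urn:GUIDE:Realm:Tax", "urn:GUIDE:Assurance:3"),
        ("urn:GUIDE:Realm:SocialSecurity", "urn:GUIDE:Assurance:2 "),
    ]
    for s in samples:
        print(s, "->", "accept" if gateway_accepts(s, required) else "deny")
```
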