Posts categorized "Distributed Authentication"

July 11, 2006

Danish e-Government Architecture

On June 13 2003 the Danish Ministry of Science, Technology and Innovation published a white paper* on governmentwide enterprise architecture. This whitepaper was the starting point for the succeeding initiatives in the Danish architecture for eGovernment programme which covers all tiers of government. The paper Architecture for e-Government* sums up the major initiatives up until March 2004.

A National OIO Enterprise Architecture Committee has been established. A National OIO Enterprise Architecture Forum covering the same subjects is open for all interested parties within government as well as within the private sector.

Resources in English are marked with *.

from http://www.oio.dk/arkitektur/eng

The Interoperability Framework is the Danish e-Government Interoperability Framework.

The framework includes recommendations and status assessments for 609 selected standards, specifications and technologies used in e-government solutions.

This is version 1.2.14 of the framework. If you know the Interoperability Framework already, see What's new?. Newcomers might want to check the survival guide. All users should check the advanced search services, and of course also read the (updated) guidelines for use. Above all, everyone should dig into the 609 standards in the categories below.

from http://standarder.oio.dk/English/

There is a blog in English and Danish - Interoperability Framework Blog.  Here's the latest English posting, from February 13, 2006

Another standard has been added to the Framework. This time it is Role-Based Access Control (RBAC).

RBAC is a conceptual model, which uses employee assignments, functions, qualifications, responsibilities and authorizations as its starting point. RBAC is based on users, roles, role hierarchies, relations and limitations (e.g. separation of functions) and is a foundation for controlling who is able to do what, when, where, in what order etc.

As a part of the Danish government wide enterprise architecture a project focusing on a common approach to user and access management has been established. This project is among other things concerned with RBAC.
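The quoted posting describes RBAC as users, roles, role hierarchies and limitations such as separation of functions. The following is an added example (not code from the OIO framework or the quoted blog) showing how those pieces fit together: permissions are attached to roles, senior roles inherit from junior ones, and a static separation-of-duty constraint stops one person from holding two conflicting roles. The role names, users and permissions are constructed for illustration.

```python
"""Hierarchical RBAC with a static separation-of-duty (SSD) constraint.

Added example, not part of the OIO Interoperability Framework. Roles,
users and permissions below are constructed for illustration.
"""
from collections import deque


class RBAC:
    """Core RBAC plus a role hierarchy (a senior role inherits the
    permissions of its junior roles) and SSD constraints (sets of roles
    of which a single user may hold at most one)."""

    def __init__(self):
        self.role_perms = {}   # role -> set of (action, object)
        self.juniors = {}      # role -> set of roles it directly inherits from
        self.user_roles = {}   # user -> set of directly assigned roles
        self.ssd = []          # list of frozensets of mutually exclusive roles

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms.setdefault(role, set()).update(perms)
        self.juniors.setdefault(role, set()).update(inherits)
        for junior in inherits:                 # make sure juniors exist
            self.role_perms.setdefault(junior, set())
            self.juniors.setdefault(junior, set())

    def add_ssd_constraint(self, *roles):
        self.ssd.append(frozenset(roles))

    def authorized_roles(self, role):
        """The role itself plus every role it inherits from, transitively."""
        seen, queue = set(), deque([role])
        while queue:
            current = queue.popleft()
            if current in seen:
                continue
            seen.add(current)
            queue.extend(self.juniors.get(current, ()))
        return seen

    def ssd_conflicts(self, user, role):
        """SSD constraints that would be violated if `role` were added to
        `user`. Evaluated over the user's effective (inherited) roles, so a
        senior role that inherits two conflicting juniors is caught too."""
        proposed = set(self.user_roles.get(user, set())) | {role}
        effective = set().union(*(self.authorized_roles(r) for r in proposed))
        return [sorted(c & effective) for c in self.ssd if len(c & effective) >= 2]

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        clash = self.ssd_conflicts(user, role)
        if clash:
            raise PermissionError(f"SSD violation for {user}: {clash}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            for effective in self.authorized_roles(role):
                perms |= self.role_perms[effective]
        return perms

    def check(self, user, action, obj):
        """Access decision: who is able to do what, via their roles."""
        return (action, obj) in self.permissions(user)


def build_demo():
    """Constructed payments workflow: the person who creates a payment must
    not also be able to approve it (separation of functions)."""
    ac = RBAC()
    ac.add_role("employee", {("read", "handbook")})
    ac.add_role("clerk", {("create", "payment")}, inherits={"employee"})
    ac.add_role("approver", {("approve", "payment")}, inherits={"employee"})
    ac.add_role("auditor", {("read", "ledger")}, inherits={"employee"})
    # A role that inherits both sides of the constraint can never be assigned.
    ac.add_role("finance_head", inherits={"clerk", "approver"})
    ac.add_ssd_constraint("clerk", "approver")
    ac.assign("alice", "clerk")
    ac.assign("bob", "approver")
    return ac
```

The point worth noting is in `ssd_conflicts`: the constraint is checked against the roles a user effectively holds through the hierarchy, not just the ones directly assigned, otherwise a convenient "head of finance" role would silently defeat the separation of functions.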

Previously:
April 30, 2006  Government of Ontario EA and SOA
April 30, 2006  Government of Canada EA and SOA
November 24, 2005  EA and SOA info overload, courtesy of John Gøtze

September 27, 2005

Info Grid 2005 - Tuesday 27th, 13:30 - Internet2 and Shibboleth

13:30

Internet2 and Shibboleth (Shibboleth and Privacy)
Peter Brantley, California Digital Library

Presentation: ppt (0.8M); pdf (1.3M);

Access Management

list of requirements from A White Paper on Authentication and Access Management Issues
by Clifford Lynch, CNI, 1998

Distributed Access Management

registration and authentication: library, college, university
authorization and accounting: the resource owner

Role vs. Identity

Conceptually, licenses to restricted content are by ROLE e.g. {member of} University of California

Therefore IP address authentication is inherently kludgey.

Improved AM

* something opaque that a service can use to associate with me and give me access
* if a service provider knows where you are from, it can ask your identity provider
* once authenticated, access can be determined by role
* SP can ask therefore only for relevant attributes
* might be {member of}, or {staff}, or {IT Director}
* this approach enables finer role-based distinctions

This is Shibboleth

three things:
* Shibboleth Project
- umbrella of activities around federated authentication and access management, still ad hoc
* Shibboleth Specs
- SAML 1.1 and enhancements
* Shibboleth System
- Internet2-developed open source (reference) implementation
- there are other implementations available

Shibboleth status
- Elsevier Science Direct, OCLC, JSTOR, EBSCO, Proquest, Blackwell
- international uptake: Switzerland, Finland, UK, Australia
- production federations (e.g. InCommon)
- discussions involving "Leagues of Federations"
- supports US Federal E-Authentication Initiative
http://www.cio.gov/eauthentication/

typically will send both institutional attribs (e.g. contract #) as well as individual attribs

could have an attribute release policy interface so that users can control who gets what attributes

Shibboleth Federations
- Usually nationally-oriented
- Federation operator handles coordination and management of operations
- coordination, management, sets of attribute-types, what to trust, for what purposes, policy, operational direction
- Federations are very hard work, not to be taken lightly

Meta-Federations

- Shibboleth InCommon and US Federal Federation (FedFed) are establishing peering
- Sun's Project Liberty and Shibboleth will interoperate through advancement of technical standards
- increasing need to support Virtual Organizations (VOs)
- expect eventual formation of Shibboleth-enabled software-based infrastructures, extending the concepts of VOs, that support personal attribute requests, very small groups

[Ohio State is one of the leading adopters]

Meta-Fed Discussions: US, UK, Netherlands, Finland, Switzerland, Australia, Spain, ...

Issues:
- policy framework
- privacy needs
- working with multinational service providers
- scaling WAYF

Slaughter meeting, Oct. 2004
Good meeting, not wholly conclusive.

Different authentication technologies and infrastructures exist within Europe.

EC funded GN2: eduroam, eduGAIN

InCommon...
operations

Origins and targets (the Shibboleth 1.x terms for identity providers and service providers) establish trust bilaterally in out-of-band or no-band arrangements (using shared posting of practices)

InCommon progress

- Eduperson attributes

more challenging:
- having apps make intelligent use of federated identity
- legal issues
- scalable paths for LOA (level of assurance) components

Shib communities

Flexible creation of federations within federations, of varying duration, are increasingly common in the US
- RedCross for Hurricane Katrina
- UCTrust

Next Steps
- multi-Federation world
- enhancing support for US gov auth
- support GridShib
- encourage continued commercial and vendor uptake
- interop with Microsoft
- extending Shib beyond the browser, into service-service interaction
- Shib 2.0 utilizing SAML 2.0, enhances functionality.  Design has been committed.

So... what's SAML?

[explanation of SAML]

An XML-based framework for exchanging security information.

Shibboleth and SAML

- Shibboleth is a profile of SAML
- extends SAML through Shib's data flow specs

Privacy and User Consent

- idea is that you only release what attribs you specify

Trade-offs

Anonymous use hinders personalization (PZN); persistent anonymized identifiers permit a range of personalization options.

* More dialogue on privacy and policy best practices is necessary.
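The "Improved AM" list, the remark about an attribute release policy interface, and the privacy trade-off above all turn on the same mechanism: the identity provider sends an opaque identifier plus only the attributes the service provider needs, and the SP authorizes by role rather than by IP address. The following is an added example (not Shibboleth's own code and not from the talk) that models that flow. The eduPerson attribute names are real; the directory record, the per-SP release policy, the SP entity IDs and the IdP salt are constructed placeholders.

```python
"""Federated attribute release with a per-SP release policy, optional user
consent, and a persistent pairwise pseudonymous identifier.

Added example, not Shibboleth's own code. Directory record, release policy,
entity IDs and salt are constructed for illustration.
"""
import hashlib
import hmac

# Constructed IdP directory record (in practice read from LDAP).
DIRECTORY = {
    "jdoe": {
        "eduPersonPrincipalName": "jdoe@example.edu",
        "eduPersonAffiliation": ["member", "staff"],
        "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
        "mail": "jdoe@example.edu",
        "displayName": "J. Doe",
    },
}

# Constructed attribute release policy: which attributes each SP may receive.
# A publisher gets role attributes only; an internal benefits app gets more.
RELEASE_POLICY = {
    "https://sp.publisher.example/shibboleth": {
        "eduPersonAffiliation", "eduPersonEntitlement"},
    "https://benefits.example.edu/shibboleth": {
        "eduPersonPrincipalName", "eduPersonAffiliation", "mail", "displayName"},
}

# Placeholder IdP secret; a real deployment keeps and rotates this carefully.
IDP_SALT = b"constructed-secret-salt"


def pairwise_id(user_id, sp_entity_id, salt=IDP_SALT):
    """Opaque identifier that is stable for one (user, SP) pair but differs
    between SPs, so two services cannot correlate the same person. Same idea
    as a Shibboleth computed persistent ID: a salted hash over the SP entity
    ID and a stable user identifier (HMAC-SHA256 here)."""
    message = f"{sp_entity_id}!{user_id}".encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()[:32]


def release_attributes(user_id, sp_entity_id, user_consent=None):
    """IdP side: filter the directory record by the SP's release policy and,
    if given, by the user's own consent list for this SP. An SP with no
    policy entry gets the pairwise identifier and nothing else."""
    record = DIRECTORY[user_id]
    allowed = set(RELEASE_POLICY.get(sp_entity_id, set()))
    if user_consent is not None:
        allowed &= set(user_consent)
    attrs = {name: record[name] for name in sorted(allowed) if name in record}
    return {"nameid": pairwise_id(user_id, sp_entity_id), "attributes": attrs}


def sp_authorize(assertion, required_affiliation=None, required_entitlement=None):
    """SP side: grant access from released role attributes, not from the
    client's IP address. Missing attributes mean no access."""
    attrs = assertion["attributes"]
    if required_affiliation is not None and \
            required_affiliation not in attrs.get("eduPersonAffiliation", []):
        return False
    if required_entitlement is not None and \
            required_entitlement not in attrs.get("eduPersonEntitlement", []):
        return False
    return True
```

`release_attributes` with a `user_consent` list is the "you only release what attributes you specify" idea from the privacy section; `pairwise_id` is the persistent anonymized identifier that still lets the SP personalize without learning who the user is.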

Comments: JSTOR - little Shib uptake - used as a research project - everyone is using IP
Follow-up Q: why isn't there more adoption?  what is needed for broad-based adoption?
A: libraries say "what we have works well enough" using IPs / proxies / VPNs
there is also a transition cost, user education

Shibboleth is currently gaining more traction in accessing administrative apps (e.g. financial benefits management).

not much traction in university libraries

However, there is no better system available for this type of role-based authorization.

[Q about US PATRIOT Act and privacy implications]
