MAS Municipal Authentication System Valentino Ditoma Deputy Director of eGovernment Technologies Anc - PowerPoint PPT Presentation

Transcript and Presenter's Notes



1
MAS (Municipal Authentication System)
Valentino Ditoma
Deputy Director of eGovernment Technologies
Ancitel S.p.A.
2
Municipal Authentication System
  • Framework for web applications that manages
  • - Authentication
  • - Authorisation
  • - CRM
  • Modular architecture
  • Currently used by 18 Italian municipalities and
    being validated at European level through the
    eTEN project CARMEN

3
Municipal Authentication System
  • System based on the knowledge gained during the
    Italian Identity card experimental project of the
    Ministry of the Interior to manage the identity
    of citizens regarding public services
  • Aiming at providing a standard solution for
    service authentication of all public
    administrations by 2006

4
Municipal services in which it is being used
  • Payment of local taxes and fines
  • Access by citizens, civil servants and police to
    protected citizen data (civil register)
  • Remote filing of applications (administrative
    procedures, building licenses, etc.)
  • Retrieval of certificates issued by public
    administrations
  • Public authorisation procedures to enterprises
  • Managing of authorisation flows involving
    different administrations.

5
Next Step
  • The user authentication system will be presented
    to local service providers so they can
    authenticate automatically in their own web
    services all citizens identified by the portal of
    the municipality
  • (the provider only needs to install the client
    application on its server)

6
Authentication Server
7
Authentication Server goals
  • Centralized Authentication server
  • Single Sign On
  • Allows different authentication methodologies
  • Enables access to multiple data sources to verify
    user credentials

8
Authentication Server centralized authentication
Service 1
Authentication Server
Service x
Token of authentication
Authenticated Access
Browser
Service n
9
Authentication Server Communication protocol
Diagram labels: Browser Internet, INTERNET, WEB Service, MUNICIPAL INTRANET, Authentication Server (AS)
  • (1) Request of Service
  • (2) http request redirected to AS
  • (3) Request of authentication
  • (4) http request redirected to Service
  • (5) Access to Service by authenticated user
10
Authentication Server Single SignOn
  • Centralized Authentication
  • Possibility of accessing many web services
    (federated) through a single user
    authentication
  • Services are federated on the Authentication
    Server
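
The redirect flow of steps (3) to (5) and the single sign-on behaviour above, as an added example that is not taken from the presentation or from MAS itself. The slides do not describe the token format, so the HMAC-signed token, its `sub`/`aud`/`exp` fields, the 60-second lifetime, the shared key and the service names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

AS_KEY = b"constructed-demo-key"         # assumption: secret shared by the AS and its client modules
FEDERATED = {"taxes", "civil-register"}  # constructed names for services federated on the AS
SESSIONS = {}                            # AS-side sign-on state: browser cookie -> user id

def sign(body: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(AS_KEY, body, hashlib.sha256).digest())

def as_login(cookie, user, password, check_credentials):
    """Step (3): the AS checks credentials against a backend such as a DB or LDAP."""
    if not check_credentials(user, password):
        return False
    SESSIONS[cookie] = user
    return True

def as_issue_token(cookie, service, now=None):
    """Step (4): redirect back to the service carrying a token bound to that service."""
    if service not in FEDERATED or cookie not in SESSIONS:
        return None  # unknown service, or the browser has not authenticated yet
    now = time.time() if now is None else now
    body = json.dumps({"sub": SESSIONS[cookie], "aud": service, "exp": now + 60}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + sign(body).decode()

def service_accept(service, token, now=None):
    """Step (5): the service-side client module validates the token before granting access."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, AttributeError):
        return None  # malformed token
    if not hmac.compare_digest(sig.encode(), sign(body)):
        return None  # forged or altered token
    claims = json.loads(body)
    if claims["aud"] != service or claims["exp"] < now:
        return None  # token issued for another service, or expired
    return claims["sub"]
```

Binding each token to one service and giving it a short lifetime means a token captured at one federated service cannot be presented to another, while the AS-side session still lets the user reach further services without logging in again.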

11
Authentication Server authentication methodology
  • Possibility of configuring different
    authentication systems

Pre-existing Authentications (ex. login/password)
Authentication Server
eID card
Extensions New authentication systems
12
Authentication Server access to external databases
  • User validation through pre-existing external
    databases

Authentication Server
CheckUserID / Password
CheckUserID / Password
DB
LDAP
13
Authentication Server service integration
  • Integration through Apache module
  • Transparency of web services
  • Java library
  • DLL module for Microsoft

14
Authentication Server schema
[Diagram labels, translated from Italian: CIE, HTTPS, Browser, CLIENT, Internet, Internet workstation, Web Server, Service A, Service B, Service C, Service D, municipality's custom module, Tomcat, custom module, AuthAdmin, AS CORE, LDAP module (Auth), Black List, CIE module, CIE certificate validity check, DB module, DB, Authentication Server, municipal or national databases]
15
Authorization Server
16
Authorization Server goals
  • Centralizes authorizations
  • RBAC Model
  • Single interface with Services
  • Secure communication with Services
  • Multi-platform
  • Independent from Authentication Server

17
Authorization Server RBAC model
Users
Roles
Resources
Permissions
Resource Permissions
18
Authorization Server modules
  • Possibility to configure CUSTOM authorization
    modules

Authorization Server
CheckAuthorization
CheckAuthorization
Custom Module
DB
19
Authorization Server integration of services
  • Java library
  • DLL module for Microsoft

20
Customer Relationship Management
21
CRM goals
  • Retrieve the information
  • Determine the categories of users
  • Manage the multi-channel interaction with
    users/citizens
  • Tracing service
  • Statistics

22
CRM repository of information
  • CRM centralizes the user information (user
    attributes)

User attributes
Registration in mailing list
Preferences
23
CRM categories of users
Attribute 1 <operator> value
Attribute n <operator> value
Category X
24
CRM multichannel services
  • CRM gives the possibility to send messages
    through different channels

Mail
WEB Messages (Popup)
SMS
E-Mail
25
CRM WEB messages
Authentication Server
Web Access
Browser
Web Message
CRM Server
26
CRM tracing
  • Centralized tracing system for anonymous
    searches, respecting users' private data

WEB service 1
Access 1
Trace 1
Trace 2
Browser
CRM Server
Access 2
WEB Service 2
27
Service On Line survey
28
SOL what is it?
  • a secure electronic voting system
  • an open source WEB application
  • reproduces voting conditions as in a real
    election process (List of Voters issued by the
    Municipality, polling station, ballot box,
    ballot counting)

29
SOL architecture
AUTHS
AS
DB
Voting authorisation
Authentication by administrator AVS
Authentication by administrator BCS
AVS Admin
Authentication of the user
BCS Admin
AVS CORE
BCS CORE
BCSClient
AVSClient
XML encrypted over HTTP
Controller
Controller
BCS Public
Applet JAVA
Browser Internet
eIDcard
30
SOL polling procedure
Request decoding of encrypted key
AVS
BCS
Private key
Ballot authorisation request
Sending of encrypted ballotAuthorisation
Public KEY
Applet Java Voter