The STRATEGIC framework has integrated the STORK [6] results with the aim of providing a trusted and secure authentication component to the cloud services offered by public administrations. The Cross-Border Authentication (CBA) service has been integrated into the cloud Open Market Business Service provided by the municipality of Genoa.

The European Commission promotes the use of electronic identity (eID) for securely accessing online public administration services, not only at national level but also so that citizens of other EU Member States can use those services in a secure way. By leveraging the STORK outcomes, these services can offer secure, interoperable authentication in cross-border scenarios, delegating the authentication of the user to STORK.

Current situation

During the project the STORK component was updated for a better integration with the service of the Genoese pilot, and it was also configured so that it can run in the cloud environment provided by the STRATEGIC infrastructure.

Based on the description of the trust and security components provided in D2.3 Framework Architecture and Technical Specifications [2], a prototype was implemented [3].

In a second phase this component was improved [4] with two additions:

  • Non-repudiation improvement: the signed assertions received from the STORK network are stored encrypted at rest as proof of each use of the Business activities engine. Because the stored assertion carries the PEPS signature, it can later be produced as evidence without relying solely on the component's own logs.
  • Integrity of the data in transit: HTTPS connections are used between the different components. HTTPS protects the channel only; the integrity of the assertion itself still depends on verifying its SAML signature before its attributes are trusted.

At this moment the STORK component, i.e. the CBA component, is deployed and running on the cloud environment owned by Genoa.

Public administration leveraging STORK

The STORK infrastructure represents the main identity management initiative in Europe, establishing a European eID interoperability platform that allows citizens to authenticate across borders using their national eID.

The use of STORK allows a European public administration to provide online services in a cross-border scenario. In this case the Open Market Business service provided by the municipality of Genoa uses the CBA component to access the STORK network, giving European citizens the opportunity to use foreign services securely with their own eIDs.

The following figure describes the communication structure and the different components from which the STORK network is built.


Figure : STORK Communication Structure.

The figure shows two PEPS (Pan-European Proxy Services), one in the country of the user (called the citizen) and one in the country of the service provider. In STORK, the former is called the C-PEPS (Citizen-PEPS), the latter the S-PEPS (Service-Provider-PEPS). The authentication process is as follows:

  1. The process starts with the user accessing a STORK-enabled service provider.
  2. The service provider calls the CBA component, which issues an authentication request to the S-PEPS. This request declares the required attributes using the national attribute domain of the service provider.
  3. The S-PEPS translates the required attributes into the attribute domain of the citizen's country (a step called "mapping" in STORK), locates the PEPS responsible for the citizen (i.e., the C-PEPS), and forwards the authentication request.
  4. In response, after the user has been authenticated via the national Authentication Portal, the C-PEPS sends a SAML assertion back to the S-PEPS, which verifies it, applies the inverse attribute translation and issues a new assertion containing the translated attributes.
  5. The service provider, on receiving this assertion through the CBA component and verifying its signature, grants access to the resource.
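The five steps above, modelled end to end as an added Python example (not code from the STORK or STRATEGIC projects). Every name in it is constructed: the attribute names of the two national domains, the citizen record, the service provider identifier and the HMAC keys, which stand in for the XML signatures the real PEPS place on SAML assertions. It goes slightly beyond the text by making explicit the two checks each receiver performs before trusting an assertion, that the signature verifies under the expected issuer's key and that the assertion is addressed to the receiver, so a tampered assertion, or one meant for another party, is rejected at step 4 or 5.

```python
import hashlib
import hmac
import json
import secrets

# Constructed signing keys for the two PEPS. Real STORK assertions are SAML
# documents signed with XML-DSig and asymmetric keys; HMAC-SHA256 stands in
# for that here so the example runs with the standard library only.
PEPS_KEYS = {"S-PEPS": secrets.token_bytes(32), "C-PEPS": secrets.token_bytes(32)}

# Constructed attribute mapping between the service provider's attribute domain
# (Italian names) and the citizen's (Spanish names). Step 3 applies it forward,
# step 4 applies the inverse.
SP_TO_CITIZEN = {"nome": "nombre", "cognome": "apellidos",
                 "codiceFiscale": "nif", "eIdentifier": "eIdentifier"}
CITIZEN_TO_SP = {v: k for k, v in SP_TO_CITIZEN.items()}

# Constructed identity record held by the citizen's country (hypothetical user).
CITIZEN_REGISTRY = {
    "ES": {"ana": {"nombre": "Ana", "apellidos": "García", "nif": "12345678Z",
                   "eIdentifier": "ES/IT/12345678Z"}},
}


def sign_assertion(issuer, payload):
    """Serialize the payload canonically and sign it with the issuer's key."""
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(PEPS_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "sig": sig}


def verify_assertion(assertion, expected_issuer, expected_audience):
    """Check issuer, signature and audience before trusting any attribute."""
    if assertion["issuer"] != expected_issuer:
        raise ValueError(f"unexpected issuer {assertion['issuer']!r}")
    expected = hmac.new(PEPS_KEYS[expected_issuer], assertion["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise ValueError("assertion signature does not verify")
    payload = json.loads(assertion["body"])
    if payload["audience"] != expected_audience:
        raise ValueError(f"assertion is not addressed to {expected_audience!r}")
    return payload


def cba_build_request(sp_id, citizen_country, required):
    # Step 2: the CBA component asks the S-PEPS for attributes named in the
    # SP's own domain. The citizen's country is assumed to be chosen by the
    # user at the service provider.
    return {"sp": sp_id, "citizen_country": citizen_country, "required": list(required)}


def s_peps_forward(request):
    # Step 3: map attribute names to the citizen's domain and route the
    # request to the C-PEPS responsible for that country.
    mapped = [SP_TO_CITIZEN[name] for name in request["required"]]
    return {"c_peps": f"C-PEPS-{request['citizen_country']}", "required": mapped,
            "sp": request["sp"], "citizen_country": request["citizen_country"]}


def c_peps_authenticate(fwd_request, username):
    # Step 4a: after the citizen authenticates at the national portal, the
    # C-PEPS asserts only the requested attributes, addressed to the S-PEPS.
    record = CITIZEN_REGISTRY[fwd_request["citizen_country"]][username]
    attrs = {name: record[name] for name in fwd_request["required"]}
    return sign_assertion("C-PEPS", {"audience": "S-PEPS", "subject": username,
                                     "attributes": attrs})


def s_peps_reissue(c_assertion, request):
    # Step 4b: verify the C-PEPS assertion, translate the attribute names
    # back to the SP's domain and issue a new assertion addressed to the SP.
    payload = verify_assertion(c_assertion, "C-PEPS", "S-PEPS")
    translated = {CITIZEN_TO_SP[k]: v for k, v in payload["attributes"].items()}
    return sign_assertion("S-PEPS", {"audience": request["sp"],
                                     "subject": payload["subject"],
                                     "attributes": translated})


def sp_consume(s_assertion, sp_id):
    # Step 5: the SP grants access only once the S-PEPS assertion verifies
    # and is addressed to this SP; the returned attributes drive the service.
    return verify_assertion(s_assertion, "S-PEPS", sp_id)["attributes"]


def run_flow(sp_id, citizen_country, username, required):
    """Steps 2 to 5 in sequence; returns the attributes the SP may rely on."""
    request = cba_build_request(sp_id, citizen_country, required)
    forwarded = s_peps_forward(request)
    c_assertion = c_peps_authenticate(forwarded, username)
    s_assertion = s_peps_reissue(c_assertion, request)
    return sp_consume(s_assertion, sp_id)


if __name__ == "__main__":
    print(run_flow("genoa-omb", "ES", "ana",
                   ["nome", "cognome", "eIdentifier", "codiceFiscale"]))
```

The attribute set passed to `run_flow` is the one the pilot agreed on (name, surname, eIdentifier and fiscal code). Note that the SP never sees the C-PEPS assertion directly: handing it to `sp_consume` fails on the issuer check, which is the property that lets the SP trust a single key, that of its own S-PEPS, regardless of how many countries are on the network.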

This kind of STORK service is not restricted to cross-border authentication; Italian citizens can also take advantage of the Italian STORK network.

In summary, the CBA component gives the online services of public bodies access to the STORK network, taking advantage of its trust and security features.

STORK integration on STRATEGIC

The integration of the STORK network into the STRATEGIC cloud platform is a straightforward process: it involves deploying the CBA on the managed cloud and configuring this STORK service.

Besides the CBA service component, an additional component called the CBA client is provided to integrate the Open Market Business Service with the CBA service. This client can be embedded into the Business service to access the CBA component, and it reduces the developers' implementation work.

The CBA client can be used both for testing and for implementation purposes.

Conclusions and Lessons learnt

After the integration of the STORK components into the Open Market Business service, it is worth describing the lessons learnt during the integration process. For this purpose, feedback was requested from the pilot partner in order to improve future integrations. The conclusions reached for the SEMIRAMIS components (1 to 7 in section 6.5) also apply to the STORK component, with one addition:

  • Most of the discussion concerned the definition of the users for piloting and testing (real vs. fake users; it was finally agreed to use real users with fake data) and the data needed by the Open Market Business service that must be retrieved from the STORK network (name, surname, eIdentifier and fiscal code were agreed).

Future Enhancements

The STORK network has evolved from version 1.0 to STORK 2.0. In September 2014 the eIDAS Regulation (910/2014) [6] entered into force, and public administrations will be obliged to comply with it from September 2018, as the following figure shows.

Figure 7: eIDAS Timeline of implementation

The eIDAS Regulation, which includes the development of an interoperability framework and encourages governments to make their eID schemes more cross-border friendly, can be positive for STRATEGIC. Its influence might help to lower the legal and technical hurdles and to increase the number of eID means that the Broker services can support.

The eIDAS Regulation enables the use of electronic identification means and trust services (i.e. electronic signatures, time stamping, registered electronic delivery, etc.) by citizens, businesses and public administrations to access online services or carry out electronic transactions.

Currently the eSENS European project [7], building on the STORK project, is trying to facilitate the deployment of cross-border digital public services through generic and re-usable technical components. There are 20 European countries involved, which means that most European public bodies are developing the new nodes for the future network. The evolution of the CBA service will be to upgrade to this new network in the near future.