Building safe authentication
Federated Authorisation Across European Public Administrations
When is this action of interest to you?
You have a role or function as an official within a European public administration. You need to access a secure European Commission web site while being recognised as having the particular role or function given by your administration. This action will extend the existing EC electronic identification through ECAS-STORK (European Commission Authentication Service integrated with Secure idenTity acrOss boRders linKed) by complementing your identity with authorisation information assigned by your home country, such as your position in a public administration on behalf of which you are entitled to act.
What is this action about?
The action aims to extend federated authentication (verifying that the user is who they claim to be) by using STORK for federated authorisation as well (verifying that the user is entitled to use the requested information or functionality). It allows users to log in to EC applications and to be granted access based on their role or position, for example when the application is intended for use by public administrations and the user is a public official.
Access rights are fully administered in the user's home country. The action removes the overhead of managing the same users twice: at national level for internal needs and again at ECAS level for EC information systems.
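The relying-party side of the two steps just described, as an added example that is not code from the page, from ECAS or from STORK. It models the assertion as a plain dict rather than the SAML 2.0 XML STORK exchanges, checks integrity with an HMAC shared with each trusted national node as a stand-in for XML signature verification, and uses an illustrative attribute name (publicAdministrationRole) and constructed node names, keys and subjects. The point it makes is the one the text implies but does not spell out: the application keeps no local role table, and a role is accepted only when the node of the user's own Member State asserts it inside an assertion that verifies and has not expired.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed trust store for the relying party (the EC application side):
# the MAC key and the country each national node is allowed to speak for.
TRUSTED_NODES = {
    "node.ms-a.example": {"key": b"constructed-key-a", "country": "MA"},
    "node.ms-b.example": {"key": b"constructed-key-b", "country": "MB"},
}

ROLE_ATTRIBUTE = "publicAdministrationRole"  # illustrative attribute name


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so signer and verifier MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(payload: dict, key: bytes) -> dict:
    """Builds test input only; in the real flow the sending Member State's node signs."""
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def authenticate(assertion: dict, now: datetime) -> dict:
    """Federated authentication: is this a genuine, current assertion from a
    trusted national node, and whom does it identify?"""
    payload = assertion["payload"]
    node = TRUSTED_NODES.get(payload.get("issuer"))
    if node is None:
        raise PermissionError("issuer not in trust store")
    expected = hmac.new(node["key"], _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("mac", "")):
        raise PermissionError("assertion integrity check failed")
    if now >= datetime.fromisoformat(payload["not_on_or_after"]):
        raise PermissionError("assertion expired")
    return {
        "subject": payload["subject"],
        "subject_country": payload["subject_country"],
        "issuer": payload["issuer"],
        "attributes": payload.get("attributes", {}),
    }


def authorize(identity: dict, required_role: str) -> None:
    """Federated authorisation: the role must be asserted by the node of the
    subject's own country; no local role table is consulted."""
    issuer_country = TRUSTED_NODES[identity["issuer"]]["country"]
    if issuer_country != identity["subject_country"]:
        raise PermissionError("role attributes accepted only from the home Member State")
    roles = identity["attributes"].get(ROLE_ATTRIBUTE, [])
    if required_role not in roles:
        raise PermissionError(f"missing required role {required_role!r}")


def decide_access(assertion: dict, required_role: str, now: datetime) -> tuple:
    """Returns (granted, reason). Authentication and authorisation failures are
    reported separately so audit logs can tell them apart."""
    try:
        identity = authenticate(assertion, now)
    except PermissionError as e:
        return False, f"authentication: {e}"
    try:
        authorize(identity, required_role)
    except PermissionError as e:
        return False, f"authorisation: {e}"
    return True, f"{identity['subject']} acts as {required_role}"


# Constructed sample assertions, shaped as a national node would issue them.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
VALID_UNTIL = (NOW + timedelta(minutes=5)).isoformat()

OFFICIAL = sign_assertion({
    "issuer": "node.ms-a.example",
    "subject": "MA/official-001",
    "subject_country": "MA",
    "not_on_or_after": VALID_UNTIL,
    "attributes": {ROLE_ATTRIBUTE: ["PublicOfficial"]},
}, TRUSTED_NODES["node.ms-a.example"]["key"])

# Same person, but the role is asserted by another country's node.
FOREIGN_ROLE = sign_assertion({
    "issuer": "node.ms-b.example",
    "subject": "MA/official-001",
    "subject_country": "MA",
    "not_on_or_after": VALID_UNTIL,
    "attributes": {ROLE_ATTRIBUTE: ["PublicOfficial"]},
}, TRUSTED_NODES["node.ms-b.example"]["key"])

# Tampered: an extra role added after the node signed.
TAMPERED = {"payload": dict(OFFICIAL["payload"]), "mac": OFFICIAL["mac"]}
TAMPERED["payload"]["attributes"] = {ROLE_ATTRIBUTE: ["PublicOfficial", "Admin"]}

if __name__ == "__main__":
    for name, a in [("official", OFFICIAL), ("foreign role", FOREIGN_ROLE), ("tampered", TAMPERED)]:
        print(name, decide_access(a, "PublicOfficial", NOW))
```

The foreign-role case is the check that makes decentralised administration safe: if any trusted node could assert roles for anyone, a compromised or misconfigured node in one country could grant positions in another country's administration.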
The scope of this Action includes reviewing existing approaches in the Member States, choosing a suitable model, defining common, generic specifications and implementing the chosen model. These project steps cover the needs of a federated authorisation solution. In particular, the Action addresses the risks and concerns raised by heterogeneous solutions across Europe and the architectural approaches that can meet the requirements for trust and security.
What are the objectives?
- Complementing electronic identities with authorisation information.
- Decentralising the management of authorisation information and removing redundancies.
What are the benefits?
- Delegation of authorisation tasks to Member States.
- Use of national models for authorisation tasks together with the ECAS solution.
- Local self-administration of access rights.
What are the next steps?
A pilot has demonstrated that federated authorisation is technically feasible with the countries running a middleware-based model, in which the sending Member State does not operate a proxy for authenticating its citizens to relying parties of other Member States. The pilot was carried out with CIRCABC. In this model the sending Member State provides a middleware to the other Member States, which is operated by the operator(s) of the eID-Connector(s) of the receiving Member State.
The next step will be to present the results to the Member States, and if agreed, to extend the pilot to the countries running the proxy-based model. In this model, the sending Member State operates an eID-Proxy-Service, relaying authentication requests and authentication assertions between an eID-Connector operated by the receiving Member State and the eID scheme of the sending Member State. At the end of the pilot the new feature(s) will be submitted as a modification to the eID Building Block of the Connecting Europe Facility (CEF).