1. Introduction

The Once-Only Technical System relies on the use of eIDAS and the existing infrastructure of eIDAS nodes to authenticate the user and to obtain assured identity attributes. A Data Service can use these identity attributes to match evidence requests to any relevant evidences. The identity attributes are received from the Online Procedure Portal or as a result of re-authentication. However, the use of eIDAS does not preclude the use of other mechanisms to provide complementary or additional security measures. This section describes two such mechanisms:

  • An authentication verification service that a Data Service can use to verify that the user identity attributes in the evidence request link to a recent eIDAS authentication transaction.
  • Authorization of requests for evidence relating to represented persons.

These features should be viewed as opt-in elements of the Once Only toolbox that competent authorities in a Member State may use in their implementation of the Once Only technical system. A Member State that does not want, or is not able, to use the service does not need to take any action.

In the current version of the technical design documents, the authentication verification and authorization of requests for evidence relating to represented persons features rely on national services that only involve communication between components within a single Member State. There is no cross-border interoperability dimension and therefore no technical design information that needs to be shared between Member States.

2. Authentication verification

Once-Only evidence requests are requests from evidence requesters to evidence providers for evidence relating to identified users acting either directly or through a representative. The syntax and semantics of evidence requests are defined in Chapter 4, which specifies how person identity attribute information is expressed. Attributes whose values are obtained following an eIDAS authentication and delivered as part of an eIDAS assertion are marked with the level of assurance of the eIDAS identification means.

It is the responsibility of the Online Procedure Portal (or of a Once-Only Staging Area, if used) to make sure the assured identity data that is included in the request matches the information provided using the eID means issued by an eID scheme notified under eIDAS. Based on the identity data received, the Data Service decides if the user, once re-directed, needs to re-authenticate.

Data Services could combine identity matching on the attributes received with an authentication verification service. This would allow them to verify that an eIDAS authentication took place for a user whose identity attribute values and indicated level of assurance match the data in the evidence request, that this authentication took place sufficiently recently to be plausibly related to a single user session, and that the authentication was made by the user for the execution of an electronic procedure in the scope of the SDG.

The following diagram shows a situation in which this service is provided by the eIDAS Node Member State specific module of a Member State in which a Data Service is requested to provide evidence on a user. For ease of understanding, this diagram is simplified and does not include the use of 4.9 - Evidence Preview - Q4 2022.

In step 11, it is shown that the service node would need to log data about the authentication, including the time at which it took place. In step 20, it is shown that the service node accepts requests from a Data Service to verify that a related authentication took place. The service determines, in step 21, whether the claimed identity data matches the data that was provided in prior authentications, how much time has elapsed since the last such authentication, and the context in which the authentication was made. Based on this, the service provides, in step 22, either confirmation or denial that the request matches a recent authentication. If the authentication is verified, the Data Service may proceed to making the evidence available. If not, it should reject the request.
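As an added illustration of the checks in steps 11 and 20 to 22 (example code, not part of the OOTS design documents or any Member State implementation), the following sketch logs authentication records and answers a verification request by matching identity attributes, comparing the level of assurance, bounding the elapsed time and checking the SDG context. The record layout, the 30-minute window and the "SDG" context marker are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# eIDAS levels of assurance, ordered from lowest to highest.
LOA_RANK = {"low": 0, "substantial": 1, "high": 2}

@dataclass(frozen=True)
class AuthRecord:
    """What the service node logs in step 11 for each eIDAS authentication (assumed layout)."""
    person_identifier: str
    family_name: str
    given_name: str
    date_of_birth: str
    loa: str
    authenticated_at: datetime
    context: str          # assumed field: "SDG" marks a login made for an SDG procedure

@dataclass(frozen=True)
class VerificationRequest:
    """Identity data taken from the evidence request and sent to the service in step 20."""
    person_identifier: str
    family_name: str
    given_name: str
    date_of_birth: str
    loa: str

def verify_authentication(auth_log, req, now, max_age=timedelta(minutes=30)):
    """Step 21: True only if a logged authentication matches the claimed identity,
    carries at least the claimed LoA, is recent enough, and was made for an SDG procedure."""
    claimed = (req.person_identifier, req.family_name, req.given_name, req.date_of_birth)
    for rec in auth_log:
        logged = (rec.person_identifier, rec.family_name, rec.given_name, rec.date_of_birth)
        if logged != claimed:
            continue  # identity attributes differ
        if LOA_RANK.get(rec.loa, -1) < LOA_RANK.get(req.loa, 99):
            continue  # authenticated below the LoA the request asserts (unknown LoA is denied)
        age = now - rec.authenticated_at
        if age < timedelta(0) or age > max_age:
            continue  # too old (or timestamped in the future) to belong to the same session
        if rec.context != "SDG":
            continue  # authentication was not made for an SDG procedure
        return True
    return False

# Constructed sample log entries (step 11); identifiers and names are made up.
NOW = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    AuthRecord("ES/DE/12345678A", "Garcia", "Ana", "1985-02-14", "substantial",
               NOW - timedelta(minutes=5), "SDG"),
    AuthRecord("ES/DE/87654321B", "Ruiz", "Luis", "1970-11-30", "high",
               NOW - timedelta(hours=3), "SDG"),
]
```

A request for Ana Garcia at LoA "substantial" (or "low") is confirmed; the same request at LoA "high", or a request for Luis Ruiz whose login is three hours old, is denied.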


If limited to use by Data Services in the same Member State in which the user authenticated, the authentication verification service is a national service. As per subsidiarity, it is up to a Member State and its competent authorities to deploy and use such a service. If such a service is available, Data Services should use it, as it provides an important additional security layer to the use of the Once-Only Technical System.

3. Authorization of requests for evidence relating to represented persons

For evidence relating to legal persons for use in business-oriented procedures, evidence requests may include identity attributes of both the represented legal entity and the representative. These attributes are described in section 2.1 and may be assured using eIDAS as explained in that section and in section 2.8 of the eIDAS SAML Attribute Profile, v1.2.

A Data Service may be integrated into a service (for example, a Mandate Management Service) that can validate whether the representative is authorized to obtain evidence for the represented person. If access is not authorized, the Data Service must return an error message containing a RegRep AuthorizationException. 

This additional service is internal to the Member State and therefore any further details are out-of-scope for these technical design documents. 
