Trust and Internet Identity Meeting Europe
5-6 Feb 2018: Workshops and Tutorials
7-8 Feb 2018: Unconference

TIIME 2018: Current state of Danish federations

(Kjeld Froberg)

Kjeld: We also have national healthcare services. We connect to a govn hub you have to be a public provider. They cannot connect to the hub, they have to connect somewhere else. We first connect to health care hub and then to the government hub. What we have is healthcare is a specific domain, we have personal data so we have all these search to have a level of assurance, at least for three four acronyms in some places. Government AD - 2,5 level of assurance. It claims to be 3. All the private keys are stored on the centralized server, OTP cards and they are generated by the same source. For this OTP and private key it’s not a factor. You get all of the OTPs in this form and you get another one. You will know if people have used your key in the past. We get prompted by the govn ID, it might be a chosen one or a default to your Social security number. The banking system is the same. The banks use 1st factor for login and 2 factor for transactions.

We can’t get a hardware token anymore because the technology is compromised.

Mads: you can get an electronic version of this.

K: Every Dane has this for the H.C. (healthcare) sector. They get something like this like a signature and then a key file which is stored inside of the ADs of the hospitals. The private SP if you have a doctor they can use their personal ID or they can have the same as hospital. They might have 6 of these OTP cards. Doctors can change the rules.

What we are looking into here is that all of these public SPs we want to have a IDP that are handled by the hospital and their level of assurance is called NSIS and if they reach NSIS 3 or above we can connect them to HC hub. We are building a HC federation.

Martin: you want to a higher level you go to IDP of a hospital.

K: Doctors login on their AD, they get a level of assurance 2 and the public SP has medical records for all Danes and it requires LoA 4 so what we are doing here, we don’t have LoA 4 we have 2,5 so what we have done is that we changed the law so it’s only enough for 3 so this national ID with legal identity or private identity then you can get access to this. We have highly sensible medical records that you can access with this card and password from your head. We have a new govn ID, 4 vendors have been approved but it’s not that much better. They are aiming at supporting different levels of assurance. We have some data that is exposed is quite sensitive. You could modify the data. We hope that the level will get higher.

Mads: New meta ID is actually to lower the LoA so it’s possible to login just with login and password. It would be easier for the citizen to log in. This is one way and the other way is to have it easier in the future, on the phone and you would get in.

The government ID is quite popular in Denmark. They have to establish the wrong one. M: We have a lot of companies that are using the govn ID.

Peter: If you are executing an action that is needed by law like HC insurance is allowed in Netherlands. M: I am not sure if that’s allowed in Denmark. We have the net login which is the IDP and a saml based login and then the authentication which is run by a private company. The banks have paid for them and then if you are a normal private company you have to pay 3 Danish krones per year for your identity. It’s not an SP, you are just using this weird authentication protocols and you are bound to the vendor. They have a centre for the new NEM login where they will have the commercial SPs but it’s not free for them to use. It’s going to be cost-price. 3 for the banks and 3 for others?

Christian: Because of the way how the previous vendor was structured, we have a lot of private companies that are not private because they are doing work for the public, they are hired by agreements with public HC. M: Can you put some SAML text on these lines? K: OIOSAML for gov hub, there is open source for java for it. On HC is also saml 2 and we have SUBprofile for the HC hub. Because we have a lot of extra attributes where you need to look into some other attributes, which have to be in place before we can do anything.

M: Is it all frontend based? K: It’s SOAP (?) mainly. We also have security services in between and because we have a lot of doctors acting on behalf of the citizens we need to have those identities sorted. There was a Liberty profile a couple of years ago for identity based services. WE have that in Denmark also. Also, the municipality hub is also SAML 2 but they don’t have a federation to gov hub but just a plugin. There is no connection between those two.

M: This is where all the citizens and local authorities when you need to connect to it, to get your kid to kindergarten, connected to municipality hub. They also have a hub for employees. Martin: What do you mean there is no real connection between the municipality and gov hub? You can login with the gov ID in the municipality. There is no SSO. There is no federation in between the government and SPs.

Mads: This is what we have. Wayf, IDPs and one of them is connected to this one. Then we have about 500 SPs, 300 are alone and 200 are from edugain.

Martin: if you draw it like this isn’t it just like another IDP Mads: but this is the difference between, this is SAML and we have small OD attributes.

Peter: how do data subjects know what IdP to choose? Mads: It depends on the context, they don’t use the gov link usually because some of the SPs are based on booting the identities at the university so either they can scope or we have the metadata. Peter: we are not allowed to process that social security number, SPs can also not use that and that’s the reason why we can’t use the government IDP.

K: We can use the IDP because we can come with the claim, we have the login id and then if they match then fine but we can’t get the Social security number if you are private.

M: You can get a penalty if you work on it. A lot of SPs that get it they are working for the public. Some of the universities have that umber as well. All of their library systems.

C: It’s just another hub for them. Nobody knows if they are going to wayf. It’s easier than going directly to them.

Peter: Do you also have a connection to eIDAS? M: the are working on it in the govn hub. They are working on it. It might even be an IDP by itself. This is the own IDP in its own federation so none of all these 500 systems none of them have a wayf so they will have to change. It would make sense to put it behind the govn hub. In my view they should make up new social security numbers, to know it’s not that permanent. I guess they said no you have to be aware and a foreign citizen. P: I think in the NE they will also generate a new social security number for people from the outside. M: If 300 people would login, we dont have enough space. The first two digits are for the year and it covers someone born in 1800. Another thing that we want to do is that there is a lot of metadata around her when we started a hub because it’s just between you and IDP and we started thinking of ourselves of doing two things. To collect metadata publish it and helping the hub and in the future two hubs. We have some ideas that we should make one big metadata for all of them so that we can say that this public SP is accessible for some IDPs and from university if they have doctors that work at the university hospital.

Peter: How would you express that in the metadata? M: We do some local variant of libraries, it could be compiled into that but we have our own. You could be a member of a subfederation and then when we show the discovery and exchange messages we could be sure and if there is no overlap. If I go the discovery service from WAYF I will see select some of them previously, NEM ID is the public one and the local development IDP. If we are coming from an edugain SP then we look up all of ips and we get the whole list of edugain IPs. We have a very few IDPs and this is a special subfederation which is one SP and one app in demark which is called application portal which is for a client for master studies in Denmark. A simple app that looks bad and for every system they had an IDP. We have a similar environment. Still in the same ethernet and using the same IDP as everyone else.

You can see the federation they belong to if you look at the SP. They will be able to use all of the wayf IDPs and edugain IDPs.

We do it on behalf of all the IDPs, they can’t individually say yes or no unlike in Netherlands.

P: The users from all IDPs have access to that server. M: We have approved. I can show you the xml. We cannot have a response request from an IP that it wants to use an SP. We can either subtract someone from what they said or add some and every time we update the metadata we can put what they added and what we approved ourselves. Then you just publish it. Now it’s being pushed to our system. There is a link to the actual system, where a connection exists.

Possibly useful links: