Implementation and Management Approach
The electronic authentication and recognised digital signature provided by the Citizen Card are made possible by two IT platforms: the Public Administration Interoperability Platform (iAP) and the Authentication Provider (FA, referred to as AP below).
Interoperability Platform (iAP):
The Public Administration Interoperability Platform provides, among other functionalities, robust mechanisms for authentication and identity management, facilitating secure access to public bodies, and transactional control mechanisms that guarantee the quality of data during the use of electronic services, going beyond the central Gateway for electronic payment.
During the conception of the platform model, open standards imposed themselves as the strategic option, to ensure a greater level of interoperability. The adoption of a service-oriented architecture for the implementation of large and complex systems, as is the case for the integration solutions of the Public Administration, ensures the levels of adaptability and resilience to foreseeable change, leaving an open door for future evolutions and improvements that may arise.
This architectural style allows for a sustained framework, supported by a set of rules and practices that define the availability of relevant functions, perceived as services and correctly sized for their users. The services are made available through a single, standards-based interface format, while hiding the implementation mechanics.
The Interoperability Platform is supported by a set of components devised to accomplish its objectives. Its architecture can be decomposed into several functional areas:
1. Core Components – aggregate the central components for the use of the platform as a support tool for integration and data services. Adapter components for the several entities’ systems, internal message-processing pipelines, the orchestration manager and Identity Federation are also included in this area.
2. Transversal Components – spanning all the Interoperability Platform areas and responsible for the functionalities of security and data privacy, logging and handling of exceptions, as well as global monitoring.
3. iAP – Web Interface – the visible layer of interoperability and service sharing in the Public Administration. It provides an integrated view of the information and functionalities available to public entities. The following components belong to this domain:
o Service Directory – responsible for listing and managing the electronic services available through the Platform;
o Management Interface – allows the Public Administration functions of management and monitoring of the platform, specific to the entities the users represent. It makes it possible to access service management, as well as the monitoring and operational management of the services in use.
o iAP Website – visible interface from outside the platform, with information referring to services and functionalities, materialised on the website www.iap.gov.pt.
4. External Systems – they work independently but are tightly coupled with the domain of the Interoperability Platform. They are subsystems with specific functionalities that are nonetheless fundamental to the functioning of the complete architecture, acting as value-added supporting features. The following components belong to this domain:
o @gov.pt Authentication – set of components that provide electronic authentication mechanisms to the Public Administration (and private entities upon request), ensuring the following functionalities:
1. Authentication Provider – will be described in the following section.
2. Authentication for EU Citizens – providing access to services of the Portuguese Public Administration for citizens of other Member States, and access for Portuguese citizens to electronic services of other EU Member States.
3. Attributes Provider – allows obtaining attributes, with express citizen authorisation, for the execution of electronic services over the internet.
4. Single Sign-On – persistent citizen authentication while navigating between different Public Administration electronic services.
o Payment Platform and SMS Gateway – external systems, already existing and in production use, that are to be made available in an integrated way and leveraged by the Interoperability Platform, especially through composite services or entirely orchestrated processes.
Authentication Provider (AP):
The Authentication Provider follows from the need to uniquely identify a Citizen Card bearer (and user of services) to the websites of each Organism, achieving the respective sectoral identification. This solution aims to become the single authentication point for citizens towards the public administration and even private organisations. The Authentication Provider is therefore expected to facilitate and accelerate the adoption and use of the Citizen Card for authenticating citizens towards public services.
The interactions are depicted in the following diagram:
1. The citizen tries to access the private area of an Organisation’s portal and, to do so, is required to present his secure identity credentials.
2. The Organisation’s portal delegates the authentication process and redirects the citizen to the Authentication Provider (AP), together with a digitally signed authentication request.
3. The AP validates the request, asks for the citizen’s credentials and demands the PIN. During this process, the AP carries out the following internal operations:
o Validate the citizen’s credentials using the Citizen Card public-key infrastructure (PKI), via the Online Certificate Status Protocol (OCSP).
o Obtain the attributes requested from the different qualified attribute providers, through the Interoperability Platform. This process can include gathering data from the Identity Federation or other Organizations.
4. The identity and attributes of the citizen are validated and digitally signed by the AP, which then redirects the citizen back to the portal of the original Organisation. The Organisation then validates the data and uses it accordingly.
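The four-step exchange above reduced to its signed messages, as an added Go example that is not code from the AP or the iAP: the portal's signed request (step 2), the AP's checks and signed response (steps 3 and 4), and the portal's validation of that response. The message formats, key types and names are assumptions, and two constructed maps stand in for the OCSP status lookup and for the attribute providers.

```go
package main
import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"
	"crypto/sha256"; "encoding/json"; "errors"
)

// AuthRequest is signed by the portal (step 2); AuthResponse is signed by the AP (step 4).
type AuthRequest struct{ Portal, RequestID string; Attributes []string }
type AuthResponse struct{ RequestID, CitizenID string; Attributes map[string]string }
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func sign(k *ecdsa.PrivateKey, msg []byte) []byte { h := sha256.Sum256(msg); s, _ := ecdsa.SignASN1(rand.Reader, k, h[:]); return s }
// openSigned verifies sig over msg with pub and only then decodes msg; used on both legs.
func openSigned(pub *ecdsa.PublicKey, msg, sig []byte, out interface{}) error {
	if h := sha256.Sum256(msg); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature invalid")
	}
	return json.Unmarshal(msg, out)
}
// Step 3 (AP): accept only a request signed by a known portal, check the card certificate status
// (cardStatus stands in for the OCSP lookup, attrs for the attribute providers), release only what was asked, sign.
func apHandle(reqJSON, reqSig []byte, portalPub *ecdsa.PublicKey, citizenID string,
	cardStatus, attrs map[string]string, apKey *ecdsa.PrivateKey) ([]byte, []byte, error) {
	var req AuthRequest
	if err := openSigned(portalPub, reqJSON, reqSig, &req); err != nil {
		return nil, nil, err
	}
	if cardStatus[citizenID] != "good" { // revoked or unknown card certificate: stop here
		return nil, nil, errors.New("citizen certificate not valid")
	}
	resp := AuthResponse{RequestID: req.RequestID, CitizenID: citizenID, Attributes: map[string]string{}}
	for _, a := range req.Attributes {
		if v, ok := attrs[a]; ok {
			resp.Attributes[a] = v
		}
	}
	respJSON, _ := json.Marshal(resp)
	return respJSON, sign(apKey, respJSON), nil
}
// Step 4 (portal): trust the response only if the AP signed it and it answers this portal's own request ID.
func portalAccept(respJSON, respSig []byte, apPub *ecdsa.PublicKey, expectedID string) (*AuthResponse, error) {
	var resp AuthResponse
	if err := openSigned(apPub, respJSON, respSig, &resp); err != nil {
		return nil, err
	}
	if resp.RequestID != expectedID {
		return nil, errors.New("response does not answer the outstanding request")
	}
	return &resp, nil
}
```

Binding the response to the portal's outstanding request ID is what stops a valid signed response from being replayed into a different session; a production deployment would also bind a validity window and the intended portal.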