Tuesday, 3 June 2008

Unity in multiple EU eIDs

On itprofessional.be [Dutch] I read an article about a European project to link the eID systems of all the member states of the EU. The result of this project will be that every citizen of a European country can use his/her eID for the eGovernment solutions of any specific European country. The project is called Secure Identity Across Borders Linked and it is created by a consortium of 13 member states and Iceland.

Europe doesn't want to force a unified system of eIDs, but instead wants an extra layer that links the existing national systems. The first thing that popped into my head was: Federation.

Federation can be the solution to this problem (and I think it is the best one), because it doesn't matter to the Service Provider how the Identity Provider performs the authentication.
For example, if I wanted to make use of an eGov application in the Netherlands, they could use Federation to find my Identity Provider. In my case this would be Belgium. The Netherlands redirects me to the login page of the Identity Provider Belgium. Here I can log in with my eID. When the login is successful I will be redirected back to the eGov application in the Netherlands with an assertion that I'm Stefan and I'm an authenticated Belgian :). Because of the trust relation between the member states of the EU (including Belgium and the Netherlands), the Netherlands will trust this assertion and treat me as an authenticated user.

If they choose federation, then only the eGov applications need to be aware of (some of) the federation protocols. Every member state can keep its own eID login mechanism for authentication and simply redirect every other user to the identity provider of his own country.
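The exchange described above, as an added example that is not part of the original post: a small Python simulation in which the Dutch service provider discovers the Belgian identity provider, the IdP issues a signed assertion after the eID login (stubbed as already successful), and the SP checks issuer trust, signature, audience and expiry before treating the user as authenticated. The trust registry, the HMAC secret standing in for the IdP's real signing certificate, and the names egov.nl and Stefan are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed trust registry: each member state's IdP and the key the SP
# uses to verify its assertions. An HMAC secret stands in for the IdP's
# signing certificate; the values are placeholders, not real keys.
TRUSTED_IDPS = {
    "BE": b"placeholder-secret-belgium",
    "NL": b"placeholder-secret-netherlands",
}

def discover_idp(home_country):
    """SP side: map the user's home country to a trusted IdP, or refuse."""
    if home_country not in TRUSTED_IDPS:
        raise ValueError(f"no trusted IdP for country {home_country}")
    return home_country

def idp_issue_assertion(issuer, subject, audience, now, ttl=300):
    """IdP side: after a successful eID login, sign an assertion for one SP."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(TRUSTED_IDPS[issuer], payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig

def sp_verify_assertion(token, expected_audience, now):
    """SP side: accept only a trusted issuer, valid signature, matching
    audience and unexpired assertion. Returns (subject, issuer) or None."""
    if "." not in token:
        return None
    payload, sig = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    key = TRUSTED_IDPS.get(claims.get("iss"))
    if key is None:
        return None  # issuer is not a trusted member-state IdP
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered assertion
    if claims.get("aud") != expected_audience:
        return None  # issued for another SP; do not accept it here
    if not claims["iat"] <= now < claims["exp"]:
        return None  # expired, or not yet valid
    return claims["sub"], claims["iss"]

def federated_login(home_country, subject, sp_id, now=None):
    """The whole exchange from the post: the SP finds the user's IdP, the
    user logs in there (eID login stubbed), the SP verifies the assertion."""
    now = int(time.time()) if now is None else now
    token = idp_issue_assertion(discover_idp(home_country), subject, sp_id, now)
    return sp_verify_assertion(token, sp_id, now)
```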


Sven said...

I like the idea of federation. I'm somehow wondering how a government official in one European country could allow you to use your own eID without being concerned about the proper reader for the card and without installing all the necessary middleware. If they can agree on that part, authorisation based on federation is indeed the way to go... Maybe we could help out by defining a standard for eID. And while we are at it... we could also make it safe.

Stefan said...

Sven, I think federation solves this problem. If I build an e-gov application I only need to be aware of one eID system, that of the country that I'm working for. For all the other eID systems we implement Federation. This results in the redirecting of the user to a login page from his country where he can login with his own eID. Of course this is only possible if there is some kind of trust relation between the countries and their systems, but that's what federation is about... trust!