Tuesday, April 14, 2015

Italia Login as Citizen Life Management Platform

Italia Login promises to be the most innovative government platform for citizens, also called “the home for citizens”. This project is part of a set of accelerator initiatives to support Italy’s digital growth for the next 5 years.
Italia Login will provide an integrated API platform and supporting technologies which allow better joint participation of the public and private sectors for developing added value services for citizens and enterprises.
The following diagram shows a high-level model of the planned Italia Login interactions (extracted from these governo.it slides).

Citizens will log in to Italia Login using their digital identity (managed by an Identity Provider that is compliant with SPID — the Public System for digital identity), and then they can have access to any apps, provided by the public and private sector, based on their profile.

From a design standpoint, Italia Login shows many similarities with the Life Management Platform concept introduced in Kuppinger-Cole's advisory note (see details here). A Life Management Platform has the goal of allowing individuals to consolidate all relevant online data from their lives, and provides tools to manage the essential information of every person’s life and make it usable for other parties.

Consider the following use case:
A citizen needs to enroll his child, through an online service, in an elementary school that offers subsidized school meals to parents who are eligible for the subsidy.
The enrollment process requires the citizen's personal details and documents about the family's economic situation, which must be issued by another agency (in this case, the National Social Insurance Agency).
The document attesting to the parents’ economic situation is necessary to demonstrate eligibility for the subsidy.
The main requirements for this use case are the ability to centralize access to the distributed resources (personal financial details) and to enable a data sharing mechanism between the producer of the details (the agency) and the service consumer (the school enrollment application).
Italia Login can provide an essential platform for personal data sharing among distributed online services with the goal of supporting an advanced online service for citizens.

Challenges to mitigate risks
Unlocking the value of personal data in a decentralized and distributed system network requires new approaches for protection and security, accountability, and rights and responsibilities for managing user data, which can be summarized as follows:
  • Provide a new approach to protect and secure decentralized and distributed resources. 
  • Provide the ability to know who has data about you, and where the data is located. 
  • Provide a new approach that helps individuals understand how and when data is collected. 
  • Empower individuals more effectively and efficiently. 

Applying the User-Managed Access (UMA) model to the Italia Login Platform
User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policies.

UMA provides these functions to empower the individual to make choices regarding control and access of their data.

The following scenario shows how UMA can be applied to address the challenges and enable a citizen life management platform:
  1. The Citizen logs in (using SPID credentials) at the resource server, which exposes the resource/API giving access to the “Financial Status”. 
  2. The Citizen decides to share the resource with the Italia Login Platform (using a dedicated button at the resource server), enabling delegated authorization for the resource. 
  3. The “Financial Status” resource is now under the Citizen's control at the Italia Login platform as a “protected resource”, and any attempt by an autonomous third-party app to access the resource must be authorized by the user, without the need to share any credentials. 
  4. Italia Login, providing an application and API ecosystem, allows a third party (e.g. the Elementary School App) to access a remote resource (e.g. “Financial Status”) through the protected API. 
  5. At this point, the enrollment process can be initiated by the Citizen by launching the Elementary School App, which starts by requesting the consent that allows the app to access the remote resource (Financial Status). 
  6. The Elementary School App acts as a Client for the remote resource, and is able to access the information necessary to apply for the subsidized conditions, based on the Citizen’s Financial Status. 
  7. In order to create a trust relationship between the Client and the Resource Server, the Client must be authorized by proving specific “trusted claims”, leveraging the SPID infrastructure (using OpenID Connect claims or SAML-based attributes), which are evaluated by the Italia Login platform acting as Authorization Server. 
As the above diagram shows, UMA can play a fundamental role in protecting distributed resources with a centralized approach, leveraging the identity ecosystem (SPID), where the user is able to control personal information within an API ecosystem that enables new opportunities based on the sharing economy paradigm.
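The seven steps above, as an added in-memory model that is not the Italia Login platform's code nor any real UMA implementation: the AuthorizationServer, ResourceServer and enrollment_flow names are constructed, and the policy claims (spid_level, purpose) are made-up stand-ins for SPID attributes. The permission ticket, requesting party token (RPT) and introspection steps follow the UMA 1.0 pattern described in the scenario.

```python
import secrets

class AuthorizationServer:
    """Italia Login in the UMA authorization-server role (constructed model)."""
    def __init__(self):
        self.resources = {}  # resource id -> owner, scopes, owner's claim policy
        self.tickets = {}    # permission ticket -> (resource id, scopes)
        self.rpts = {}       # requesting party token (RPT) -> (resource id, scopes)
    def register_resource(self, owner, name, scopes, policy):
        # Steps 2-3: resource placed under the owner's control; the policy lists
        # the trusted claims a client must prove before access is granted.
        rid = secrets.token_hex(4)
        self.resources[rid] = {"owner": owner, "name": name, "scopes": set(scopes), "policy": policy}
        return rid
    def request_permission(self, rid, scopes):
        # Step 5: the resource server obtains a ticket for a client that has no RPT.
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (rid, set(scopes))
        return ticket
    def issue_rpt(self, ticket, claims):
        # Step 7: the client redeems the single-use ticket by pushing SPID-derived
        # claims; an RPT is issued only if every claim in the owner's policy matches.
        rid, scopes = self.tickets.pop(ticket, (None, set()))
        res = self.resources.get(rid)
        if res is None or not scopes <= res["scopes"] or any(
                claims.get(k) != v for k, v in res["policy"].items()):
            return None
        rpt = secrets.token_hex(8)
        self.rpts[rpt] = (rid, scopes)
        return rpt
    def introspect(self, rpt):  # called by the resource server before serving data
        return self.rpts.get(rpt)

class ResourceServer:
    """The agency holding the 'Financial Status' resource (constructed model)."""
    def __init__(self, authz):
        self.authz = authz
    def get(self, rid, scope, rpt=None):
        # Step 6: serve only if the AS confirms the RPT covers this resource and
        # scope; otherwise answer 403 together with a fresh permission ticket.
        grant = self.authz.introspect(rpt) if rpt else None
        if grant and grant[0] == rid and scope in grant[1]:
            return {"status": 200, "body": "financial-status-document"}
        return {"status": 403, "ticket": self.authz.request_permission(rid, [scope])}

def enrollment_flow(client_claims):
    # Whole exchange for one Elementary School App; returns the final RS response.
    authz = AuthorizationServer()
    rs = ResourceServer(authz)
    rid = authz.register_resource("citizen", "Financial Status", ["read"],
                                  {"spid_level": "2", "purpose": "school-enrollment"})
    first = rs.get(rid, "read")  # no RPT yet: 403 plus a permission ticket
    rpt = authz.issue_rpt(first["ticket"], client_claims)
    return rs.get(rid, "read", rpt) if rpt else first
```

A client whose pushed claims do not satisfy the owner's policy never receives an RPT and stays at the 403 step, which is the point of the delegated-authorization model: no credentials of the Citizen are ever shared with the app.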

About UMA
User-Managed Access Work Group at Kantara Initiative wiki page.
User-Managed Access (UMA) Version 1.0 has been approved by unanimous Member support as a Kantara Initiative Recommendation, the highest level of technical standardization Kantara Initiative can award.
User-Managed Access was awarded the 2014 Best Innovation in Information Security Award at the European Identity & Cloud Conference (EIC 2014, Munich).