Policy Context and Legal Framework

The EasyLog-in initiative was taken as an action to incorporate the visions of the Danish Digitalization Strategy 2007-2010, through creating better digital service to the citizens, increase efficiency and strengthen cross-public cooperation.

A seamless sector and effective management of the increase in numbers of public digital services, makes the establishment of a cross-governmental initiative advantageous. The initiative aims to establish a universal solution with multiple authorities and suppliers to achieve greater flexibility.

The EasyLog-in development is based in the Identity and Access Management (IAM) Organisation (Brugerstyringssekretariatet) under the Danish Agency for Governmental Management. The IAM Organisation is governed by a Steering Committee, consisting of representatives from national authorities at the state, regions and municipal level.

The IAM Organisation develops common solutions and policies for identity and access management in Denmark. The aim is to make the digital public Denmark safe and lighten the infrastructure investment for public authorities, while providing better service to citizens.

The first results of the IAM Organisation’s initiatives are the SSO solution EasyLog-in, where public authorities can be connected to and utilize the common log-in function. In the first phase EasyLog-in is citizen-oriented, but the vision is that the EasyLog-in in time will be used as SSO in the public officials’ workflows. Public officials’ will only need to log-in once in order to access all internal public data – according to their user-profile.

Implementation and Management Approach

Technical Infrastructure: The EasyLog-in solution is built on top of established technical components; Digital Signature and SAML 2.0.

• 
  
  Digital Signature: EasyLog-in uses the national PKI (Public Key Infrastructure) Digital Signature (OCES1), which provide secure identification at a Liberty Alliance level 3, through mapping user log-in with either their Social Security Number (CPR) or for business, with the Central Business Register number (CVR). The Digital Signature has been in operation since 2004, and is widely diffused as a secure identification key standard both in the public and private sector.
  
  


• 
  
  International Standard: The EasyLog-in solution is based on the international standard SAML 2.0, which is also made a public standard in Denmark. In the development process several open source SAML2.0 integration toolkits were developed: .NET, .JAVA and .PHP, and made freely available on the public open source repository: www.softwareborsen.dk. The.NET, .JAVA and .PHP components support the cross-public SSO in relation to citizens - and in time - public officials.
  
  

The federation and guidelines: When the public authorities adapt their services to the EasyLog-in, they agree to be a part of the EasyLog-in federation. The EasyLog-in federation is the collectives of public authorities, which are connected to EasyLog-in. The federation is based on a joint agreement and adherence to common levels of safety, technical policies and legal agreements, and a common set of guidelines and standards for transfer of user identities and entitlements across the infrastructure.

Strategic Partnership: In the realization of EasyLog-in a key partnership is the cooperation with the National IT and Telecom Agency. The technical knowledge and expertise provided by the National IT and Telecom Agency has been, and still is, crucial for the continuous development and success of EasyLog-in as a value adding solution.

The adoption of the EasyLog-in was made very feasible, due to the use of the already established national PKI, Digital Signature. The cooperation with the Centre for Digital Signature, under the National IT and Telecom Agency, has thereby been a major contributing factor to EasyLog-ins success.

An important partnership is with the Danish Tax Office (SKAT) and the Student Scholarship Foundation (SU). These two authorities had a prior infrastructure agreement and had both a large amount of regular users, why these two authorities where great candidates for pilots projects for EasyLog-in. The Danish Tax Authorities are the public authority with the highest number of active digital users, which made it crucial to have them as a part of the federation in order to make it attractive for other authorities to participate.

Further, Danish Tax Office (SKAT) is a part in the EasyLog-in tripartite cooperation. Here the Danish Agency for Governmental Management is the system owner, the Danish Tax Office is the operator and a private IT-company is the technical supplier.

In the implementation of EasyLog-in a strategic partnership was made with the civil nationwide portal borger.dk. As borger.dk provides the citizens with one point of access to data across local, regional and national authorities, the opportunity to use SSO was important for the success of borger.dk. The partnership made identification of key stakeholders possible and opened up for the first promotion of solution to both private and public stakeholders.

Technology solution

The central identity provider uses PingFederate and is operated by the Danish Tax Office (SKAT), and was deployed into production in mid-2008. As of start-June 2009, there are 22 distinct services connected - some using PingFederate, others using other open source SAML-compliant solutions provided by the Danish government.

The Danish IdM system, EasyLog-in, is based on the standard SAML 2.0. The Danish SAML 2.0 profile is called OIOSAML 2.0. The EasyLog-in system issues a ticket - a SAML token - as proof of user identity. This ticket is then "presented" to the service the user wants access to. Based on the issued ticket the service provider (public authority) gives access to the services. As the services and portals in the SAML-federation must support the SAML 2.0 standard, the users get SSO access to the services across the federation.

In order for the public authorities to connect to EasyLog-in, they need to adapt their service to the SAML2.0 standard – either through commercial software or open source software. In order to encourage EasyLog-in adoption among various services, the IAM Organisation developed SAML2.0 integration toolkits on several platforms including, NET, .JAVA and .PHP and made them available on the public open source repository Softwarebørsen: www.softwareborsen.dk . The software component contains implementation reference and a toolbox based on the open SAML 2.0 standard, which is used to establish integration of service to a service provider (public authority) to EasyLog-in.

The choice of technology made rapid deployment of service into production possible (3 month pilot - 6 months total development time). Further, the standards-compliant solutions means new services can be rapidly added to the federation. And lastly, the choice of technology creates leverages in relation to the existing public investment in the Digital Signature.

Impact

As more public authorities adapt and implement EasyLog-in as their main log-in solution, the number of logins decreases for the citizen. Hence, EasyLog-in’s value increases proportionally with the number of services that adapt the log-in solution.

The long term vision is to integrate EasyLog-in as a nationwide SSO solution internally in the public sector. This will have a great impact on efficiency, since it will decrease the numbers of times a public official has to log-in to different systems – as there will only be one log-in – one access.

But the current benefits and impacts can be outlined as followed:

Citizens: From the citizens' point of view the use of EasyLog-in allows an easier and simpler access to public services. Moreover, the architecture behind EasyLog-in creates an ability to integrate solutions across user flows, which is the case with the borger.dk portal. Thereby, the main benefit for the user is the seamless public digital services.

A great benefit and value for both citizens and the public authorities, is that using Digital Signature creates a greater assurance that access is given to the right person. Through the adaption EasyLog-in the diffusion of the Digital Signature is strengthened and supported, as EasyLog-in only support the Digital Signature as key.

Public authorities: From a public authority approach the advantage is that a common public infrastructure for log-in, makes it easy and simple to add new services and it can be done cheaply. The authorities do not have to develop, maintain and operate the individual log-in solution. While in the short term there may be costs to switch to EasyLog-in, there will be long-term savings, since new services will be aligned with EasyLog-in, and that services will be designed to exploit the benefits of having common components.

A research done by the Danish Agency for Governmental Management and the National IT and Telecom Agency in the spring of 2009 showed that EasyLog-in as a common public log-in component, has created greater transparency in the market, which makes it more difficult for individual providers to charge high prices for their log-in functionalities. This is especially important in a market where several large IT-suppliers nearly have monopoly on the different type of services the municipalities or the state provides to the citizens.

Suppliers: As EasyLog-in is a centralized solution, using the solution means that the IT-supplier on a given digital service has no operation and maintenance of log-in feature of the service solution. Hence the operation is moved away from the IT-supplier to the common public solution EasyLog-in.

EasyLog-in creates uniformity in the customer segment, as the same guidelines and standards are applicable to all public institutions. This implies that the solutions delivered to the public will be using the same technical and legal standards, and the needs are thereby easier to cater to.

From a long term perspective, EasyLog-in will makes it easier to build on already acquired experience. Further, several suppliers reported in the research done in the spring 2009 that the adaption process was optimized from the first adaption of EasyLog-in to the second, as a lot of time was saved due to prior acquired experiences.

Track record of sharing

Through the last couple of years the people involved in the development of the EasyLog-in solution have participated in a number of national and international forums. This has opened up for continuously expert evaluations of the solution, as well as sharing of learning points. This is the some of the forums:

February 2007: RSA Security Conference 2007, San Francisco, CA.

Participation Panel on "SAML 2.0 standard-of-choice in the Public Sector", with representatives from British authorities and the governments of the USA, Finland and Denmark. EasyLog-in was discussed.



March 2007: Liberty Workshop to Directorate of Public Roads Office, Oslo, Norway.

Presentation of the Danish initiatives within coherent user management including EasyLog-in.



October 2007: Burton Group Catalyst Conference, Barcelona, Spain.

Speaker on "A Review of the Danish Public Sector Federation” and participation in the panel on user management protocols.

April 2008: RSA Security Conference 2008, San Francisco, CA.

Participation in the panel on "Driving Trusted Federation" where NemLog-in was also discussed.



Summer 2008: Documentation of the EasyLog-in solution in the Liberty Alliance International case study - available at this link: http://www.projectliberty.org/liberty/content/download/4301/28788/file/denmark_libertycasestudy6.08.pdf

November 2008: IAM Liberty Day, Tokyo, Japan. Speaker on "eGovernment federation in Denmark".

November 2008: European Open Source Repository Workshop, Brussels, Belgium.

Speaker on the free OIOSAML toolboxes that can be used to connect to EasyLog-in.

March 2009: IT Architecture Conference 2009, Århus, Denmark. Speaker on “User management - easy and simple”.

June 2009: eema / OASIS - The European e-Identity Management Conference, London, UK.

Speaker on "Lowering standards implementation costs through global collaboration - The eGov SAML 2.0 profile".

January 2010: 600Minuted Public IT Conference, Copenhagen, Denmark. Participation as Chairman.

Lessons learnt

When EasyLog-in was launched it was optional for the public authorities whether they wanted to adapt their digital services to the EasyLog-in solution or not. Therefore it was important to create a solution that was attractive both when it came to the technical solution and in terms economic investment.

Technical aspects: In order to create a flexible and attractive solution it was built on established standards, such as SAML2.0. This accommodates that the adaption process becomes as easy as possible for the IT-suppliers. Also an OIOSAML.NET was created to lighten the adaption process and create technical flexibility.

Economic aspects: A payment model was created that ensured that the public authorities could be connected to EasyLog-in without any fees. Thereby the only cost that incurred to the public authorities is their own project management and potentially IT-supplier cost (in the municipal sector most suppliers do not charge separate fees for the EasyLog-in due to the small amount pr. municipal, an average of 200 Euros pr. municipal).

Involvement: Due to the solutions high technical complexity, it has proven to be a good idea to involve IT-suppliers early in the process. Because of this involvement the IT-suppliers have not only been quickly to adapt their product portfolio to include EasyLog-in, but have also been active ambassadors and promoted the solution to the different public authorities.