1 ARPA: A regional infrastructure for secure role-based access to RTRT services
Ing. Laura Castellani, Tuscany Region


2 The problem
In the ICT world, security and privacy are fundamental, and it is very important for citizens to be able to access their information securely. For this reason, it is important to have not only a secure access system, such as an electronic card, but also an infrastructure that permits secure, authenticated access to all services offered by the Public Administration.

3 Tuscany ICT infrastructure
- RTRT (Regional Telematic Network): an infrastructure that securely connects all Public Administrations in Tuscany
- CART (Applicative Cooperation of/for Tuscany Region): an infrastructure that permits interoperability between different applications
- A PKI: an infrastructure for issuing CNS

4 ARPA
On top of these infrastructures, Tuscany Region has built ARPA, an infrastructure that provides a single authenticated and secure access point to all services offered by the Tuscany Public Administration.

5 ARPA
An infrastructure that permits:
- Secure authentication and identification using an electronic card (CIE or CNS)
- Role or qualification verification
and moreover offers:
- A personalized desktop with all available services offered by the P.A., according to the user's identity and roles

6 The architectural model

7 The architectural model
- Portal Area: secure access to services based on digital certificates
- Role Manager Area: this component manages the correct link between a user and his roles
- Services Area: the services available according to the user's credentials

8 Role certification providers
- Role verification takes place by querying one or more external data sources, which are distributed across several organizations (role certification providers).
- The role certification providers (RCP) offer authenticated access to data sources in order to verify roles and associated attributes.
- All of the above information builds, according to established rules, the digital user credentials (a kind of role certificate) necessary to access the services.

9 Identity federation
In accordance with e-government specifications, Tuscany Region intends to interoperate with other public administration services on the basis of federated digital identity. In this scenario the problem is: a domain of a public administration intends to make its services available to another domain. How does the first domain identify the users of the other, external domain? With identity federation, the server domain trusts the process by which the external client domain has generated the user's digital credentials. It trusts this process as if it were its own (domain trust). Moreover, if access to the services is restricted to a particular class of users based on their role, the mutual trust also includes the role certification process.

10 Role of Tuscany Region
In this scenario Tuscany Region, with ARPA, acts as:
- Identity and attribute provider for the other trusted domains
- Service provider: it receives users' digital credentials created by federated trusted domains and uses them for service access

11 Federation
- Business agreements between Tuscany Region and other Public Administrations to set courses of action and responsibilities for delivering services using a federated model
- Use of public key cryptographic systems to guarantee authenticity, integrity and confidentiality of identity transactions
- Use of a standard (SAML)

12 Public Administration benefits
- Increasing access to its services
- Having an infrastructure to verify roles dynamically
- Maintaining control of the access policy for its services

13 User benefits
- Single access identification
- Having a single desktop with all available services offered by the Public Administration

14 [Diagram: federations of secure portals over the Internet]
1. Authentication by electronic card
2. Role assignment
3. Send user credentials to the applications
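The role assignment and service access steps, combined with the role certification rule from slide 8 and the federation trust rule from slide 9, as an added Python example (not part of the presentation or of ARPA's code). The domain names, role names, RCP functions and the TRUST table are constructed assumptions, and card certificate and SAML signature validation are assumed to have succeeded before these functions run.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credentials:
    subject: str      # identity taken from the card certificate (step 1)
    issuer: str       # domain whose role manager built the credentials
    roles: frozenset  # roles confirmed by role certification providers

# Constructed federation agreements: what each domain is trusted to certify.
TRUST = {
    "regione-toscana": {"identity", "roles"},
    "partner-pa": {"identity"},  # identity federated, role process not covered
}

def assign_roles(subject, issuer, claimed_roles, rcps):
    """Step 2: keep only the roles that an RCP positively confirms."""
    confirmed = set()
    for role in claimed_roles:
        rcp = rcps.get(role)
        try:
            if rcp is not None and rcp(subject) is True:
                confirmed.add(role)
        except ConnectionError:
            pass  # RCP unreachable: fail closed, the role is not certified
    return Credentials(subject, issuer, frozenset(confirmed))

def authorize(creds, required_role=None):
    """Step 3, service side: decide from credentials and domain trust."""
    trusted_for = TRUST.get(creds.issuer, set())
    if "identity" not in trusted_for:
        return False, "issuer not federated"
    if required_role is None:
        return True, "authenticated user"
    if "roles" not in trusted_for:
        return False, "issuer's role certification not trusted"
    if required_role not in creds.roles:
        return False, "role not certified"
    return True, "role certified"

# Constructed RCPs: each answers for one role from its own data source.
def medical_register(subject):
    return subject in {"CF-ROSSI"}

def notary_register(subject):
    raise ConnectionError("data source unreachable")

RCPS = {"physician": medical_register, "notary": notary_register}
```

A role with no registered RCP, or whose RCP cannot be reached, is never placed in the credentials, so a restricted service denies it even for an otherwise valid user.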

15 Thanks a lot for the invitation and for the kind attention
Laura Castellani – laura.castellani@regione.toscana.it

