EasyLog-in (ELI)

Published on: 09/06/2009

The case owners: EasyLog-in is the world's first cross-governmental Single Sign-On (SSO) solution. Single sign-on makes it possible for a user to log in once and gain access to all systems without being prompted to log in again at each of them. EasyLog-in makes SSO possible across multiple public digital services, ranging from local services to national services.

EasyLog-in handles on average 10.000 unique users per day. The system peaked in spring 2009 with 400.000 logins and 110.000 unique users during one day. This should be seen in relation to the size of the Danish adult population of 4.2 million people.

This unique log-in solution has been developed and commissioned by the Danish Agency for Governmental Management under the Ministry of Finance, in cooperation with the National IT and Telecom Agency. The solution is one of the milestones of the Danish E-government strategy 2007-2010.

EasyLog-in is based on international standards. Its functionality is built on the already existing infrastructure of the Public Key Infrastructure (PKI) Digital Signature (www.digitalsignatur.dk), which provides citizens, public authorities and businesses with secure digital identification. To describe the two functionalities through a metaphor: the Digital Signature is the key, and EasyLog-in is the keyhole.

Today the EasyLog-in infrastructure is implemented in 22 cross-governmental digital services, which citizens can access through SSO. As a part of the Danish E-government strategy, it is recommended that EasyLog-in is made mandatory by 2010 as the only authentication for all nationwide citizen-oriented digital services that require secure identification.

Why the case was launched and what it sets out to do: In 2008 borger.dk, a civil portal that gives access to cross-governmental services, was launched. When borger.dk was launched it was crucial to have a log-in solution that accommodated SSO. However, EasyLog-in is not restricted to borger.dk, but is adapted across multiple public digital services. The vision is that EasyLog-in will provide citizens with SSO to all public digital national services by 2010.

Further, it is recommended that the EasyLog-in solution in time be developed to include SSO for public officials. In the long term EasyLog-in could be used by companies, as the solution is technically probed for private sector use.

The benefits and impacts: EasyLog-in is the first solution in Europe that offers identity-based access to cross-public services and the ability of system-to-system communication. An example of EasyLog-in's impact on the user's workflow is when a citizen accesses my page at www.borger.dk: the citizen can access their own individual data collected through multiple public authorities, including tax services and the local municipalities. Thereby, EasyLog-in gives citizens easy access to public services because they avoid logging in several times.

For the public authorities the EasyLog-in solution creates an opportunity to use and offer a single log-in component, instead of developing and running several log-in services. This makes it cheaper, simpler and faster to create new identity-based services on borger.dk and other digital services.

The lessons learnt: It is not yet mandatory for public authorities to adapt their digital services to EasyLog-in. This makes it extremely important to create a solution that is attractive to the public authorities and relatively easy to implement. To ensure this, the EasyLog-in solution builds on established standards and has created a payment model where no adaption fees are incurred by the public authorities.

Furthermore, it is central to involve key decision-makers such as representatives from the public authorities and their IT-suppliers. Through workshops and presentations, stakeholders have been involved in the process, and in particular the IT-suppliers have been used as ambassadors of the solution.

Policy Context

The EasyLog-in initiative was taken as an action to incorporate the visions of the Danish Digitalization Strategy 2007-2010 by creating better digital service for citizens, increasing efficiency and strengthening cross-public cooperation.

A seamless sector and effective management of the increasing number of public digital services make the establishment of a cross-governmental initiative advantageous. The initiative aims to establish a universal solution with multiple authorities and suppliers to achieve greater flexibility.

The EasyLog-in development is based in the Identity and Access Management (IAM) Organisation (Brugerstyringssekretariatet) under the Danish Agency for Governmental Management. The IAM Organisation is governed by a Steering Committee, consisting of representatives from national authorities at the state, regional and municipal levels.

The IAM Organisation develops common solutions and policies for identity and access management in Denmark. The aim is to make the digital public Denmark safe and lighten the infrastructure investment for public authorities, while providing better service to citizens.

The first result of the IAM Organisation's initiatives is the SSO solution EasyLog-in, to which public authorities can connect in order to use the common log-in function. In the first phase EasyLog-in is citizen-oriented, but the vision is that EasyLog-in will in time be used as SSO in public officials' workflows. Public officials will only need to log in once in order to access all internal public data, according to their user profile.

Description of target users and groups

EasyLog-in's primary target group is the public authorities. These are local authorities (e.g. municipalities), regional authorities (e.g. healthcare organisations) and national authorities (e.g. ministries) that provide citizen-oriented digital services with log-in functions.

Local authorities: there are 98 municipalities in Denmark, offering a large number of different digital services at their own websites, some of which demand secure identity log-ins. EasyLog-in ties these services together by means of one-point user identification.

Regional authorities: there are 5 regional organisations in Denmark. One of the regions' primary functions is the management and operation of the Danish healthcare system and hospitals. The 5 regions have in cooperation created a common portal (www.sundhed.dk) with citizen-oriented digital services which demand secure identity log-in.

National authorities: there are 19 ministries in Denmark, each with several sub-organisations and agencies. Collectively these offer different citizen-oriented digital services, some of which demand secure identity log-in.

There is currently an increase in new services offered digitally to citizens. This increase implies that citizens and public officials are spending more time logging in to and out of the different systems, and a need for a common log-in solution is emerging.

Needs related to citizens:

  • Easy access to public service
  • Easy access to own individual information

The target group's needs:

  • A solution that is transferrable from one solution to another
  • A central operation, instead of small separate operations
  • A common open concept for the public authorities

Description of the way to implement the initiative

Technical Infrastructure: The EasyLog-in solution is built on top of established technical components: Digital Signature and SAML 2.0.

  • Digital Signature: EasyLog-in uses the national PKI (Public Key Infrastructure) Digital Signature (OCES1), which provides secure identification at Liberty Alliance level 3 by mapping the user log-in to either their Social Security Number (CPR) or, for businesses, the Central Business Register number (CVR). The Digital Signature has been in operation since 2004 and is widely diffused as a secure identification key standard in both the public and private sectors.
  • International Standard: The EasyLog-in solution is based on the international standard SAML 2.0, which has also been made a public standard in Denmark. In the development process several open source SAML 2.0 integration toolkits were developed (.NET, .JAVA and .PHP) and made freely available on the public open source repository www.softwareborsen.dk. The .NET, .JAVA and .PHP components support the cross-public SSO in relation to citizens and, in time, public officials.

The federation and guidelines: When the public authorities adapt their services to EasyLog-in, they agree to be a part of the EasyLog-in federation. The EasyLog-in federation is the collective of public authorities that are connected to EasyLog-in. The federation is based on a joint agreement and adherence to common levels of safety, technical policies and legal agreements, and a common set of guidelines and standards for transfer of user identities and entitlements across the infrastructure.

Strategic Partnership: In the realization of EasyLog-in a key partnership is the cooperation with the National IT and Telecom Agency. The technical knowledge and expertise provided by the National IT and Telecom Agency has been, and still is, crucial for the continuous development and success of EasyLog-in as a value adding solution.

The adoption of EasyLog-in was made very feasible by the use of the already established national PKI, Digital Signature. The cooperation with the Centre for Digital Signature, under the National IT and Telecom Agency, has thereby been a major contributing factor to EasyLog-in's success.

An important partnership is with the Danish Tax Office (SKAT) and the Student Scholarship Foundation (SU). These two authorities had a prior infrastructure agreement and both had a large number of regular users, which made them great candidates for pilot projects for EasyLog-in. The Danish Tax Authorities are the public authority with the highest number of active digital users, which made it crucial to have them as a part of the federation in order to make it attractive for other authorities to participate.

Further, the Danish Tax Office (SKAT) is a party to the EasyLog-in tripartite cooperation. Here the Danish Agency for Governmental Management is the system owner, the Danish Tax Office is the operator and a private IT-company is the technical supplier.

In the implementation of EasyLog-in a strategic partnership was made with the civil nationwide portal borger.dk. As borger.dk provides citizens with one point of access to data across local, regional and national authorities, the opportunity to use SSO was important for the success of borger.dk. The partnership made identification of key stakeholders possible and opened up for the first promotion of the solution to both private and public stakeholders.

Technology solution

The central identity provider uses PingFederate, is operated by the Danish Tax Office (SKAT), and was deployed into production in mid-2008. As of early June 2009, there are 22 distinct services connected, some using PingFederate and others using other open source SAML-compliant solutions provided by the Danish government.

The Danish IdM system, EasyLog-in, is based on the standard SAML 2.0. The Danish SAML 2.0 profile is called OIOSAML 2.0. The EasyLog-in system issues a ticket - a SAML token - as proof of user identity. This ticket is then "presented" to the service the user wants access to. Based on the issued ticket the service provider (public authority) gives access to the services. As the services and portals in the SAML-federation must support the SAML 2.0 standard, the users get SSO access to the services across the federation.

In order for the public authorities to connect to EasyLog-in, they need to adapt their service to the SAML 2.0 standard, either through commercial software or open source software. In order to encourage EasyLog-in adoption among various services, the IAM Organisation developed SAML 2.0 integration toolkits on several platforms, including .NET, .JAVA and .PHP, and made them available on the public open source repository Softwarebørsen: www.softwareborsen.dk. The software component contains a reference implementation and a toolbox based on the open SAML 2.0 standard, which is used to integrate a service provider's (public authority's) service with EasyLog-in.

The choice of technology made rapid deployment of the service into production possible (3 month pilot, 6 months total development time). Further, the standards-compliant solution means new services can be rapidly added to the federation. Lastly, the choice of technology creates leverage in relation to the existing public investment in the Digital Signature.

Technology choice: Standards-based technology, Mainly (or only) open standards, Open source software

Main results, benefits and impacts

As more public authorities adapt and implement EasyLog-in as their main log-in solution, the number of logins decreases for the citizen. Hence, EasyLog-in’s value increases proportionally with the number of services that adapt the log-in solution.

The long term vision is to integrate EasyLog-in as a nationwide SSO solution internally in the public sector. This will have a great impact on efficiency, since it will decrease the number of times a public official has to log in to different systems, as there will only be one log-in and one access.

But the current benefits and impacts can be outlined as follows:

Citizens: From the citizens' point of view the use of EasyLog-in allows an easier and simpler access to public services. Moreover, the architecture behind EasyLog-in creates an ability to integrate solutions across user flows, which is the case with the borger.dk portal. Thereby, the main benefit for the user is the seamless public digital services.

A great benefit and value for both citizens and the public authorities is that using Digital Signature creates a greater assurance that access is given to the right person. Through the adaption of EasyLog-in the diffusion of the Digital Signature is strengthened and supported, as EasyLog-in only supports the Digital Signature as key.

Public authorities: From a public authority's perspective the advantage is that a common public infrastructure for log-in makes it easy and simple to add new services, and it can be done cheaply. The authorities do not have to develop, maintain and operate an individual log-in solution. While in the short term there may be costs to switch to EasyLog-in, there will be long-term savings, since new services will be aligned with EasyLog-in and services will be designed to exploit the benefits of having common components.

Research done by the Danish Agency for Governmental Management and the National IT and Telecom Agency in the spring of 2009 showed that EasyLog-in, as a common public log-in component, has created greater transparency in the market, which makes it more difficult for individual providers to charge high prices for their log-in functionalities. This is especially important in a market where several large IT-suppliers nearly have a monopoly on the different types of services the municipalities or the state provide to citizens.

Suppliers: As EasyLog-in is a centralized solution, using it means that the IT-supplier of a given digital service has no operation or maintenance of the log-in feature of the service solution. Hence the operation is moved away from the IT-supplier to the common public solution EasyLog-in.

EasyLog-in creates uniformity in the customer segment, as the same guidelines and standards are applicable to all public institutions. This implies that the solutions delivered to the public will be using the same technical and legal standards, and the needs are thereby easier to cater to.

From a long term perspective, EasyLog-in will make it easier to build on already acquired experience. Further, several suppliers reported in the research done in the spring of 2009 that the adaption process was optimized from the first adaption of EasyLog-in to the second, as a lot of time was saved due to previously acquired experience.

Return on investment

Return on investment: Not applicable / Not available

Track record of sharing

Over the last couple of years the people involved in the development of the EasyLog-in solution have participated in a number of national and international forums. This has opened up for continuous expert evaluations of the solution, as well as sharing of learning points. These are some of the forums:

February 2007: RSA Security Conference 2007, San Francisco, CA.
Participation in the panel on "SAML 2.0 standard-of-choice in the Public Sector", with representatives from British authorities and the governments of the USA, Finland and Denmark. EasyLog-in was discussed.

March 2007: Liberty Workshop to Directorate of Public Roads Office, Oslo, Norway.
Presentation of the Danish initiatives within coherent user management including EasyLog-in.

October 2007: Burton Group Catalyst Conference, Barcelona, Spain.
Speaker on "A Review of the Danish Public Sector Federation" and participation in the panel on user management protocols.

April 2008: RSA Security Conference 2008, San Francisco, CA.
Participation in the panel on "Driving Trusted Federation" where NemLog-in was also discussed.

Summer 2008: Documentation of the EasyLog-in solution in the Liberty Alliance International case study - available at this link: http://www.projectliberty.org/liberty/content/download/4301/28788/file/denmark_libertycasestudy6.08.pdf

November 2008: IAM Liberty Day, Tokyo, Japan. Speaker on "eGovernment federation in Denmark".

November 2008: European Open Source Repository Workshop, Brussels, Belgium.
Speaker on the free OIOSAML toolboxes that can be used to connect to EasyLog-in.

March 2009: IT Architecture Conference 2009, Århus, Denmark. Speaker on "User management - easy and simple".

June 2009: eema / OASIS - The European e-Identity Management Conference, London, UK.
Speaker on "Lowering standards implementation costs through global collaboration - The eGov SAML 2.0 profile".

January 2010: 600Minuted Public IT Conference, Copenhagen, Denmark. Participation as Chairman.

Lessons learnt

When EasyLog-in was launched it was optional for the public authorities whether they wanted to adapt their digital services to the EasyLog-in solution or not. Therefore it was important to create a solution that was attractive both in terms of the technical solution and in terms of economic investment.

Technical aspects: In order to create a flexible and attractive solution it was built on established standards, such as SAML 2.0. This makes the adaption process as easy as possible for the IT-suppliers. In addition, OIOSAML.NET was created to lighten the adaption process and create technical flexibility.

Economic aspects: A payment model was created that ensured that the public authorities could be connected to EasyLog-in without any fees. Thereby the only costs incurred by the public authorities are their own project management and potentially IT-supplier costs (in the municipal sector most suppliers do not charge separate fees for EasyLog-in due to the small amount per municipality, an average of 200 Euros per municipality).

Involvement: Due to the solution's high technical complexity, it has proven to be a good idea to involve IT-suppliers early in the process. Because of this involvement the IT-suppliers have not only been quick to adapt their product portfolio to include EasyLog-in, but have also been active ambassadors and promoted the solution to the different public authorities.

Scope: Local (city or municipality), National, Regional (sub-national)