
The canton of Aargau relies on proven standards in eGovernment. By consistently pursuing a service-oriented, multi-layered architecture, the canton enables its citizens, administrative staff, institutions and third parties to use electronic administrative services via a central online portal. The Aargau e-government architecture, unique in its flexibility and modular expansion options, has received several awards from various committees. These include 3rd place as the most innovative eGovernment project in the 2014 international eGovernment competition. Since then, the canton of Aargau has continued to expand its pioneering role step by step – even beyond its own cantonal borders and federal structures.

E-Government infrastructure of the Canton of Aargau

Large construction projects require secure foundations

In 2012, the canton of Aargau launched its e-government offering as a central portal, opening an online counter for electronic administrative services. That this was the right approach was confirmed by Gartner in a 2015 study, which rated the portal model as the most attractive option for making administrative services available to citizens over the internet. The Gartner analysts identify the security infrastructure, and in particular the choice of suitable online credentials, as critical success factors for e-government portals: credentials for accessing e-government services must be easy to obtain, easy to use and sufficiently secure.

The online counter of the Canton of Aargau rests on a broadly supported, stable foundation: a 7-layer architecture with a modular design in every layer. Each of the seven layers matters, including the IT security layer, complex as it is. The Canton of Aargau does not treat the security layer as a necessary evil but as a central building block for the continued expansion of its online services.

eGovernment Canton Aargau: The path to the next generation of identity federation

Security layer as a bridge for e-government

Security has played a key role in Aargau’s eGovernment infrastructure from the very beginning. Many of the milestones and celebrated successes of electronic services achieved in recent years are directly linked to the high level of flexibility in the security layer:

Alongside a web application firewall, which protects the availability of the online services and the integrity of applications and transaction data, access management is a particularly important part of the overall architecture. Located in the security layer in the form of the USP Secure Entry Server®, it centrally handles authentication for all internal and external access to the online counter and the specialist applications behind it.

In the course of further development, services such as project rooms and document repositories, as well as specialist processes such as the electronic naturalization process and the lottery approval process, were connected for internal and external employees. Employees working at an internal workstation are authenticated via Kerberos. For access from the Internet, authentication with an SMS mTAN as a second factor (multi-factor authentication) is also available.

Cloud SSO & federation unleash e-government potential across organizations

With the integration of the ALSA school portal, the canton of Aargau broke new ground by integrating an external service into its e-government structure for the first time. Users of the school portal were to be able to keep using their existing login. To this end, the school portal's own identity provider was integrated alongside the new service.

Identity Broker for the next generation of e-government

In order to fully develop the potential in e-government, the Canton of Aargau decided to expand the modular security layer with a SAML proxy. The so-called “Identity Broker” from United Security Providers acts as a central hub for coordination between all identity providers and all service providers.

[Figure: Identity Broker SAML proxy visualization] As a central hub, the Identity Broker takes over the authentication and authorization management of users and enables cross-domain single sign-on with extensive options (e.g. consent, transformation, concealment, provisioning).

The Identity Broker increases flexibility in two directions:

  • New services can be added to the e-government offering quickly and in compliance with data protection regulations.
  • When working with new partner institutions, the Aargau services become easily accessible to a new group of users, who can keep using their familiar credentials. The partner's identity provider is simply integrated into the identity broker by establishing a trust relationship with it.

The Identity Broker (SAML Proxy) takes over the coordination between all Identity Providers and all Service Providers and offers a whole range of functionalities for a fine-grained adjustment to requirements in terms of authentication and data protection:

  • Transformation: The identity broker acts as a “translator” between the identity provider and the service provider. If authentication to a service is carried out via an external identity provider, the identity broker transforms the identity attributes into a standardized form (e.g. the attribute names e-mail, mail and email, which different identity providers use for the same value, are mapped onto one canonical attribute).
  • Concealment: The Identity Broker can conceal identity attributes of users from the service provider (e.g. conceal UserID) or completely anonymize users from the service if required (data protection).
  • Consent: The identity broker informs the user as soon as certain characteristics of their identity (attributes) are passed on to the service and obtains their consent to the transfer of their data.
  • Provisioning: Users who arrive for the first time via an external identity provider can be created as new accounts in the local LDAP directory.
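The transformation, concealment and consent functions described above can be illustrated with the following policy logic for an attribute-releasing broker. This is an added example written for this page and not code from United Security Providers or the Identity Broker product; the attribute aliases, the "pseudonym" action (a per-service HMAC of the user ID, so that no two services receive the same identifier and the identity provider's UserID never leaves the broker), the broker secret and the sample school-portal policy are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed alias table: the attribute names different identity providers
# use for the same value, mapped onto one canonical name (transformation).
ALIASES = {
    "email": {"email", "mail", "e-mail", "emailaddress"},
    "givenName": {"givenname", "firstname", "given_name"},
    "surname": {"surname", "sn", "lastname", "family_name"},
    "uid": {"uid", "userid", "sub"},
}

# Hypothetical broker secret used to derive per-service pseudonyms.
BROKER_SECRET = b"rotate-me-in-production"


class ConsentRequired(Exception):
    """Raised when attributes would leave the broker without the user's consent."""


def transform(idp_attrs):
    """Map whatever names the external IdP used onto the canonical schema."""
    out = {}
    for name, value in idp_attrs.items():
        for canon, names in ALIASES.items():
            if name.lower() in names:
                out[canon] = value
                break  # unknown attributes are dropped, not forwarded
    return out


def pseudonym(uid, sp_id):
    """Per-service pseudonymous identifier (concealment): the service cannot
    correlate the user with another service, and the raw UserID stays in the broker."""
    msg = f"{sp_id}|{uid}".encode()
    return hmac.new(BROKER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def release(idp_attrs, sp_policy, consented):
    """Return the attributes the broker forwards to one service provider.

    sp_policy: {"sp_id": str,
                "attributes": {canonical_name: "release" | "conceal" | "pseudonym"},
                "consent_required": set of canonical names}
    consented: set of canonical names the user has already approved for this service.
    Attributes the policy does not mention are never released (default deny).
    """
    canon = transform(idp_attrs)
    out = {}
    for name, action in sp_policy["attributes"].items():
        if name not in canon or action == "conceal":
            continue
        if action == "pseudonym":
            out[name] = pseudonym(canon[name], sp_policy["sp_id"])
        else:
            out[name] = canon[name]
    # Consent: stop before any attribute that needs approval leaves the broker.
    missing = (set(out) & sp_policy["consent_required"]) - consented
    if missing:
        raise ConsentRequired(sorted(missing))
    return out


# Constructed sample: an external school IdP's attributes and a hypothetical
# policy for a service called "school-portal".
SAMPLE_IDP_ATTRS = {"e-mail": "anna@example.ch", "sn": "Muster",
                    "givenName": "Anna", "uid": "u123", "department": "math"}
SAMPLE_POLICY = {
    "sp_id": "school-portal",
    "attributes": {"email": "release", "givenName": "release",
                   "surname": "release", "uid": "pseudonym"},
    "consent_required": {"email"},
}

if __name__ == "__main__":
    try:
        release(SAMPLE_IDP_ATTRS, SAMPLE_POLICY, consented=set())
    except ConsentRequired as e:
        print("consent needed for:", e.args[0])
    print(release(SAMPLE_IDP_ATTRS, SAMPLE_POLICY, consented={"email"}))
```

Two design points worth noting: the broker works from an allow-list per service, so an identity provider that suddenly starts sending extra attributes (here "department") does not leak them downstream, and the consent check runs after transformation and concealment, so the user is asked about exactly the values the service will actually receive.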

Single sign-on across all platforms

Thanks to the centralized authentication component, a single successful login gives the user single sign-on (SSO) across all available portals for which they are authorized. This internal cloud SSO significantly improves user-friendliness and is an important contributor to efficient processes in the heterogeneous service landscape.

Dynamic increase of quality levels in authentication

What would happen if a user wants to switch from a service with a low trust level to another service that requires a high quality of authentication within an active session? For example, if a user is only logged in with their username/password because they have obtained a lottery permit at the online counter and then – as they are already logged in – want to access their tax return?

The eCH association, which defines e-government standards for Switzerland, presents a quality model for electronic identities in the eCH-0170 standard. The standard takes the view that the same rules must apply to virtual ID cards as to physical ones: an ID card must meet certain requirements so that the quality of identification of its bearer can be matched to the application scenario. eCH-0170 attaches great importance to electronic identification and defines four quality levels for the reliable identification of users in electronic administrative processes.

To this end, the canton of Aargau is constantly making new authentication and identification methods and products available as modular basic services within eGovernment. In the future, users should be able to dynamically increase the quality of authentication within the services offered in the portals and then gain access to services that require a higher quality of authentication.
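The step-up behaviour described above (a session that starts with a weak login and is raised to a higher quality level on demand, without ever being lowered) can be expressed as follows. This is an added example written for this page, not code from the canton's portal or from United Security Providers. Which authentication means satisfies which of the four eCH-0170 levels, the separate "identification level" recorded for a session, and the required levels of the two sample services are assumptions made for the example, not values taken from the standard.

```python
from dataclasses import dataclass, field

# Hypothetical mapping of authentication means to a quality level 1..4.
# eCH-0170 defines four levels; this table is an assumption for the example.
METHOD_LEVEL = {"password": 1, "sms_mtan": 2, "hardware_token": 3, "qualified_cert": 4}

# Constructed sample services, mirroring the page's lottery permit / tax return case.
SERVICES = {"lottery_permit": 1, "tax_return": 3}


@dataclass
class Session:
    user: str
    # How strongly the person behind the account was identified when it was
    # issued (4 = verified in person at least once). A strong login cannot
    # compensate for a weakly identified identity, and vice versa.
    identification_level: int
    methods: list = field(default_factory=list)

    @property
    def auth_level(self):
        return max((METHOD_LEVEL[m] for m in self.methods), default=0)

    @property
    def effective_level(self):
        return min(self.auth_level, self.identification_level)


def check_access(session, required_level):
    """Decide whether the session may use a service of the given level.

    Returns ("allow", None), ("step_up", [methods that would reach the level])
    or ("deny", reason) when no step-up can help because the identity itself
    was never verified strongly enough.
    """
    if session.effective_level >= required_level:
        return ("allow", None)
    if session.identification_level < required_level:
        return ("deny", "identity not verified to the required level")
    candidates = [m for m, lvl in METHOD_LEVEL.items() if lvl >= required_level]
    return ("step_up", candidates)


def step_up(session, method, proof_ok):
    """Record a successfully completed stronger method on the session.

    Levels only ever increase within a session: a failed or weaker step-up
    leaves the session exactly as it was, and a downgrade requires a new session.
    """
    if method not in METHOD_LEVEL:
        raise ValueError(f"unknown authentication method: {method}")
    if not proof_ok:
        raise PermissionError("step-up authentication failed")
    if METHOD_LEVEL[method] > session.auth_level:
        session.methods.append(method)
    return session


def walkthrough():
    """The page's scenario: password login, lottery permit, then the tax return."""
    s = Session("anna", identification_level=4, methods=["password"])
    first = check_access(s, SERVICES["lottery_permit"])
    second = check_access(s, SERVICES["tax_return"])
    step_up(s, "hardware_token", proof_ok=True)
    third = check_access(s, SERVICES["tax_return"])
    return first, second, third, s.effective_level


if __name__ == "__main__":
    for decision in walkthrough()[:3]:
        print(decision)
```

The point the example makes beyond the prose is the third branch: if the account was only ever identified at a low level, offering a stronger login method changes nothing, which is exactly why the page treats identification, not just authentication, as the remaining challenge.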

My identity belongs to me! – Challenges in the area of identification

The biggest challenge remains the identification of users for services that give access to sensitive data such as personal or financial information. According to the eCH-0170 standard, this requires the highest of the four quality levels of identification, which applies to services handling the most confidential data. A user must be physically identified at least once, which calls for suitable methods. The means of authentication used to access such services must likewise meet the highest quality requirements. Today there is a range of options, but only SuisseID is legally binding at the highest level.

The aim of the Canton of Aargau is to remain as close as possible to its citizens and businesses with its electronic services in the future. With easily accessible services, the Canton of Aargau aims to offer users of its e-government services the greatest possible benefit and convenience. This is always in balance between requirements and legal framework conditions.

The expansion of authentication options and reliable user identification by means of electronic ID cards will make unrestricted cloud single sign-on across all portals possible in the near future. This requires, however, that the highly fragmented identity landscape be consolidated, either centrally or in a decentralized form, and formally approved. A model with standardized interfaces applicable across all federal levels would accelerate this development.