Open Portal Guard
Overview
Open Portal Guard protects the sensitive services of your portal
through
- a single-sign-on authentication system that can use
  - username/password (for legacy reasons)
  - X.509 certificates held in files or on various smartcards
- centralized declarative access control
In support of manageability, it further
- off-loads the CPU-intensive SSL processing from the application
servers to a massively scalable, parallel array of stateless gate keeper
hosts
- maps the logical URLs visible to users to physical URLs on a
protected internal network, which makes it possible to
  - integrate multiple (potentially parallel) application servers
  behind a single portal address
  - hide implementation choices behind long-term stable,
  technology-neutral URLs
  - allow for transparent physical changes such as hardware
  upgrades, addition of hosts for increased traffic, and migration of
  implementation technologies.
Development Philosophy
Open Portal Guard uses existing and proven standards as much as
possible. This includes:
- SSL/TLS for channel security and for authentication of both client
and server
- the API (but not the mechanism) of HTTP Basic authentication towards
application servers and applications: the gate keeper performs the
actual authentication and presents the result to the application in
the form it already understands from Basic authentication
The implementation reuses as much existing and proven open source
software as possible. This includes:
- Apache and many of its modules, such as mod_ssl, mod_proxy and
mod_rewrite
- mod_python for rapid prototyping and an easily extensible
implementation
Features
Among the planned features are:
- guarantee of a secure channel via standard and proven TLS/SSL
- use of a standard method for authentication (SSL handshake with
client certificate authentication, as supported by all major browsers)
- support of multiple authentication tokens at various levels of
security (from username/password to strong authentication with a smartcard)
- easily extensible for new token types
- a single person can have several tokens with different IDs
(username, CN in certificates) that all map to a single "principal"
that uniquely identifies the person
- specification of a minimum authentication level for
various URL patterns
- single sign-on for a single domain
- maximal transparency through persistence of request data
during login, so that the originally requested page is served once the
user has authenticated
- role-based access control modeled as an extensible superset of
J2EE's declarative access control but independent of the technology used
for the application server
- centralization of access policy, easy to specify by
non-programmers (declarative), technology independent, based on logical
URLs
- massively scalable through the use of a parallel array of
stateless "gate keepers" that connect the public internet to a secured
internal network that contains multiple application servers
- off-loading of CPU-intensive SSL processing from application
servers to the parallel array
- low total cost of ownership through the possibility of deploying
the array of gate keepers on diskless embedded systems in a Single
System Image approach that centralizes all software installation and
management
- no limitation on the technology of the application servers used;
standard HTTP is the only requirement
- seamless integration of multiple application servers of
potentially varying technology through URL rewriting
- hiding of implementation detail in URLs to provide long-term
stable logical URLs (through URL rewriting)
- transparent maintenance, upgrades, and migrations through
URL rewriting
Origin and Purpose
The Open Portal Guard project was initiated by the Town of Grosseto, Tuscany,
Italy, to provide secure e-government services for citizens using one
of the official national smartcards for authentication:
- the Electronic ID Card (Carta d'Identità Elettronica or CIE) of the
Ministry of the Interior, issued by towns
- the National Service Card (Carta Nazionale dei Servizi or CNS) of the
Ministry of Innovation and Technology, issued by regional governments
(including Lombardia, Lazio, Tuscany) and others.
The Town of Grosseto has chosen an open source approach for various
reasons, including:
- gaining hands-on experience with open source in a limited domain, to
potentially extend the approach to other areas in the future
- amplifying its internal expertise and resources, and improving the
quality of the product through network effects and peer review
- guaranteeing the long-term sustainability of the product
- finding a sustainable way to continue its track record of
internal development activities (which have resulted in exceptional
levels of system integration, use value, and cost-effectiveness) while
avoiding the excessive burden of ivory-tower developments managed in
isolation
- contributing to the rapid spread of e-government technology in
Italy (and beyond) and aiding the identification and spread of best
practice solutions
- promoting increased exchange and collaboration among public
administrations
Grosseto is thus seeking collaboration with:
- other local government agencies in Italy
- public administration in general in Italy and Europe
- SMEs and technology providers who can integrate the product in
their commercial offerings
- policy makers in the IT sector
- academia
A long-term interest of Grosseto is to experiment with new ways of
collaboration between public administration and the private sector, and
with how to build up an economically viable market for open source products
for public administration.
To participate or learn more, please contact Bud P Bruegger or
subscribe to the mailing list.