Components of Integration platform

Authorization Server

An OAuth 2.0 authorization server (AS) provides access tokens to the Service provider's applications so they can access the Web resources of Integration platform. The authorization server only issues access tokens in the following cases:

  • The owner of the Web resource authorizes the Service provider's application to access the resource.
  • The Service provider's application is the owner of the Web resource it is requesting to access.
  • The Service provider's application has administrative permissions for accessing the Web resource.

The authorization servers also validate the access tokens that the Service provider's applications include as an authorization method in the requests sent to the Integration platform services

Access Token
An access token is a credential that demonstrates authorization for performing one or more actions on a Web resource during a determined period of time.

Identity Provider

An identity provider (IdP) authenticates the identities of the end-users of a domain. OAuth 2.0 authorization servers use an IdP to authenticate a end-user prior to prompting the end-user to authorize an Service provider's application's access to their resources. When an authentication process finalizes, the end-user has a session in the identity provider containing their identity data, the level of authentication reached and details of the authentication process, e.g., the authentication methods used. With this information, the IdP can decide, in subsequent authentication processes whether to directly apply single sign-on or to execute additional authentication methods.

User Information Provider

The end-user information provider (UserInfo) is an OAuth 2.0 resource server that provides reliable information on the identity of the end-users authenticated by Integration platform.

Electronic Signature Provider

The electronic signature provider (eSigP) is an OAuth 2.0 resource server that provides reliable information on the signing identities of the end-users and access to digital signature generation using the keys for these identities. It also provides basic signing identity and signature device management services.

Access to the services of the eSigP is performed via a REST API. Authorization is performed by the authorization server via OAuth 2.0.

Signing Identity

A signing identity is a set of data handled by Integration platform for managing the selection and use of a specific signature key. Each signing identity contains information on the end-user who owns the key, the X.509 certificate associated to this key and the labels that allow them to be selected.

LVRTC manages a signing identities on a server. In this case the signature key is in an HSM that the eSigP has access to The signature key is in a Thales HSM device accredited as a qualified electronic signature/seal creation device and it requires submitting a password that only that HSM can validate, the signing identity corresponding to the key in question is said to be a qualified server signing identity.

Enabling Server Signing Identities

Enabling a server signing identity is how the signature key associated to the identity is made available for generating an electronic signature. The Electronic signature provider signing identity enabling mechanism requires authentication through the submission of an access token. This access token must have the authorization of the identity's owner for using the signature keys of all the server signing identities that the subject owns in a particular schema. If the server signing identity is a qualified signing identity, the following additional conditions must be met for it to be enabled:

  • The access token presented is associated to the server signing identity corresponding to the signature key. Thus, only this signing identity can be enabled; not any other that the owner has in the same schema.
  • The access token is associated to specific data. Thus, the enabling occurs only so this data can be signed; not for the signing of any other data.
  • The enabling password of the signature key that only the Thales HSM can validate is submitted.

eParaksts mobile

eParaksts mobile is an application for iOS and Android mobile devices for generating electronic signatures. These signatures are used for Identity authentication: eParaksts mobile generates the XAdES signature on a ticket that acts as a challenge that the end-user uses to prove their identity.

The cryptographic keys used to generate the signatures are stored in the mobile device in which the eParaksts mobile app is installed. Access to these keys is protected by PIN or fingerprint. This guarantees, with a high level of trust, that the signature keys used by eParaksts mobile are always under the exclusive control of the signer.

The signatures generated by eParaksts mobile always require explicit approval from the end-user and are generated on the request of any set of applications the end-user accesses either with the same mobile device in which eParaksts mobile is installed or a different one. These applications never interact directly with eParaksts Mobile but rather do so via eSigP or another application that communicates with eSigP (e.g., eSignSP).