Slide 1
GFIPM: Enabling Federated Identity and Single Sign-on
John Ruegg
LA County Information Systems Advisory Body
June 11, 2014
Slide 2
What is Federated Identity?
• You trust an external partner organization to vet their users, issue local authentication tokens, assert user/system identities and privilege attributes, and locally authenticate their users BEFORE they can be granted access to your system. That partner is a Trusted Identity Provider (IdP), aka Claims Provider.
• Your system relies on the identity credentials provided by the IdP to make access and authorization decisions. Your system is a Service Provider (SP), aka Relying Party.
• IdPs and SPs have mutual technical and policy obligations to meet for participation in the Identity Federation.
Slide 3
What is Federated Identity?
[Graphic labels: Justice XML Inside; GFIPM Attributes Inside]
Slide 4
Basic Concepts of GFIPM
[Diagram: a Data Requester, a Policy Enforcement Point at the Data Service Provider (enforcing a Local Access Policy), and a Federation Identity Provider (issuing the GFIPM, or Global FIPM, User Assertion; AuthID). Numbered flow:]
1. Data Request (Data Requester to the Data Service Provider's Policy Enforcement Point)
2. Assertion Authentication Request (to the Federation Identity Provider)
3. Local Authentication (at the Identity Provider)
4. Assertion Authentication Response (carrying the GFIPM User Assertion)
5. Data Service Response (back to the Data Requester)
Slide 5
Federation Terminology
• A Trusted Identity Provider (IdP) or Claims Provider– Vets, ID proofs users, authenticates users, issues Federated ID
credentials, maintains user identity and privilege attributes• Service Provider (SP) or Relying Party
– Consumes Federated IDs and asserted attributes from IdPs and Attribute Authorities to make authorization decisions
• Attributes – Identification and Privilege Data Tags– Example: DMV-issued Drivers License Card lists Identification
attributes such as Name, Sex, DOB, Address, with driving privilege attributes such as Commercial Truck license, Motorcycle license
– GFIPM has a dictionary of defined Identity and Privilege Attributes• Digitally Signed “Trust File” – contains the names, attributes,
and certificates of each IdP and SP, which make up the set of Federation members (note: SAML metadata file)
Slide 6
Service Providers (SPs) Control Their Access Policy Rules
SERVICE: TX Criminal Law Enforcement Reporting and Information System (CLERIS)
ACCESS POLICY:
• Sworn Law Enforcement Officer Asserted
• Criminal Investigative Search Privilege Asserted OR (Criminal Intel Search Privilege Asserted AND 28CFR Certification Asserted)
• Identity Proofing Assurance Asserted and = NIST4
• Electronic Identity Assurance Asserted and ≥ NIST3
• Audit Attributes Provided*
*First Name, Last Name, Phone Number, User Federation ID, Organization Name, Identity Provider, Email Address
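The CLERIS rules above, evaluated the way an SP's policy enforcement point would evaluate them over the attributes asserted in a user's GFIPM assertion. This is an added example, not code from the slides or from NIEF: the attribute keys are simplified names constructed here (not GFIPM metadata URIs), and it assumes every rule on the slide must hold for access to be granted.

```python
# Added example: evaluate the CLERIS access policy over asserted attributes.
# Attribute keys are simplified names constructed for this example, not the
# GFIPM Metadata 2.0 attribute URIs an IdP would actually assert.

# Audit attributes the SP must receive to log who used the service (from the slide).
AUDIT_ATTRIBUTES = ("FirstName", "LastName", "PhoneNumber", "UserFederationId",
                    "OrganizationName", "IdentityProvider", "EmailAddress")


def nist_level(value):
    """Parse an assurance value such as 'NIST3' into 3; None if absent or malformed."""
    if isinstance(value, str) and value.upper().startswith("NIST") and value[4:].isdigit():
        return int(value[4:])
    return None


def evaluate_cleris_policy(attrs):
    """Return (granted, reasons) for a dict of asserted attributes.

    Assumes all five rules on the slide must hold. Every failing rule is recorded,
    so a denial can be logged with its cause instead of as a bare 'no'.
    """
    reasons = []
    if not attrs.get("SwornLawEnforcementOfficer"):
        reasons.append("Sworn Law Enforcement Officer not asserted")
    investigative = bool(attrs.get("CriminalInvestigativeSearchPrivilege"))
    intel_with_28cfr = bool(attrs.get("CriminalIntelSearchPrivilege")) and bool(attrs.get("Cert28CFR"))
    if not (investigative or intel_with_28cfr):
        reasons.append("neither Criminal Investigative Search Privilege nor "
                       "(Criminal Intel Search Privilege AND 28CFR Certification) asserted")
    if nist_level(attrs.get("IdentityProofingAssurance")) != 4:
        reasons.append("Identity Proofing Assurance must be NIST4")
    eia = nist_level(attrs.get("ElectronicIdentityAssurance"))
    if eia is None or eia < 3:
        reasons.append("Electronic Identity Assurance must be >= NIST3")
    missing = [name for name in AUDIT_ATTRIBUTES if not attrs.get(name)]
    if missing:
        reasons.append("audit attributes missing: " + ", ".join(missing))
    return (not reasons), reasons


# Constructed sample assertions (not real users): a sworn officer who qualifies via
# intel search privilege plus 28 CFR certification, and one who does not.
OFFICER = {name: "x" for name in AUDIT_ATTRIBUTES}
OFFICER.update(SwornLawEnforcementOfficer=True, CriminalIntelSearchPrivilege=True,
               Cert28CFR=True, IdentityProofingAssurance="NIST4",
               ElectronicIdentityAssurance="NIST3")
ANALYST = dict(OFFICER, Cert28CFR=False, ElectronicIdentityAssurance="NIST2")

if __name__ == "__main__":
    for who, attrs in (("officer", OFFICER), ("analyst", ANALYST)):
        granted, why = evaluate_cleris_policy(attrs)
        print(who, "GRANTED" if granted else "DENIED", why)
```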
Slide 7
Summary of Identity Federation Components
1. A process for establishing trust of electronic credentials and attributes issued by external partner or third-party organizations
2. Conformance to one or more technical Federation Standard(s) for conveying Federated IDs and attributes to one or more Service Providers (Relying Parties) (e.g. SAML Single Sign-on for Web Browsers)
3. Utilization of a common vocabulary of Identity and Privilege Attributes for assertion by IdPs (e.g. GFIPM metadata)
4. Service Providers (Relying Parties) defining the attributes they require to make access control decisions to their resource(s)
Slide 8
National Identity Exchange Federation
Online at https://nief.gfipm.net/
Slide 9
What is NIEF? National Identity Exchange Federation (NIEF)
• NIEF is an Instance of the GFIPM Technical and Policy Standards and Guidance
• An Authorized Set of Trusted Identity Providers (IdPs)
• An Authorized Set of Service Providers (SPs)
• IdPs and SPs Have Mutual Technical and Policy Obligations as Specified in the GFIPM Governance Policy Documentation
• All IdPs and SPs Must Undergo the NIEF Formal Onboarding Process
Slide 10
Formal Onboarding Test Suite
3.4 Passed All Technical Interoperability Tests for Identity Provider (IDP)?
- All interoperability tests are to be conducted in the GFIPM Reference Federation.
- Use "PASSED" or "FAILED" for status. Also indicate the test date. Use "N/A" if not applicable.
- See Section 6 of GFIPM Web Browser User-to-System Profile: http://it.ojp.gov/docdownloader.aspx?ddid=1336
- Note: IDPs are not required to be Internet accessible, so many of these tests may not be independently verifiable.
3.4.1 IDP is accessible via HTTPS (HTTP over TLS) only - NOT unencrypted HTTP. Spec requires TLS 1.0, but in practice TLS >1.0 is OK if required by the IDPO's local security policy.
3.4.2 IDP's TLS cert is signed by a well-known CA. This is necessary for usability. If not, security warnings will appear in browsers.
3.4.3 IDP accepts AuthnRequests via SAML HTTP POST or SAML HTTP Redirect binding. This is necessary to support "SP-Initiated" SSO.
3.4.4 IDP properly signs SAML SSO responses.
3.4.5 IDP properly signs SAML assertions.
3.4.6 IDP properly encrypts SAML assertions.
3.4.7 IDP properly uses SAML RelayState when posting SAML responses to SPs.
- For solicited responses, this requires copying the RelayState as-is from the corresponding AuthnRequest.
- For unsolicited responses, this is the destination URL at the SP.
3.4.8 IDP uses appropriate SAML NameID formats. Must use the NameID format requested in the AuthnRequest, OR the format specified in SAML Metadata (trust fabric), OR default to one of the SAML SSO profile's required formats.
3.4.9 IDP includes a SAML attribute statement in its SAML assertions. Rules pertaining to individual attributes in the attribute statement are enumerated below.
3.4.10 IDP asserts ALL of NIEF's "mandatory" attributes.
- See GFIPM Metadata 2.0 NIEF Profile for mandatory attributes. (It's available for download on the NIEF Portal.)
- Attribute names and attribute name types must BOTH be correct.
3.4.11 IDP asserts most or all of NIEF's "recommended" attributes.
- See GFIPM Metadata 2.0 NIEF Profile for recommended attributes. (It's available for download on the NIEF Portal.)
- Enumerate all recommended attributes that are NOT asserted by the IDP.
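Several of the items above can be checked mechanically by the SP side of a reference-federation test. The added example below (not code from the slides, GFIPM or NIEF) runs those checks on a constructed SAML Response: items 3.4.4 and 3.4.5 are reduced to "a ds:Signature element is present" (cryptographic verification against the IdP certificate in the trust file is a separate step), 3.4.7 compares the RelayState received with the one the SP sent, 3.4.8 compares the NameID Format with the requested one, and 3.4.10 uses an assumed mandatory set written in GFIPM 2.0 URI style; it also assumes the assertion has already been decrypted (3.4.6), so the Response holds a plain saml:Assertion.

```python
# Added example: conformance checks on a decrypted SAML SSO Response for
# onboarding items 3.4.4/3.4.5 (signatures present), 3.4.7 (RelayState echoed),
# 3.4.8 (NameID format) and 3.4.10 (mandatory attributes). Only the presence of
# ds:Signature is checked; signature verification itself is out of scope here.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed mandatory set for this example, in GFIPM 2.0 URI style; the
# authoritative list is the GFIPM Metadata 2.0 NIEF Profile.
MANDATORY = {"gfipm:2.0:user:GivenName", "gfipm:2.0:user:SurName",
             "gfipm:2.0:user:FederationId", "gfipm:2.0:user:EmailAddressText"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_sso_response(response_xml, relay_state_received, relay_state_sent, requested_format):
    """Return {test item: passed} for a solicited (SP-initiated) SSO response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    nameid = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    asserted = {a.get("Name") for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "3.4.4 response signed": root.find("ds:Signature", NS) is not None,
        "3.4.5 assertion signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "3.4.7 relaystate echoed": relay_state_received == relay_state_sent,
        "3.4.8 nameid format": nameid is not None and nameid.get("Format") == requested_format,
        "3.4.10 mandatory attrs": MANDATORY <= asserted,
    }


# Constructed sample response (signature elements are empty stand-ins); it omits
# EmailAddressText on purpose so that the 3.4.10 check reports FAILED.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="https://sp.example.org/acs">
  <ds:Signature/>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature/>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">user1</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="gfipm:2.0:user:GivenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="gfipm:2.0:user:SurName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="gfipm:2.0:user:FederationId"><saml:AttributeValue>user1</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for item, ok in check_sso_response(SAMPLE_RESPONSE, "/app/home", "/app/home", PERSISTENT).items():
        print(item, "PASSED" if ok else "FAILED")
```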
Slide 11
Trusted IdP/SP Agreement
• Provide support for a Federated ID electronic credential with the broadest acceptance by multiple jurisdictions and organizations. – (Similar to the goals of a U.S. Passport or a state Drivers License credential)
• Provide technical interoperability testing/support with multiple Open Source and Commercial Federation software products.
• Maintain and Field Test GFIPM Technical/Management Standards– Backend Attribute Exchange (BAE) pilot testing– Attribute Authority access – OpenID Connect – REST/JSON standard for mobile application federated ID– FICAM alignment certification (optional)
• An operational Identity Federation for Federal, State, local Justice and Public Safety organizations and partners using a consistent process for onboarding IDP’s and SP’s.
Slide 12
GFIPM Governance Model
• Representative Federation Governance
– Scope of governance is limited to ID and privilege mgmt issues and underlying inter-agency trust
– Governance of federation services is outside scope
• Formal Application and Onboarding Processes
• Formal Interoperability Testing Process
– Tests are done in a non-live "reference" federation
• "Federation Manager" Agency Provides Support for the Governance Process
Slide 13
GFIPM Governance Model
Slide 14
Federation Management Role
• Onboarding IdPs and SPs
– Agreements / MOU for an IdP or SP
– Review of Submitted Security Practices Documentation
– Verification and Interoperability Testing of IdP/SP
– Approval of IdP/SP Documentation and Documented Roles/Responsibilities for the IdP and SP per an Onboarding Federation Agreement
• Ongoing Maintenance
– Monitor Online/Offline Status of IdP/SP
– Publish New IdPs and SPs to Federation Directory of Services
– Update Contact Information
– Provide Help Desk Triage
– Distribute Updates to "Crypto-Trust File" [new IdP/SP]
Slide 15
Federation Management Role (continued)
• If required, establish a legal entity for signed IdP/SP agreements with the Federation
– Define IdP/SP Audit Requirements
– Define Dispute Resolution Process
– Establish Liability Insurance
– Define Process for Removing IdP/SP from "Crypto-Trust File"
Slide 16
Connecting to Federated Partners
Slide 17
[Diagram: the GFIPM Federation connecting partners over the Secured Internet (https with mutual authentication), each partner holding its own AuthID: RISS; State & Local Fusion Centers; CJIS FBI Portal; CONNECT Project (Alabama, Florida, Kansas, Nebraska, Tennessee, Utah, Wyoming); LA County CCHRS; San Diego County ARJIS; CISA; Pennsylvania JNET]
Slide 18
NIEF Website
• Provides Public-facing Info about NIEF Online
– List of Current Members
– Instructions for Prospective Members
– Frequently Asked Questions
– Contact Info
• Online at https://nief.gfipm.net/
Slide 19
System-to-System – SOA Use Case
[Diagram: two trust domains (Trust Domain A, Trust Domain B) joined through the FEDERATION via App Interfaces; each domain's Existing Community Infrastructure (federal, state, local, regional, program, etc.) holds Intelligence, Investigative and First Responder Apps, Docs and Databases]
Slide 20
GFIPM Web Services Model #1
Slide 21
GFIPM Web Services Model #2
Slide 22
GFIPM Solutions Benefits
• Provide More Data for your User Base
• Provide your Data to a Larger User Base
• Reduce or Eliminate External System Access and Administration
• Secured System Data Exchange
• No Mandate, but Must Interoperate
• Single, Reusable Infrastructure and Security Framework for Secured National Sharing
Slide 23
GFIPM Solutions Benefits
• Cost-effective Solution
• Leverage Local Identity Management Systems and Policies (closest to the user)
• User Identity Information is Maintained in ONE Place with the Local Organization Identity Management System (IdP)
• User Authenticates once to Local IdP and Uses that Single Sign-on (SSO) to Gain Access to Multiple Authorized Federated Systems
• Federation System Using the Standard NIEM Justice Identity Credential – Integration is Simplified
Slide 24
GFIPM Reference Federation
• Managed by GTRI for Interoperability Testing by all GFIPM Stakeholders
• Used by NIEF as Part of the Onboarding Test Process prior to Live Onboarding
• Info available at http://ref.gfipm.net/
• GFIPM Implementation Portal
– Info available at http://gfipm.net/implementation.html