Post on 31-Mar-2015

Federal CIO Council, Information Security and Identity Management Committee

IDManagement.gov

Externalizing Authentication

Federal ICAM Day

June 18, 2013


Panel Participants

• Phil Wenger, OMB
• Douglas Glair, USPS
• Anil John, GSA (Moderator)


Align Collaborate Enable

http://www.IDManagement.gov

Phil Wenger, OMB

Externalizing Authentication using MAX Authentication as a Service (AaaS)

Phil Wenger, OMB

June 2013

ICAM Information Sharing Day and Vendor Expo

Key Takeaways

• Understand the MAX Ecosystem
• Understand how Agencies can externalize authentication using MAX's Shared Credentialing, Provisioning, Authentication, and Authorization Services

MAX.gov - A Complete Cloud Services Platform

• Identity Management & SSO
• Collaboration
• Analytics
• Data Collections & Surveys
• Web Meetings
• Remote Desktops for Telework
• Federated Search
• Wiki & Web Content
• Document Management
• Social Networking & Publishing
• Government-wide Directory

Enabling the "Shared First" and "Cloud First" eGov Policies


MAX AaaS provides Government-wide ID

Scope: Intra-agency; Inter-agency (Government-to-Government); State, Local, International, and Non-Governmental Partners; The Public

• Policymaking, Management and Budget class of activities
• Available for use by agencies for both cross-government and intra-agency activities
• User accounts available for interactions with non-governmental partners in secure Enclaves
• Plus state, local, international, & non-governmental partner users

What MAX AaaS Provides to Agencies

Immediate Government-wide Identity
• Allow citizen access to agency websites using NSTIC or anonymous logins while enforcing admin access via MAX ID
• Use government-wide organic and organizational MAX groups for role-based access control and fine-grained permissions

Rapid HSPD-12, DOD CAC PIV Implementation
• Use MAX PIV validation service to meet eGov policies (OMB M-11-11, M-10-28)
• Use MAX PIV to SAML gateway service to map 2-factor identity to agency logins or MAX ID

Federation and Multi-Agency Single Sign-on
• Federate MAX Authentication with your Agency's Active Directory
• Federate MAX Authentication with SAML 2.0 Single Sign-on (SSO)

MAX AaaS Solution Benefits

• Instant Deployment: cloud based, C&A'd, FIPS 199 FISMA Moderate, mission-critical use
• Low Total Cost of Ownership: no new software to build or license
• Self-service delegated administration: eases management burden
• Dual authentication: augments existing identities
• Government-wide Directory: automatically maintained

MAX AaaS - Scope

• Auto Registration for .gov, .mil and other domains
• 85,000+ users
• 6,000+ user groups
• Thousands of HSPD-12 users from 90+ agencies
• Federal, State, Local, International, and Non-government partner users

MAX AaaS – Multiple Login Methods

Web Services that support HSPD-12 and ICAM SAML 2.0 Web Browser SSO Profile
http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf

• Choose between single-factor, dual-factor, or federated login
• PIV validation and mapping service: full path building, validation, revocation checking; identity data extraction and normalization; can be mapped to your agency ID
• Federate your agency Active Directory or SAML 2.0 instances

How Agencies have Externalized Authentication using MAX AaaS Today

One MAX ID signs users in to MAX Apps, eGov Apps, Agency Apps and Other Apps, for example:

• IT Dashboard, Data.Gov, Performance.Gov
• DOJ CyberScope
• BFEM
• MAX A11, Apportionment
• Adobe Connect Online Meetings
• Wordpress
• Drupal
• Active Directory

BFELoB Organization and Contacts

• Executive Sponsor: Courtney Timberlake, Assistant Dir. for Budget, OMB
• Managing Partner: Tom Skelly, Director of Budget Service, Education
• Policy Lead: Andy Schoenbach, Chief, Budget Systems Branch, OMB
• Deputy Policy Lead: Phil Wenger, Budget Systems Branch, OMB
• Program Management Office Lead: Mark Dronfield, Education
• MAX Authentication Lead: Barry Napear, Budget Systems Branch, OMB
• MAX Architect: Shahid Shah, Budget Systems Branch (CTR), OMB

Learn More about the Budget LoB: www.BudgetLoB.gov
Visit MAX.gov: www.max.gov
Contact the Budget LoB: BudgetLoB@Ed.gov
Contact MAX Support: 202 395-6860


MAX Authentication as a Service (AaaS), sponsored by the Budget Formulation and Execution Line of Business (BFELoB)

BACKGROUND SLIDES

MAX AaaS: Full featured identity services

• Self-Service Provisioning: common identity, profile, and directory; self service registration and account management; auto-provisioning for .gov, .mil, etc.; identity assurance for Levels 2 and 3
• Multi-factor Authentication: single factor (user/password); multi factor (PIV/PIV-I/CAC); federated (SAML2, ADFS); Machine2Machine (M2M)
• Delegated Authorization: group management; role management; delegated administration; SAML

Self Service User Provisioning Process

1. Agency user and his/her management define the need to access MAX (employee, contractor, partner)
2. User self registers on line at the MAX portal, https://max.gov
3. User accepts the MAX User Agreement
4. Email confirmation sent to user
5. MAX validates the user's email address; MAX checks the sponsor requirement for outside users

Less than 5 minutes to get an account for "trusted domains"
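The triage behind steps 4 and 5, as an added example that is not MAX.gov code: decide from the e-mail domain whether an account can be auto-provisioned or needs a sponsor, and bind the e-mail confirmation to the address with an HMAC. The trusted-domain rule (.gov and .mil plus an allow-list), the hypothetical allow-listed domain, the token format and the 24-hour lifetime are assumptions made for illustration. The one check worth copying is the domain match: it compares the final DNS label, because a suffix or substring match on ".gov" would admit omb.eop.gov.evil.example.

```python
"""Self-service registration triage for a MAX-style identity portal.

Constructed example, not MAX.gov code. The domain policy, the allow-list
and the confirmation-token format are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Assumed policy: .gov and .mil addresses (plus an explicit allow-list of
# "other domains") are auto-provisioned; anyone else needs a sponsor who
# holds an auto-provisionable address before the account becomes active.
AUTO_PROVISION_TLDS = ("gov", "mil")
AUTO_PROVISION_DOMAINS = {"usps.com"}          # hypothetical allow-listed domain
CONFIRM_KEY = secrets.token_bytes(32)          # per-deployment HMAC key
CONFIRM_TTL = 24 * 3600                        # confirmation link lifetime (seconds)


def email_domain(address):
    """Return the lower-cased domain of a simple addr-spec, or None if malformed."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or "@" in local:
        return None
    labels = domain.lower().rstrip(".").split(".")
    # Every label non-empty and at least two labels: "gov" alone is not a domain.
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels)


def registration_path(address):
    """'auto' (trusted domain), 'sponsor' (outside user) or 'reject' (malformed)."""
    domain = email_domain(address)
    if domain is None:
        return "reject"
    # Match on the final DNS label, never on a substring or suffix string:
    # "omb.eop.gov.evil.example" contains ".gov" but is not a .gov address.
    if domain.rsplit(".", 1)[-1] in AUTO_PROVISION_TLDS:
        return "auto"
    if domain in AUTO_PROVISION_DOMAINS:
        return "auto"
    return "sponsor"


def issue_confirmation(address, now=None):
    """Build a time-limited, HMAC-protected e-mail confirmation token."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{address.strip().lower()}|{now}"
    tag = hmac.new(CONFIRM_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def confirm(token, address, now=None):
    """True only if the token is authentic, unexpired and bound to this address."""
    now = int(time.time()) if now is None else int(now)
    try:
        tok_address, issued, tag = token.rsplit("|", 2)
        issued = int(issued)
    except ValueError:
        return False
    expected = hmac.new(CONFIRM_KEY, f"{tok_address}|{issued}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return False
    if tok_address != address.strip().lower():
        return False
    return 0 <= now - issued <= CONFIRM_TTL


def provision(address, sponsor=None):
    """Account state once the address is confirmed: active, pending_sponsor or rejected."""
    path = registration_path(address)
    if path == "reject":
        return "rejected"
    if path == "auto":
        return "active"
    # Outside user: only a sponsor from a trusted domain can activate the account.
    if sponsor and registration_path(sponsor) == "auto":
        return "active"
    return "pending_sponsor"


if __name__ == "__main__":
    for addr in ("alice@omb.eop.gov", "bob@contractor.example",
                 "mallory@omb.eop.gov.evil.example"):
        print(addr, "->", registration_path(addr))
    tok = issue_confirmation("alice@omb.eop.gov")
    print("confirm:", confirm(tok, "alice@omb.eop.gov"))
```

The sponsor rule in `provision` is deliberately strict: a sponsor who is themselves an outside user cannot vouch for another outside user, so the chain of trust always ends at a trusted-domain address.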

Self or Managed Authorization Process

1. User and his/her management define the MAX application and role to access
2. User applies for application access via the MAX portal
3. MAX or a delegated admin reviews the access request
4. MAX assigns the user to groups, communities and/or applications as authorized by the user's management
5. MAX notifies the user and the application administrators

MAX Identity Management (IDM) Services

Enhanced IDM AaaS: JSON based RESTful Web Services

Provides APIs for MAX Identities, Profiles, Groups, and Authorization data

MAX PIV Validation (PV) Services

• Full path building, validation, revocation checking
• Identity data extraction / normalization
• PV / PKIF: The PKI Framework

Provides APIs for PIV/PIV-I/CAC validation and identity data extraction. "Public" service available: https://pv.test.max.gov/

MAX PIV-to-SAML Translation Services

Perform MAX PIV Validation → Map to MAX ID → Translate to SAML → Pass Assertion to App

• Performs PIV validation, maps to MAX ID, then translates to SAML
• Apps do not need to be aware of PIV validation details (they are given the assurance level as part of the SAML assertion)

Agency AD/LDAP Integration (Federation)

Supports ICAM SAML 2.0 Web Browser SSO Profile
http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf

MAX HSPD-12 Authentication Process

Diagram labels: Internet, HSPD-12 Certificate, SSL/TLS, Apache Proxy, Authenticate, Identities Directory, Apps

1. User connects to MAX and receives the Login Page
2. User enters user/pass or inserts the HSPD-12 card into the reader and selects PIV login
3. For HSPD-12 login, the browser establishes a TLS connection to the Proxy, and the Proxy requests a certificate
4. Browser extracts the certificate from the card and forwards it to the Proxy
5. Proxy forwards the certificate to CAS
6. CAS matches the certificate against the Identities Directory
7. CAS extracts the MAX ID and user profile information and prepares a SAML assertion
8. CAS "forwards" the SAML assertion to the application requesting authentication (no certificates are exchanged)

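Steps 5 to 8 above, and the PIV validation and PIV-to-SAML translation slides before them, describe one pipeline: validate the card certificate (path, signature, validity, revocation), extract the identity from it, look the identity up in the directory, and hand the app a SAML assertion that carries the assurance level instead of the certificate. The following added example (not MAX.gov, CAS or PKIF code) runs that pipeline end to end with the `cryptography` package. The CA, the card certificate, the CRL, the identities directory, the gateway entityID `https://max.gov/saml/idp` and the LOA URI `http://idmanagement.gov/ns/assurance/loa/4` are all constructed or assumed here so it runs offline; the assertion is left unsigned, where a real gateway would apply an XML signature before passing it on.

```python
"""PIV validation, directory mapping and PIV-to-SAML translation (constructed example,
not MAX.gov, CAS or PKIF code; needs the `cryptography` package). CA, card certificate,
CRL, identities directory, gateway entityID and LOA URI are all made up so it runs
offline. The assertion is built unsigned; a real gateway signs it (XML-DSig) first."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # UPN otherName in PIV auth certs
LOA4_URI = "http://idmanagement.gov/ns/assurance/loa/4"     # assumed ICAM LOA URI
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NOW = datetime.now(timezone.utc)
IDENTITIES_DIRECTORY = {"1234567890@fedidcard.gov": "MAX-000123"}  # constructed UPN -> MAX ID

def _utf8string(text):  # minimal DER UTF8String encoder (payload shorter than 128 bytes)
    raw = text.encode()
    return b"\x0c" + bytes([len(raw)]) + raw

def make_ca(common_name="Example Agency PIV CA"):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_piv_auth_cert(ca_key, ca_cert, upn, not_before=None, not_after=None):
    """Card certificate carrying the holder's UPN in the SAN, as a PIV auth cert does."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])])
    san = x509.SubjectAlternativeName([x509.OtherName(UPN_OID, _utf8string(upn))])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before or NOW - timedelta(days=1))
            .not_valid_after(not_after or NOW + timedelta(days=365))
            .add_extension(san, critical=False).sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - timedelta(hours=1)).next_update(NOW + timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def validate_piv(cert, trust_anchor, crl, now=NOW):
    """Path build/validate for a one-level chain plus CRL check; returns the UPN or raises."""
    if cert.issuer != trust_anchor.subject:
        raise ValueError("issuer name does not chain to the trust anchor")
    if not trust_anchor.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        raise ValueError("trust anchor is not a CA")
    try:  # a matching issuer name proves nothing; the signature must verify under the anchor key
        trust_anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                         padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        raise ValueError("certificate signature does not verify")
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not nb <= now <= na:
        raise ValueError("certificate outside its validity period")
    if not crl.is_signature_valid(trust_anchor.public_key()):
        raise ValueError("CRL signature does not verify")
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        raise ValueError("certificate revoked")
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return other.value[2:].decode()  # strip the DER tag and length
    raise ValueError("no UPN in subjectAltName")

def piv_to_saml(cert, trust_anchor, crl, audience, now=NOW):
    """Gateway: validate the card cert, map it to a MAX ID, emit an unsigned SAML assertion."""
    upn = validate_piv(cert, trust_anchor, crl, now)
    max_id = IDENTITIES_DIRECTORY.get(upn)
    if max_id is None:
        raise ValueError("validated card is not enrolled in the identities directory")
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    el = lambda parent, tag, **attrs: ET.SubElement(parent, f"{{{SAML}}}{tag}", attrs)
    root = ET.Element(f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16), Version="2.0",
                      IssueInstant=stamp(now))
    el(root, "Issuer").text = "https://max.gov/saml/idp"  # assumed gateway entityID
    el(el(root, "Subject"), "NameID").text = max_id
    cond = el(root, "Conditions", NotBefore=stamp(now), NotOnOrAfter=stamp(now + timedelta(minutes=5)))
    el(el(cond, "AudienceRestriction"), "Audience").text = audience
    ctx = el(el(root, "AuthnStatement", AuthnInstant=stamp(now)), "AuthnContext")
    el(ctx, "AuthnContextClassRef").text = LOA4_URI  # the app reads its assurance level here
    return max_id, ET.tostring(root, encoding="unicode")
```

Two points this makes that the slide does not: a certificate from a different CA whose subject name happens to match the trust anchor passes the name check and is stopped only by the signature check, so the order of checks in `validate_piv` matters; and a card that validates but is not in the identities directory is a hard failure, not a fallback to a weaker login.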


Douglas Glair, USPS

Doug Glair – Manager, Digital Partnerships and Alliances – United States Postal Service

Federal Cloud Credential Exchange (FCCX)

Market Problem (Government)

• Requires Agencies to integrate with multiple Identity Service Providers (IDPs)
• Requires IDPs to integrate with multiple Agencies

The Solution (FCCX)

Federal Cloud Credential Exchange (FCCX) enables the NSTIC and ICAM vision of interoperable credential usage by allowing agencies to securely interact with a single "broker" to facilitate the authentication of consumers

• Creates a single interface between Agencies and IDPs
• Speeds up integration
• Reduces costs and complexity

NIST Levels of Assurance (LOA)

FCCX will integrate with ICAM approved IDPs across the Levels of Assurance (LOA) defined by NIST and approved via the ICAM Trust Framework Solutions (complexity and security increase with each level):

• LOA 1: Little or no confidence in asserted identity (self-assertion). Approved IdPs: Equifax, Google, PayPal, Symantec, VeriSign, Verizon, Wave Systems, Virginia Tech
• LOA 2: Some confidence in asserted identity. Approved IdPs: Symantec, Verizon, Virginia Tech
• LOA 3: High confidence in asserted identity. Approved IdPs: Symantec, Verizon
• LOA 4: Very high confidence in asserted identity. Approved IdPs: PIV/PIV-I Cards
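What the approval table means for the relying side (the broker, or an agency consuming the broker's assertion), as an added example that is not FCCX code: an assertion is accepted only if its issuer is an approved IdP, it is inside its validity window and addressed to this audience, and the assurance it claims, clamped to the level that IdP is approved for, meets the application's requirement. The issuer entityIDs, the LOA URI form `http://idmanagement.gov/ns/assurance/loa/N`, and the sample assertions are assumptions; the per-IdP maximum levels follow the table above. Signature verification (XML-DSig against the IdP's or broker's signing certificate) must run before any of this and is omitted here.

```python
"""Relying-party acceptance check for a brokered SAML assertion.

Constructed example, not FCCX code. Issuer entityIDs, the LOA URI form and the
sample assertions are assumptions; the per-IdP maximum LOA follows the slide's
approval table. XML-DSig verification must precede this check and is omitted.
"""
import xml.etree.ElementTree as ET    # use defusedxml in production
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LOA_PREFIX = "http://idmanagement.gov/ns/assurance/loa/"   # assumed ICAM LOA URI form

# Highest LOA each IdP is approved to assert (hypothetical entityIDs).
APPROVED_IDPS = {
    "https://idp.google.example": 1,
    "https://idp.paypal.example": 1,
    "https://idp.virginiatech.example": 2,
    "https://idp.symantec.example": 3,
    "https://idp.verizon.example": 3,
}


def parse_loa(uri):
    """Map an AuthnContextClassRef to 1..4, or None if it is not an LOA URI."""
    if not uri or not uri.startswith(LOA_PREFIX):
        return None
    try:
        level = int(uri[len(LOA_PREFIX):])
    except ValueError:
        return None
    return level if 1 <= level <= 4 else None


def parse_time(text):
    """SAML dateTime in the UTC 'Z' form only; anything else is rejected."""
    try:
        return datetime.strptime(text or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def check_assertion(xml_text, audience, required_loa, now):
    """Return (accepted, reason, name_id, effective_loa)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    approved_max = APPROVED_IDPS.get(issuer)
    if approved_max is None:
        return False, "issuer not an approved IdP", None, None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions", None, None
    not_before = parse_time(cond.get("NotBefore"))
    not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
    if not_before is None or not_on_or_after is None:
        return False, "malformed validity window", None, None
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside validity window", None, None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "audience mismatch", None, None
    asserted = parse_loa(root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS))
    if asserted is None:
        return False, "no recognised LOA in AuthnContext", None, None
    # Clamp: an IdP cannot claim more assurance than the trust framework approved for it.
    effective = min(asserted, approved_max)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if effective < required_loa:
        return False, "insufficient assurance", name_id, effective
    return True, "ok", name_id, effective


ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_{id}" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="{nb}"><saml:AuthnContext>
    <saml:AuthnContextClassRef>{loa_prefix}{loa}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""


def sample_assertion(issuer, name_id, loa, audience,
                     nb="2013-06-18T11:55:00Z", na="2013-06-18T12:05:00Z"):
    """Constructed (unsigned) assertion text for exercising check_assertion."""
    return ASSERTION_TEMPLATE.format(id="a1", issuer=issuer, name_id=name_id, loa=loa,
                                     audience=audience, nb=nb, na=na, loa_prefix=LOA_PREFIX)
```

The clamp is the broker-specific part: a LOA 1 identity provider that emits a LOA 3 context class is not an error to be logged and forgiven, it is a claim the relying party must refuse to honour, and `check_assertion` reports the clamped level alongside the rejection so the caller can see what was actually asserted.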

FCCX Anticipated User Experience Flow (flow diagram; not reproduced in the transcript)
