Federated Identity and Interoperability: Federal e-Authentication Initiative
David Temoshok Director, Identity Policy and Management
GSA Office of Governmentwide Policy
The E-Authentication Initiative
Educause Net@EDU Annual Meeting, February 7, 2005
Session Objectives
Provide status of ID Federation efforts in government and industry
Discuss key infrastructure needed for ID Federation
Discuss issues related to interoperability for ID Federation
Discuss Federal e-Authentication initiative infrastructure
Present the goals of the Electronic Authentication Partnership and how it facilitates identity federation
Background
Industry snapshot – federated identity
Federated identity definition
• Agreements, standards, technologies that make identity and entitlements portable across loosely coupled, autonomous domains
Standards and specifications
• Security Assertion Markup Language (SAML) 1.0, 1.1, 2.0
• Liberty Alliance, Shibboleth, and Web services security
Adoption
• Burton Group cites over 200 organizations implementing SAML plus other specifications, in multiple industries
Vendors
• Multiple identity management and other vendors have implemented SAML and federated identity in COTS products
Interoperability, trust, deployment still challenging
Identity Federation – Key Interoperability Needs
Federation Communications (Technical Interoperability)
Federation Business Relationships (Business Interoperability)
Federation Trust (Policy Interoperability)
Identity Federations extend beyond current peer-to-peer, bi-lateral agreements to build common infrastructure shared among multiple parties.
Federation Infrastructure
• Interoperable Technology (Communications)
  Determine intra-Federation communication architecture
  Administer common interface specifications, use cases, profiles
  Conduct interoperability testing (as needed) according to the specifications
  Provide a common portal service (i.e., discovery and interaction services)
• Trust
  Establish common trust model
  Administer common identity management/authentication policies for Federation members
• Business Relationships
  Establish and administer common business rules
  Manage relations among relying parties and CSPs
  Manage compliance/dispute resolution
President’s Management Agenda
• 1st Priority: Make Government citizen-centered.
• 5 Key Government-wide Initiatives:
  Strategic Management of Human Capital
  Competitive Sourcing
  Improved Financial Performance
  Expanded Electronic Government
  Budget and Performance Integration
PMC E-Gov Agenda (lead agency in parentheses)
Government to Government: 1. e-Vital (business case) (SSA); 2. Grants.gov (HHS); 3. Disaster Assistance and Crisis Response (FEMA); 4. Geospatial Information One Stop (DOI); 5. Wireless Networks (FEMA)
Internal Effectiveness and Efficiency: 1. e-Training (OPM); 2. Recruitment One Stop (OPM); 3. Enterprise HR Integration (OPM); 4. e-Travel (GSA); 5. e-Clearance (OPM); 6. e-Payroll (OPM); 7. Integrated Acquisition (GSA); 8. e-Records Management (NARA)
Government to Business: 1. Federal Asset Sales (GSA); 2. Online Rulemaking Management (EPA); 3. Simplified and Unified Tax and Wage Reporting (Treasury); 4. Consolidated Health Informatics (business case) (HHS); 5. Business Gateway (SBA); 6. Int’l Trade Process Streamlining (DOC)
Government to Citizen: 1. USA Service (GSA); 2. EZ Tax Filing (Treasury); 3. Online Access for Loans (DoED); 4. Recreation One Stop (DOI); 5. Eligibility Assistance Online (Labor)
Cross-cutting Infrastructure: eAuthentication (GSA)
The Starting Place for e-Authentication: Key Policy Points
For Governmentwide deployment:
No National ID.
No National unique identifier.
No central registry of personal information, attributes, or authorization privileges.
Different authentication assurance levels are needed for different types of transactions.
And for e-Authentication technical approach:
No single proprietary solution
Deploy multiple COTS products -- users’ choice
Products must interoperate together
Controls must protect privacy of personal information.
The Federal E-Authentication Service
Diagram (recovered from figure): Application User, Access Point (Discovery Portal), Credential Service Provider, Agency Application, connected by Steps 1 to 3.
Step 1: At access point (portal, agency Web site or credential service provider) user selects agency application and credential provider (Discovery Portal)
Step 2:
• User is redirected to selected credential service provider
• If user already possesses credential, user authenticates
• If not, user acquires credential and then authenticates
Step 3: Credential service hands off authenticated user to the agency application user selected at the access point
Central Issue with Federated Identity – Who do you Trust?
Trust Network diagram (recovered from figure): Governments (Federal, States/Local, International); Higher Education (Universities, PKI Bridge); Healthcare (American Medical Association, Patient Safety Institute); Travel Industry (Airlines, Hotels, Car Rental, Trusted Traveler Programs); E-Commerce Industry (ISPs, Internet Accounts, Credit Bureaus, eBay); Financial Services Industry (Home Banking, Credit/Debit Cards)
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.
280 Million Americans, Millions of Businesses, State/local/global Govts
The Need for Federated Identity Trust and Business Models
Technical issues for sharing identities are being solved, but slowly
Trust is the critical issue for deployment of federated identity
Federated ID networks have a strong need for trust assurance standards
• How robust are the identity verification procedures?
• How strong is this shared identity?
• How secure is the infrastructure?
Common business rules are needed for federated identity to scale
N² bi-lateral trust relationships are not a scalable business process
Common business rules are needed to define:
• Trust assurance and credential strength
• Roles and responsibilities of IDPs and relying parties
• Liabilities associated with use of 3rd party credentials
• Business relationship costs
• Privacy requirements for handling Personally Identifiable Information (PII)
The Federal e-Authentication Initiative will provide a trust framework to integrate policy, technology, and business relationships across disparate and independent identity systems
Multiple Authentication Assurance Levels to meet multiple risk levels
Chart (recovered from figure): assurance levels Very High, High, Medium, Standard, Low; example transactions, from least to greatest need for identity assurance: Surfing the Internet, Access to Protected Website, Applying for a Loan Online, Obtaining Govt. Benefits, Employee Screening for a High Risk Job; credential types, from lowest to highest cost: Click-wrap, Knowledge-Based, PIN/Password, Multi-Factor Token, PKI/Digital Signature
Axes: Increased $ Cost; Increased Need for Identity Assurance
e-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice 12/16/03)
2. Establish standard methodology for e-Authentication risk assessment (ERA) 2/04
3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance 6/04)
4. Establish methodology for evaluating credentials/providers on assurance criteria (FBCA & Credential Assessment Framework 11/03)
5. Assess CSPs and maintain trust list of trusted CSPs for govt-wide (and private sector) use 2/04
6. Establish common business rules for use of trusted 3rd-party credentials (11/04)
7. Test products and implementations for interoperability (2/04)
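As an added example, not from the presentation, here is how an agency application acting as relying party might apply this trust model at the hand-off in step 3 of the service flow: the application's required assurance level comes from its risk assessment (OMB M-04-04 defines levels 1 to 4), the CSP's assessed level comes from the trust list, and the assertion is accepted only if the issuer is trusted, the assertion is for this application and unexpired, and the effective level meets the requirement. The trust-list entries, URLs and assertion fields are assumptions.

```python
# Constructed example of a relying-party acceptance check; CSP URLs and
# assessed levels below are hypothetical, not the real trust list.
from dataclasses import dataclass

# Trust list: issuer -> highest OMB M-04-04 assurance level (1-4) the CSP
# was assessed for under the Credential Assessment Framework.
TRUSTED_CSPS = {
    "https://csp.example.gov/idp": 3,
    "https://id.example.com/sso": 2,
}


@dataclass
class Assertion:
    """Minimal view of what a CSP hands to the agency application in step 3."""
    issuer: str           # CSP that authenticated the user
    subject: str          # identifier of the authenticated user
    audience: str         # agency application the assertion was issued for
    level: int            # assurance level the CSP claims for this login
    not_on_or_after: int  # expiry as Unix epoch seconds


def relying_party_decision(assertion, app_id, required_level, now):
    """Return (accepted, reason). `required_level` is the level the
    application's e-Authentication risk assessment assigned to it."""
    assessed = TRUSTED_CSPS.get(assertion.issuer)
    if assessed is None:
        return False, "issuer not on trust list"
    if assertion.audience != app_id:
        return False, "assertion issued for a different application"
    if now >= assertion.not_on_or_after:
        return False, "assertion expired"
    # A CSP cannot vouch above its assessed level: use the lower of the two.
    effective = min(assertion.level, assessed)
    if effective < required_level:
        return False, f"assurance level {effective} below required {required_level}"
    return True, f"accepted at level {effective}"


if __name__ == "__main__":
    now = 1_700_000_000
    # The CSP claims level 3 but was only assessed to level 2, so this is refused.
    a = Assertion("https://id.example.com/sso", "user42", "benefits-app", 3, now + 300)
    print(relying_party_decision(a, "benefits-app", 3, now))
```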
Federal Interoperability Lab
Tests interoperability of products for participation in e-Authentication architecture.
Conformance testing to Fed e-Authentication Interface Specification
Interoperability testing among all approved products
Currently 10 SAML 1.0 products on Approved Product List. See URL: http://cio.gov/eauthentication
Federal e-Authentication Program will adopt additional schemes: SAML 2.0, Liberty Alliance, Shibboleth
Protocol Translator is required for technical architecture
Multiple protocol interoperability testing will be very complex
Federal Government will operate Interoperability lab until protocol/product convergence or industry test lab is in place
Approved products list is publicly available.
The Approach to a U.S. Federal PKI
Agencies implement their own PKIs
Create a Federal Bridge CA using COTS products to bind Agency PKIs together
Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge CA
Ensure directory compatibility
Use ACES for transactions with the public
A Snapshot of the U.S. Federal PKI
Diagram (recovered from figure): Federal Bridge CA linked to NFC PKI, NASA PKI, DOD PKI, Illinois PKI, CANADA PKI, ACES PKI, Treasury PKI, DOL PKI, Wells Fargo Bank, State Dept PKI, and the Higher Education Bridge CA, which in turn links several University PKIs.
The Need for the Electronic Authentication Partnership
Interoperability for: State/Local Governments, Industry, Federal Government, Commercial Trust Assurance Services
Diagram (recovered from figure): multiple IDPs and RPs joined through Policy, Technical, & Business Interoperability and Common Business and Operating Rules
Policy
• Authentication
• Assurance levels
• Credential Profiles
• Accreditation
• Business Rules
• Privacy Principles
Technology
• Adopted schemes
• Common specs
• User Interfaces
• APIs
• Interoperable COTS products
• Authz support
http://www.eapartnership.org/
What is the EAP?
• Multi-industry partnership creating a framework for interoperable authentication
  Plans to establish itself as a member-supported organization, and complete framework in early 2005
• Goals
  Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
  Eliminate or at least reduce the need for organizations to establish bilateral agreements
  Organizations would operate under common EAP rule set, resulting in multilateral trust
• In practice this means a federated approach
What the EAP is doing now for ID Federation
Current State of Industry: Bi-Lateral Pairs (diagram: each IDP paired with one SP/RP)
• Bi-lateral Agreements
• Pair-wise Trust Model
• Pair-wise Interface Spec and Products
EAP Objective: Multi-Party, Interoperable Federation (diagram: multiple IDPs and SP/RPs sharing one framework)
• Common Business Rules/Agreements
• Common Trust Model
• Common Interface Specification
• Interoperable Products
What the EAP envisions for ID Federation
EAP Vision: Multiple, Interoperable Federations (diagram: Federation 1, Federation 2 and Federation 3, each with multiple IDPs and SP/RPs, joined through the EAP)
EAP provides: Common Business Rules/Agreements, Common Trust Models, Common Basic Interface Specifications, Interoperable Products
Subject: Policy for a Common Identification Standard for Federal Employees and Contractors (1) Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). (2) To implement the policy set forth in paragraph (1), the Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard") not later than 6 months after the date of this directive in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the Director of the Office of Science and Technology Policy. The Secretary of Commerce shall periodically review the Standard and update the Standard as appropriate in consultation with the affected agencies.
Homeland Security Presidential Directive/HSPD-12
FIPS 201 Personal Identity Verification Standard
(3) "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).
(4) Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard. As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.
Homeland Security Presidential Directive/HSPD-12
Federal Personal Identification Verification Standard
HSPD-12 mandates a government-wide standard for secure and reliable forms of identification. The policy further defines the following criteria for a secure and reliable form of identification. The identification standard (PIV FIPS 201) will be:
• Based on sound criteria to verify an individual employee’s identity
• Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
• Rapidly verifiable electronically
• Issued by providers whose reliability has been established by an official accreditation process
• Applicable to all government organizations and contractors
• Used to grant access to Federally controlled facilities and information systems
• Flexible enough for agencies to select the appropriate security level for each application by providing graduated criteria from least secure to most secure
• Not applicable to identification associated with national security systems
• Implemented in a manner that protects citizens’ privacy
For More Information
David Temoshok, phone 202-208-7655, e-mail [email protected]
Websites:
http://cio.gov/eauthentication
http://www.eapartnership.org/
http://cio.gov/fpkipa
http://cio.gov/ficc