Federated Identity and Interoperability: Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy The E-Authentication Initiative Educause Net@EDU Annual Meeting February 7, 2005


Page 1:

Federated Identity and Interoperability: Federal e-Authentication Initiative

David Temoshok
Director, Identity Policy and Management
GSA Office of Governmentwide Policy

The E-Authentication Initiative

Educause Net@EDU Annual Meeting, February 7, 2005

Page 2:

Session Objectives

Provide status of ID Federation efforts in government and industry

Discuss key infrastructure needed for ID Federation

Discuss issues related to interoperability for ID Federation

Discuss Federal e-Authentication initiative infrastructure

Present the goals of the Electronic Authentication Partnership and how it facilitates identity federation

Page 3:

Background

Industry snapshot – federated identity

Federated identity definition
• Agreements, standards, technologies that make identity and entitlements portable across loosely coupled, autonomous domains

Standards and specifications
• Security Assertion Markup Language (SAML) 1.0, 1.1, 2.0
• Liberty Alliance, Shibboleth, and Web services security

Adoption
• Burton Group cites over 200 organizations implementing SAML plus other specifications, in multiple industries

Vendors
• Multiple identity management and other vendors have implemented SAML and federated identity in COTS products

Interoperability, trust, deployment still challenging

Page 4:

Identity Federation – Key Interoperability Needs

• Federation Communications (Technical Interoperability)
• Federation Business Relationships (Business Interoperability)
• Federation Trust (Policy Interoperability)

Identity Federations extend beyond current peer-peer, bi-lateral agreements to build common infrastructure shared among multiple parties.

Page 5:

Federation Infrastructure

• Interoperable Technology (Communications)
Determine intra-Federation communication architecture
Administer common interface specifications, use cases, profiles
Conduct interoperability testing (as needed) according to the specifications
Provide a common portal service (i.e., discovery and interaction services)

• Trust
Establish common trust model
Administer common identity management/authentication policies for Federation members

• Business Relationships
Establish and administer common business rules
Manage relations among relying parties and CSPs
Manage compliance/dispute resolution

Page 6:

President's Management Agenda

• 1st Priority: Make Government citizen-centered.

• 5 Key Government-wide Initiatives:
Strategic Management of Human Capital
Competitive Sourcing
Improved Financial Performance
Expanded Electronic Government
Budget and Performance Integration

Page 7:

PMC E-Gov Agenda (initiative – lead agency)

Government to Citizen
1. USA Service – GSA
2. EZ Tax Filing – Treasury
3. Online Access for Loans – DoED
4. Recreation One Stop – DOI
5. Eligibility Assistance Online – Labor

Government to Business
1. Federal Asset Sales – GSA
2. Online Rulemaking Management – EPA
3. Simplified and Unified Tax and Wage Reporting – Treasury
4. Consolidated Health Informatics (business case) – HHS
5. Business Gateway – SBA
6. Int'l Trade Process Streamlining – DOC

Government to Government
1. e-Vital (business case) – SSA
2. Grants.gov – HHS
3. Disaster Assistance and Crisis Response – FEMA
4. Geospatial Information One Stop – DOI
5. Wireless Networks – FEMA

Internal Effectiveness and Efficiency
1. e-Training – OPM
2. Recruitment One Stop – OPM
3. Enterprise HR Integration – OPM
4. e-Travel – GSA
5. e-Clearance – OPM
6. e-Payroll – OPM
7. Integrated Acquisition – GSA
8. e-Records Management – NARA

Cross-cutting Infrastructure: e-Authentication – GSA

Page 8:

The Starting Place for e-Authentication: Key Policy Points

For Governmentwide deployment:

No National ID.

No National unique identifier.

No central registry of personal information, attributes, or authorization privileges.

Different authentication assurance levels are needed for different types of transactions.

And for e-Authentication technical approach:

No single proprietary solution

Deploy multiple COTS products -- user's choice

Products must interoperate together

Controls must protect privacy of personal information.

Page 9:

The Federal E-Authentication Service

(Diagram: Application User, Access Point (Discovery Portal), Credential Service Provider and Agency Application, with Steps 1-3 between them.)

Step 1: At access point (portal, agency Web site or credential service provider) user selects agency application and credential provider (Discovery Portal)

Step 2:
• User is redirected to selected credential service provider
• If user already possesses credential, user authenticates
• If not, user acquires credential and then authenticates

Step 3: Credential service hands off authenticated user to the agency application user selected at the access point
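The hand-off in Step 3 is where the agency application has to decide whether to trust an assertion from a credential service it does not operate, and that decision combines the policy side (is the issuer on the trust list, and at what assessed assurance level?) with the technical side (signature, audience, validity window, replay). The program below is an added example, not code from the e-Authentication program: it replaces the SAML 1.0 assertion and XML Signature with a JSON assertion signed with ed25519 so that it is self-contained, and the CSP, application and user names in it are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion stands in for the SAML 1.0 authentication assertion the credential service
// provider (CSP) hands to the agency application in Step 3 (JSON and ed25519 are this example's assumptions).
type Assertion struct {
	ID             string    `json:"id"`              // unique per assertion; used to detect replay
	Issuer         string    `json:"issuer"`          // CSP name as listed on the trust list
	Subject        string    `json:"subject"`         // the user's identifier at the CSP
	Audience       string    `json:"audience"`        // the one agency application this is for
	AssuranceLevel int       `json:"assurance_level"` // OMB M-04-04 level (1-4) the user authenticated at
	IssueInstant   time.Time `json:"issue_instant"`
	NotOnOrAfter   time.Time `json:"not_on_or_after"`
}

type CSP struct { // authenticates users and signs assertions about them
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCSP(name string) *CSP {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CSP{Name: name, Pub: pub, priv: priv}
}

// Issue returns a serialized assertion bound to one audience and valid for five minutes, plus the CSP's signature over it.
func (c *CSP) Issue(id, subject, audience string, level int, now time.Time) (payload, sig []byte) {
	payload, _ = json.Marshal(Assertion{ID: id, Issuer: c.Name, Subject: subject, Audience: audience,
		AssuranceLevel: level, IssueInstant: now, NotOnOrAfter: now.Add(5 * time.Minute)})
	return payload, ed25519.Sign(c.priv, payload)
}

// TrustedCSP is one trust-list entry: the CSP's key and the highest assurance level it was assessed for.
type TrustedCSP struct {
	Key      ed25519.PublicKey
	MaxLevel int
}

// RelyingParty is an agency application; RequiredLevel comes from its own risk assessment.
type RelyingParty struct {
	Name          string
	RequiredLevel int
	TrustList     map[string]TrustedCSP
	seen          map[string]bool // assertion IDs already accepted (a real cache would expire them at NotOnOrAfter)
}

func NewRelyingParty(name string, level int, trust map[string]TrustedCSP) *RelyingParty {
	return &RelyingParty{Name: name, RequiredLevel: level, TrustList: trust, seen: map[string]bool{}}
}

// Accept runs the checks an application must pass before relying on a third-party credential.
func (rp *RelyingParty) Accept(payload, sig []byte, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return Assertion{}, fmt.Errorf("malformed assertion: %w", err)
	}
	t, listed := rp.TrustList[a.Issuer] // policy gate: only assessed, listed CSPs are considered at all
	if !listed {
		return Assertion{}, errors.New("issuer not on trust list")
	}
	switch {
	case !ed25519.Verify(t.Key, payload, sig): // key from the trust list, never one carried in the message
		return Assertion{}, errors.New("bad signature")
	case a.Audience != rp.Name:
		return Assertion{}, errors.New("assertion addressed to a different application")
	case now.Before(a.IssueInstant) || !now.Before(a.NotOnOrAfter):
		return Assertion{}, errors.New("assertion outside its validity window")
	case a.AssuranceLevel > t.MaxLevel: // a CSP may vouch only up to the level it was assessed for
		return Assertion{}, fmt.Errorf("CSP assessed to level %d but asserted %d", t.MaxLevel, a.AssuranceLevel)
	case a.AssuranceLevel < rp.RequiredLevel: // and the application needs at least its own level
		return Assertion{}, fmt.Errorf("need level %d, credential is level %d", rp.RequiredLevel, a.AssuranceLevel)
	case rp.seen[a.ID]:
		return Assertion{}, errors.New("assertion replayed")
	}
	rp.seen[a.ID] = true
	return a, nil
}

func main() {
	csp := NewCSP("csp-a.example") // constructed names throughout
	app := NewRelyingParty("loans.agency.example", 2, map[string]TrustedCSP{csp.Name: {Key: csp.Pub, MaxLevel: 2}})
	payload, sig := csp.Issue("a-001", "user-17", app.Name, 2, time.Now())
	_, first := app.Accept(payload, sig, time.Now())
	_, second := app.Accept(payload, sig, time.Now()) // the same assertion presented again
	fmt.Println("first:", first, "second:", second)
}
```

The order of the checks is deliberate: the issuer is looked up on the trust list before anything else, so a signature from an unassessed CSP is never even verified, and the verification key comes from that list rather than from the message. The two assurance-level comparisons are what connect the policy artefacts in this deck to the wire: the CSP's assessed ceiling (the trust list) and the application's required floor (its risk assessment) both have to hold.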

Page 10:

Central Issue with Federated Identity – Who do you Trust?

(Diagram: a Trust Network of existing credential providers across sectors.)
• Governments: Federal, States/Local, International
• Higher Education: Universities, PKI Bridge
• Healthcare: American Medical Association, Patient Safety Institute
• Travel Industry: Airlines, Hotels, Car Rental, Trusted Traveler Programs
• E-Commerce Industry: ISPs, Internet Accounts, Credit Bureaus, eBay
• Financial Services Industry: Home Banking, Credit/Debit Cards

Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.

Scale: 280 Million Americans, Millions of Businesses, State/local/global Govts

Page 11:

The Need for Federated Identity Trust and Business Models

Technical issues for sharing identities are being solved, but slowly

Trust is the critical issue for deployment of federated identity. Federated ID networks have a strong need for trust ass1urance standards:
• How robust are the identity verification procedures?
• How strong is this shared identity?
• How secure is the infrastructure?

Common business rules are needed for federated identity to scale. N² pair-wise bi-lateral trust relationships is not a scalable business process. Common business rules are needed to define:
• Trust assurance and credential strength
• Roles and responsibilities of IDPs and relying parties
• Liabilities associated with use of 3rd party credentials
• Business relationship costs
• Privacy requirements for handling Personally Identifiable Information (PII)

Federal e-Authentication Initiative will provide a trust framework to integrate policy, technology and business relationships across disparate and independent identity systems

Page 12:

Multiple Authentication Assurance Levels to meet multiple risk levels

(Chart: example transactions placed by assurance need, with token type rising along two axes, "Increased Need for Identity Assurance" and "Increased $ Cost".)

Assurance need – example transaction:
• Very High – Employee Screening for a High Risk Job
• High – Obtaining Govt. Benefits
• Medium – Applying for a Loan Online
• Standard – Access to Protected Website
• Low – Surfing the Internet

Token types shown on the chart: Click-wrap; PIN/Password; Knowledge-Based; PKI/Digital Signature; Multi-Factor Token.

Page 13:

e-Authentication Trust Model for Federated Identity

1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice, 12/16/03)

2. Establish standard methodology for e-Authentication risk assessment (ERA), 2/04

3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance, 6/04)

4. Establish methodology for evaluating credentials/providers on assurance criteria (FBCA & Credential Assessment Framework, 11/03)

5. Assess CSPs and maintain trust list of trusted CSPs for govt-wide (and private sector) use, 2/04

6. Establish common business rules for use of trusted 3rd-party credentials (11/04)

7. Test products and implementations for interoperability (2/04)

Page 14:

Federal Interoperability Lab

Tests interoperability of products for participation in e-Authentication architecture:
• Conformance testing to Fed e-Authentication Interface Specification
• Interoperability testing among all approved products

Currently 10 SAML 1.0 products on Approved Product List. See URL: http://cio.gov/eauthentication

Federal e-Authentication Program will adopt additional schemes: SAML 2.0, Liberty Alliance, Shibboleth
• Protocol Translator is required for technical architecture
• Multiple protocol interoperability testing will be very complex

Federal Government will operate Interoperability lab until protocol/product convergence or industry test lab is in place

Approved products list is publicly available.

Page 15:

The Approach to a U.S. Federal PKI

Agencies implement their own PKIs

Create a Federal Bridge CA using COTS products to bind Agency PKIs together

Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge CA

Ensure directory compatibility

Use ACES for transactions with the public

Page 16:

A Snapshot of the U.S. Federal PKI

(Diagram: the Federal Bridge CA at the centre, linked to each of the PKIs below.)

Federal Bridge CA, connected to:
• ACES PKI
• Treasury PKI
• DOL PKI
• State Dept PKI
• NFC PKI
• NASA PKI
• DOD PKI
• Illinois PKI
• CANADA PKI
• Wells Fargo Bank
• Higher Education Bridge CA, which in turn links University PKIs (three shown)
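The two slides above describe the bridge model without showing how a relying party actually uses it: each agency keeps its own CA as its only trust anchor, the agency CA and the Federal Bridge CA cross-certify each other, and a certificate from another agency validates only if a path can be built from the relying party's own anchor, across the bridge, to the foreign issuer, with the certificate policy (the assurance level) mapped at each cross-certificate. The program below is an added illustration of that path building and policy mapping, not Federal PKI code; its minimal certificate structure, ed25519 keys, CA names and policy names are assumptions standing in for X.509 certificates and policy OIDs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Cert is a deliberately minimal certificate: just what bridge path validation needs. Real Federal
// PKI certificates are X.509 with policy OIDs and mappings; the CA and policy names here are assumptions.
type Cert struct {
	Subject    string
	Issuer     string
	SubjectKey ed25519.PublicKey
	Policies   map[string]bool   // policies the issuer asserts for the subject, in the issuer's own domain
	PolicyMap  map[string]string // cross-certificates only: issuer-domain policy -> subject-domain policy
	Signature  []byte            // issuer's signature over the other fields
}

// tbs is the to-be-signed encoding, every field except the signature (json.Marshal is deterministic here).
func (c Cert) tbs() []byte {
	c.Signature = nil
	b, _ := json.Marshal(c)
	return b
}

// CA signs certificates; the same type serves agency CAs and the bridge.
type CA struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA(name string) *CA {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CA{Name: name, Pub: pub, priv: priv}
}

// Issue signs a certificate; policyMap is nil except for cross-certificates.
func (ca *CA) Issue(subject string, key ed25519.PublicKey, policies map[string]bool, policyMap map[string]string) Cert {
	c := Cert{Subject: subject, Issuer: ca.Name, SubjectKey: key, Policies: policies, PolicyMap: policyMap}
	c.Signature = ed25519.Sign(ca.priv, c.tbs())
	return c
}

// Validate finds and verifies a path from the relying party's trust anchor to ee through the
// cross-certificates in pool and returns the subject names along it. requiredPolicy is named in the
// anchor's own domain; each cross-certificate's PolicyMap translates it into the next CA's domain.
func Validate(anchorName string, anchorKey ed25519.PublicKey, requiredPolicy string, pool []Cert, ee Cert) ([]string, error) {
	byIssuer := map[string][]Cert{}
	for _, c := range pool {
		byIssuer[c.Issuer] = append(byIssuer[c.Issuer], c)
	}
	visited := map[string]bool{anchorName: true} // cross-certificates run both ways; never walk back through a CA
	var walk func(issuer string, key ed25519.PublicKey, policy string, path []string) ([]string, error)
	walk = func(issuer string, key ed25519.PublicKey, policy string, path []string) ([]string, error) {
		if issuer == ee.Issuer { // reached the CA that issued the end-entity certificate
			if !ed25519.Verify(key, ee.tbs(), ee.Signature) || !ee.Policies[policy] {
				return nil, fmt.Errorf("%s rejected: bad signature, or policies %v do not map to %s", ee.Subject, ee.Policies, requiredPolicy)
			}
			return append(path, ee.Subject), nil
		}
		for _, c := range byIssuer[issuer] {
			if visited[c.Subject] || !ed25519.Verify(key, c.tbs(), c.Signature) || !c.Policies[policy] {
				continue
			}
			next := policy // translate the required policy into the subject CA's domain
			if m, ok := c.PolicyMap[policy]; ok {
				next = m
			}
			visited[c.Subject] = true
			if res, err := walk(c.Subject, c.SubjectKey, next, append(append([]string{}, path...), c.Subject)); err == nil {
				return res, nil
			}
			delete(visited, c.Subject)
		}
		return nil, fmt.Errorf("no acceptable path from %s to %s", issuer, ee.Subject)
	}
	return walk(anchorName, anchorKey, requiredPolicy, []string{anchorName})
}

func main() {
	b, fbca, a := NewCA("Agency B CA"), NewCA("Federal Bridge CA"), NewCA("Agency A CA")
	pool := []Cert{ // cross-certification is two certificates, one per direction, each with a policy mapping
		b.Issue(fbca.Name, fbca.Pub, map[string]bool{"B-medium": true}, map[string]string{"B-medium": "FBCA-medium"}),
		fbca.Issue(b.Name, b.Pub, map[string]bool{"FBCA-medium": true}, map[string]string{"FBCA-medium": "B-medium"}),
		fbca.Issue(a.Name, a.Pub, map[string]bool{"FBCA-medium": true}, map[string]string{"FBCA-medium": "A-medium"}),
		a.Issue(fbca.Name, fbca.Pub, map[string]bool{"A-medium": true}, map[string]string{"A-medium": "FBCA-medium"}),
	}
	user := a.Issue("user@agency-a.example", NewCA("user").Pub, map[string]bool{"A-medium": true}, nil) // only the public half is needed
	fmt.Println(Validate(b.Name, b.Pub, "B-medium", pool, user)) // Agency B's application trusts only Agency B's CA
}
```

Two things the walk makes concrete: the relying party never trusts the bridge directly, it trusts its own agency CA, and the bridge is reachable only because that CA issued a cross-certificate to it; and the assurance level crosses the bridge only through explicit policy mappings, so a cross-certificate issued at a lower policy (or with no mapping for the required one) cuts the path even when every signature verifies. Real X.509 path validation adds name and path-length constraints, revocation checking and inhibit/require-explicit-policy handling, none of which this example models.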

Page 17:

The Need for the Electronic Authentication Partnership

(Diagram: Federal Government, State/Local Governments, Industry and Commercial Trust Assurance Services surrounding a core of IDPs and RPs, joined by Common Business and Operating Rules.)

Interoperability for:

Policy
• Authentication
• Assurance levels
• Credential Profiles
• Accreditation
• Business Rules
• Privacy Principles

Technology
• Adopted schemes
• Common specs
• User Interfaces
• APIs
• Interoperable COTS products
• Authz support

Policy, Technical, & Business Interoperability
Common Business and Operating Rules

http://www.eapartnership.org/

Page 18:

What is the EAP

• Multi-industry partnership creating a framework for interoperable authentication
• Plans to establish itself as a member-supported organization, and complete framework in early 2005

• Goals
Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
Eliminate or at least reduce the need for organizations to establish bilateral agreements
Organizations would operate under common EAP rule set, resulting in multilateral trust

• In practice this means a federated approach

Page 19:

What the EAP is doing now for ID Federation

Current State of Industry: Bi-Lateral Pairs
(Diagram: three IDPs, each paired with a single SP/RP.)
• Bi-lateral Agreements
• Pair-wise Trust Model
• Pair-wise Interface Spec and Products

EAP Objective: Multi-Party, Interoperable Federation
(Diagram: four IDPs and three SP/RPs all connected through one federation.)
• Common Business Rules/Agreements
• Common Trust Model
• Common Interface Specification
• Interoperable Products

Page 20:

What the EAP envisions for ID Federation

EAP Vision: Multiple, Interoperable Federations
(Diagram: Federation 1, Federation 2 and Federation 3, each with its own IDPs and SP/RPs, joined through the EAP.)

EAP provides:
• Common Business Rules/Agreements
• Common Trust Models
• Common Basic Interface Specifications
• Interoperable Products

Page 21:

Subject: Policy for a Common Identification Standard for Federal Employees and Contractors (1) Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). (2) To implement the policy set forth in paragraph (1), the Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard") not later than 6 months after the date of this directive in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the Director of the Office of Science and Technology Policy. The Secretary of Commerce shall periodically review the Standard and update the Standard as appropriate in consultation with the affected agencies.

Homeland Security Presidential Directive/HSPD-12

FIPS 201 Personal Identity Verification Standard

Page 22:

(3) "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).

(4) Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard. As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.

Homeland Security Presidential Directive/HSPD-12

Page 23:

HSPD-12 mandates a government-wide standard for secure and reliable forms of identification. The policy further defines the following criteria for a secure and reliable form of identification. The identification standard (PIV, FIPS 201) will be:

• Based on sound criteria to verify an individual employee's identity
• Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
• Rapidly verifiable electronically
• Issued by providers whose reliability has been established by an official accreditation process
• Applicable to all government organizations and contractors
• Used to grant access to Federally controlled facilities and information systems
• Flexible enough for agencies to select the appropriate security level for each application by providing graduated criteria from least secure to most secure
• Not applicable to identification associated with national security systems
• Implemented in a manner that protects citizens' privacy

Federal Personal Identity Verification (PIV) Standard

Page 24:

For More Information

David Temoshok
Phone: 202-208-7655
E-mail: [email protected]

Websites:
http://cio.gov/eauthentication
http://www.eapartnership.org/
http://cio.gov/fpkipa
http://cio.gov/ficc