120 likes | 244 Views
Identity Federations and the U.S. E-Authentication Architecture. Peter Alterman, Ph.D. Assistant CIO, E-Authentication National Institutes of Health. Agenda. Elements of US Federal Identity Federation Inward-facing and outward-facing elements Interfederation interoperability initiatives.
E N D
Identity Federations and the U.S. E-Authentication Architecture Peter Alterman, Ph.D. Assistant CIO, E-Authentication National Institutes of Health
Agenda • Elements of US Federal Identity Federation • Inward-facing and outward-facing elements • Interfederation interoperability initiatives
The U.S. Federal Identity Framework IS: A combination of policy and technology implemented to: Provide secure access to government physical and logical resources Provide secure mechanisms for citizens, businesses and other governments to transact business with the US Federal Government electronically
Implementation of U.S. Federal Identity Framework • Feds and on-site contractors get Common PKI token and medium assurance digital certificates • Common Policy and common token facilitate interagency interoperability • AuthZ still a local responsibility • Federal Bridge enables cross-Agency interoperability outside the Common Policy (for waived entities)
Foundation Elements of FIF Policy-Driven • FICC Identity Management Framework Document • OMB M-04-04 (LOA) • NIST SP 800-63 (Risk) • U.S. Federal Common Policy Framework CP (PKI) • Federal Bridge CA CP (PKI) • E-Authentication Risk Assessment • SmartCard Standards (GSIS-compliance) • E-Authentication Credential Assessment Framework (CAF)
E-Authentication Full Operational Capability (FOC) Architecture for Clients and Business Partners • Defines the way end users authenticate to online Agency Applications • Based on external standards.. Conservatively • SAML 1.0 profiles currently • Liberty, Shibboleth, WS* • SAML 1.x, 2.0 as COTS products become available • Credential Services Providers (electronic identity credential issuers) evaluated for LOA using standard methodology (CAF) • Supports all authentication technologies
Interfederation Interoperability Initiatives • E-Authentication Partnership with private industry (next meeting October 25, 2004 in Broomfield, CO in conjunction with Digital ID World) • E-Authentication – inCommon interoperability project to enable Shibboleth credentials to be used to access Agency Applications • Discussions afoot to incorporate a Federal Shibboleth Federation into the E-Authentication FOC to enhance bidirectional interoperability (Federal credentials used to access inCommon services) • I-CIDM (International Collaborative identity Management) Bridge to Bridge Interoperability Work Group (PKI)
E-Authentication Partnership • The Electronic Authentication Partnership (EAP) is the multi-industry partnership working on the vital task of enabling interoperability among public and private electronic authentication (e-authentication) systems. • Interoperability of e-authentication systems is essential to the cost-effective operation of safe and secure systems that perform essential electronic transactions and tasks across industry lines.
E-Authentication / inCommon Interoperability Project • Phases One and Two funded: • Demonstrate technical interoperability between Shib and E-Auth FOC in the E-Auth Interoperability Lab • Identify Policy and Practice convergence requirements for E-Auth and inCommon • Contribute to the B2B (PKI) discussions hosted by I-CIDM
International Collaborative Identity Management (I-CIDM) Forum • A Forum to clarify the current Federal policy and implementation of identity management (PKI) within and across collaborating organizations. The Society of British Aerospace Companies (SBAC), the UK Defence Manufacturers Association (DMA), and NACHA are also participating. • Educate, assess and advise on CIDM policy, process and technology issues including strong identity management, data segregation management, PKI/PKE implementation, cross-certification, and commercial CA bridges.
Work to be Done • Policy alignment – key is that there be policies in federations and that they address Levels of Assurance of Identity (LOA) • Technical alignment – convergence on SAML 2.0 with and without X.509 digital certificates.
Sources • http://www.cio.gov/eauthentication • http://www.cio.gov/fbca • http://www.cio.gov/ficc • http://csrc.nist.gov • http://www.eapartnership.org/ • http://www.afei.org/brochure/4af0/CIDMMeeting.cfm#purpose