September 29, 2009 OASIS Identity Management 2009
Agenda
• Project Timeline
• Project Deliverables
• Project Guiding Principles
• Profile Information
• Supported attribute exchange models
• Metadata requirements
• COTS Vendor Support
• Next Steps
Project Timeline
• Meeting between DHS S&T and DoD DMDC to discuss IdM topics [Sept 2008]
• BAE PoC Project kick-off [Oct 2008]
• Project Team (DHS & DoD) tel-cons every two weeks
• Beta BAE reference implementations based on initial profile work [1Q09]
• Reference implementations & Profile v1.0 DRAFT [June 2009]
• Interoperability Testing
What is a “Profile”?
• Profiles are not standards; they are built on top of existing standards
• Guidelines and tests for interoperability
• A set of named specifications at specific revision levels, together with a set of implementation and interoperability guidelines recommending how the specifications may be used to develop interoperable capabilities
What is a BAE? – Backend Attribute Exchange (BAE)
[Diagram: Agency A User w/ PIV Card; Agency A Attribute Broker; Auth. Attribute Store 1; Agency B Resource (Web Site / Application); Agency B Attribute Broker; Auth. Attribute Store 2]
• Agency A user needs access to or information from Agency B
• User A is Authenticated
• Agency B needs “off-card” info to authorize User A to access resource. It “asks” its own Attribute Authority B
• Agency B and Agency A communicate to exchange user information about User A
• The BAE codifies, at the Federal Level, the technical rules and protocols needed to exchange User Information between Agency A and Agency B
Project Deliverables
• SAML V2.0 deployment profiles for BAE as well as informative information on lessons learned, implementation guidance and recommendations
• Proof-of-Concept BAE reference implementations, using synthetic data, stood up within the T&E environments of both DHS S&T and DoD DMDC to facilitate interoperability testing
• Test suites to verify BAE profile compliance
Project Guiding Principles
• Don’t reinvent the wheel!
• Leverage existing standards work (OASIS, W3C etc.)
• Keep the deltas between existing standards and this work to the minimum & unclassified!
• Awareness of agency specific work (DOD JEDS, IC UAAS etc.) but focus on needs of the Inter-Agency Community (w/ future extensions to support the Non-Federal Community)
• Allow for future alternate subject identifiers w/o impacting protocol/security sections of profile
• Allow for ease of implementation/leverage via multiple approaches and technologies
• Support conformance testing
• Engage with COTS vendor community to encourage out of the box support for profile in products
SAML Subject Profile – Federal Agency Smart Credential Number (FASC-N)
• The value of the <saml:NameID> element MUST be the character representation of the FASC-N.
• The FASC-N character representation MUST be 32 characters in length and will not include character representations of the start sentinel, end sentinel, field separators and the LRC.
• The character representation MUST be in the order as shown in Fig 5 of the [PACS], excluding start and end sentinels, field separators and the LRC.
• Missing values MUST be filled with zeros if the value is unknown or not set.
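As an added example (not from the slides or the project's reference implementations), a Python helper that builds a FASC-N NameID under the rules above, validates one received in an assertion, and splits it back into fields. The field names and widths (which sum to 32) follow the PACS/SP 800-73 FASC-N layout and are this example's assumption; the sample assertion and its values are constructed.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# FASC-N field layout (name, width) in the order of the PACS/SP 800-73 data model;
# the widths are this example's assumption and sum to the profile's 32 characters.
FASCN_FIELDS = [
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1),
    ("person_identifier", 10), ("organizational_category", 1),
    ("organizational_identifier", 4), ("person_org_association", 1),
]
FASCN_LENGTH = sum(width for _, width in FASCN_FIELDS)  # 32

def build_fascn(**fields):
    """Assemble a <saml:NameID> value; unknown or unset fields are zero-filled."""
    parts = []
    for name, width in FASCN_FIELDS:
        value = str(fields.get(name) or "")
        if value and not value.isdigit():
            raise ValueError(f"{name}: FASC-N fields are numeric")
        if len(value) > width:
            raise ValueError(f"{name}: longer than {width} characters")
        parts.append(value.rjust(width, "0"))  # short or missing values are zero-filled
    return "".join(parts)

def parse_fascn(value):
    """Apply the profile rules (exactly 32 characters, digits only: sentinels, field
    separators and LRC exist only in the card's BCD encoding) and split into fields."""
    if len(value) != FASCN_LENGTH or not re.fullmatch(r"[0-9]+", value):
        raise ValueError(f"NameID must be {FASCN_LENGTH} digits, got {value!r}")
    fields, pos = {}, 0
    for name, width in FASCN_FIELDS:
        fields[name] = value[pos:pos + width]
        pos += width
    return fields

def nameid_from_assertion(xml_text):
    """Extract the <saml:NameID> text from a SAML 2.0 assertion."""
    node = ET.fromstring(xml_text).find(f".//{{{SAML_NS}}}NameID")
    return (node.text or "").strip() if node is not None else ""

# Constructed sample assertion (not from the slides) with placeholder field values.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject><saml:NameID>'
    + build_fascn(agency_code="9999", system_code="0001", credential_number="123456",
                  person_identifier="1234567890")
    + "</saml:NameID></saml:Subject></saml:Assertion>"
)
```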
Supported BAE Model 1 – Direct Attribute Exchange
[Diagram: on the Dept A side, Org A-1 and Org A-2 Attribute Authorities and Attribute Requester System A with the Dept A BAE Broker; on the Dept B side, Org B-1 and Org B-2 Attribute Authorities and Attribute Requester System B with the Dept B BAE Broker; communication within each department secured per Org policy; broker-to-broker communication over SSL, labelled BAE Profile Scope; a Metadata Service holding the SAML Metadata of all BAEs]
• BAE CA
  • Issues X.509 Certs to BAEs
  • Issues EntityIDs to BAEs
  • CN of BAE Cert = EntityID
• SAML Metadata (All BAEs)
  • Org EntityID
  • Encryption/Signing certificate
  • Supported Profiles/Attributes
  • Org BAE URL
Supported BAE Model 2 – Brokered Attribute Exchange
[Diagram: Org A Attribute Authority with the Dept A BAE Broker and Org B Attribute Authority with the Dept B BAE Broker, as in Model 1; in addition, Dept C BAE Svc with Org C AA and Attribute Requester System C, and Dept D BAE Svc with Org D AA and Attribute Requester System D; communication within each department secured per Org policy; broker-to-broker communication over SSL, labelled BAE Profile Scope; a Metadata Service holding the SAML Metadata of all BAEs]
• BAE CA
  • Issues X.509 Certs to BAEs
  • Issues EntityIDs to BAEs
  • CN of BAE Cert = EntityID
• SAML Metadata (All BAEs)
  • Org EntityID
  • Encryption/Signing certificate
  • Supported Profiles/Attributes
  • Org BAE URL
Metadata (SAML v2) – The Source of All Good Things!
• Unique Identifier of BAE Broker (OC & OI)
• Digital Signature (AuthN & Integrity)
• Signing & Encryption Certificates
• URL of BAE Broker
• Supported Subject Identifier Type(s)
• …
Metadata (SAML v2) – Cont’d
• …
• Supported Profile(s)
• Supported Attributes
• Contact Information
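As an added example (not from the slides or the project), a Python check that reads a BAE broker's SAML v2 metadata and reports which of the items listed on the two metadata slides are missing. It assumes the broker is published as a standard md:AttributeAuthorityDescriptor, so NameIDFormat carries the subject identifier types, AttributeProfile the supported profiles and saml:Attribute the supported attributes; the sample EntityDescriptor, its entityID, URL and certificate text are constructed placeholders. It does not verify the signature or the certificate CN, which need XML-DSig and X.509 parsing.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_bae_metadata(xml_text):
    """Return the slide's metadata requirements this EntityDescriptor fails to meet.
    Assumed mapping (not on the slides): the broker is an md:AttributeAuthorityDescriptor,
    so NameIDFormat = subject identifier types, AttributeProfile = profiles, saml:Attribute = attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    findings = []
    if not root.get("entityID"):
        findings.append("entityID (unique broker identifier) missing")
    if root.find(f"{{{DS}}}Signature") is None:
        findings.append("metadata unsigned: authenticity and integrity not verifiable")
    if root.find(f"{{{MD}}}ContactPerson") is None:
        findings.append("no ContactPerson")
    aa = root.find(f"{{{MD}}}AttributeAuthorityDescriptor")
    if aa is None:
        return findings + ["no AttributeAuthorityDescriptor role"]
    uses = {kd.get("use") for kd in aa.findall(f"{{{MD}}}KeyDescriptor")}
    for use in ("signing", "encryption"):
        if use not in uses and None not in uses:  # a KeyDescriptor without 'use' serves both
            findings.append(f"no {use} certificate")
    svc = aa.find(f"{{{MD}}}AttributeService")
    if svc is None:
        findings.append("no AttributeService (broker URL)")
    elif not svc.get("Location", "").startswith("https://"):
        findings.append("AttributeService Location is not https")
    for tag, ns, msg in (("NameIDFormat", MD, "no supported subject identifier type"),
                         ("AttributeProfile", MD, "no supported profile"),
                         ("Attribute", SAML, "no supported attributes listed")):
        if aa.find(f"{{{ns}}}{tag}") is None:
            findings.append(msg)
    return findings

# Constructed sample (placeholder values); it deliberately omits an encryption KeyDescriptor.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:saml="{SAML}" xmlns:ds="{DS}" entityID="urn:example:bae:dept-a-broker">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://bae.dept-a.example/attribute-service"/>
    <md:NameIDFormat>urn:example:bae:nameid:fascn</md:NameIDFormat>
    <md:AttributeProfile>urn:example:bae:profile:v1</md:AttributeProfile>
    <saml:Attribute Name="urn:example:bae:attribute:agency"/>
  </md:AttributeAuthorityDescriptor>
  <md:ContactPerson contactType="technical"><md:Company>Dept A</md:Company></md:ContactPerson>
</md:EntityDescriptor>"""
```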
COTS Vendor Support – To Date
• Web Services/SOA/XML Security
  • Layer 7 – http://www.layer7tech.com (POC: Adam Vincent, Public Sector CTO)
  • Vordel – http://www.vordel.com (POC: Mark O’Neill, CTO)
• Entitlement/Privilege Management (PDPs)
  • BiTKOO – http://www.bitkoo.com (POC: Doron Grinstein, CEO)
• Federation
  • Covisint – http://www.covisint.com (POC: Roger Lambert)
• Ongoing discussions with others…
Next Steps
• Federal CIO Council ICAMSC Federation Interoperability Working Group is currently working the following open issues:
  • BAE CA & entityID assignment process
    • Recommendation: BAE certificate generation and entityID assignment managed by same entity
    • Recommendation: CN of Signing/Encryption Cert == entityID
  • Metadata distribution and management
    • Centralized
    • Distributed
  • Federation Agreement for BAE participants
Points of Contact & Project Team
DHS
• Karyn Higa-Smith, DHS S&T (Karyn.Higa-Smith@dhs.gov)
• Deborah Gallagher, DHS OCIO
• Lauren Davis
• Anil John
• Christopher Obremski
• Thomas Smith
• Maria Vachino
• Chi Wu
DOD
• Lynne Prince, DOD DMDC (Lynne.Prince@osd.pentagon.mil)
• Darroll Love
• Larry Fobian
• Abhijit Jadeja
• Joseph Pini