Federated Identity and Interoperability: Federal e-Authentication Initiative (David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy)

1
Federated Identity and Interoperability
Federal e-Authentication Initiative
David Temoshok
Director, Identity Policy and Management, GSA
Office of Governmentwide Policy
The E-Authentication Initiative
Educause Net@EDU Annual Meeting, February 7, 2005
2
Session Objectives
  • Provide status of ID Federation efforts in
    government and industry
  • Discuss key infrastructure needed for ID
    Federation
  • Discuss issues related to interoperability for ID
    Federation
  • Discuss Federal e-Authentication initiative
    infrastructure
  • Present the goals of the Electronic
    Authentication Partnership and how it facilitates
    identity federation

3
Background
  • Industry snapshot: federated identity
    • Federated identity definition: agreements,
      standards, and technologies that make identity
      and entitlements portable across loosely coupled,
      autonomous domains
    • Standards and specifications: Security Assertion
      Markup Language (SAML) 1.0, 1.1, 2.0; Liberty
      Alliance, Shibboleth, and Web services security
    • Adoption: Burton Group cites over 200
      organizations implementing SAML plus other
      specifications, in multiple industries
    • Vendors: multiple identity management and other
      vendors have implemented SAML and federated
      identity in COTS products
  • Interoperability, trust, deployment still
    challenging

4
Identity Federation Key Interoperability Needs
Identity Federations extend beyond current
peer-to-peer, bilateral agreements to build common
infrastructure shared among multiple parties:
  • Federation Trust (Policy Interoperability)
  • Federation Communications (Technical
    Interoperability)
  • Federation Business Relationships (Business
    Interoperability)
5
Federation Infrastructure
  • Interoperable Technology (Communications)
    • Determine intra-Federation communication
      architecture
    • Administer common interface specifications, use
      cases, profiles
    • Conduct interoperability testing (as needed)
      according to the specifications
    • Provide a common portal service (i.e., discovery
      and interaction services)
  • Trust
    • Establish common trust model
    • Administer common identity management/
      authentication policies for Federation members
  • Business Relationships
    • Establish and administer common business rules
    • Manage relations among relying parties and CSPs
    • Manage compliance/dispute resolution

6
President's Management Agenda
  • 1st Priority: Make Government citizen-centered.
  • 5 Key Government-wide Initiatives
    • Strategic Management of Human Capital
    • Competitive Sourcing
    • Improved Financial Performance
    • Expanded Electronic Government
    • Budget and Performance Integration

7
PMC E-Gov Agenda
Government to Citizen (leads, in order: GSA, Treasury,
DoED, DOI, Labor)
  1. USA Service
  2. EZ Tax Filing
  3. Online Access for Loans
  4. Recreation One Stop
  5. Eligibility Assistance Online
Government to Business (leads, in order: GSA, EPA,
Treasury, HHS, SBA, DOC)
  1. Federal Asset Sales
  2. Online Rulemaking Management
  3. Simplified and Unified Tax and Wage Reporting
  4. Consolidated Health Informatics (business case)
  5. Business Gateway
  6. Int'l Trade Process Streamlining
Government to Govt. (leads, in order: SSA, HHS, FEMA,
DOI, FEMA)
  1. e-Vital (business case)
  2. Grants.gov
  3. Disaster Assistance and Crisis Response
  4. Geospatial Information One Stop
  5. Wireless Networks
Internal Effectiveness and Efficiency (leads, in order:
OPM, OPM, OPM, GSA, OPM, OPM, GSA, NARA)
  1. e-Training
  2. Recruitment One Stop
  3. Enterprise HR Integration
  4. e-Travel
  5. e-Clearance
  6. e-Payroll
  7. Integrated Acquisition
  8. e-Records Management
Cross-cutting Infrastructure: e-Authentication (lead:
GSA)
8
The Starting Place for e-Authentication: Key
Policy Points
  • For Governmentwide deployment
    • No National ID.
    • No National unique identifier.
    • No central registry of personal information,
      attributes, or authorization privileges.
    • Different authentication assurance levels are
      needed for different types of transactions.
  • And for the e-Authentication technical approach
    • No single proprietary solution
    • Deploy multiple COTS products -- user's choice
    • Products must interoperate together
    • Controls must protect privacy of personal
      information.

9
The Federal E-Authentication Service
(Diagram: Application User, Access Point / Discovery
Portal, Credential Service Provider, and Agency
Application, with Steps 1-3 between them)
  • Step 1: At the access point (portal, agency Web site
    or credential service provider), the user selects
    the agency application and credential provider
    (Discovery Portal)
  • Step 2: The user is redirected to the selected
    credential service provider
    • If the user already possesses a credential, the
      user authenticates
    • If not, the user acquires a credential and then
      authenticates
  • Step 3: The credential service hands off the
    authenticated user to the agency application the
    user selected at the access point
10
Central Issue with Federated Identity: Who do
you Trust?
(Diagram: a Trust Network linking 280 Million Americans,
Millions of Businesses, and State/local/global Govts
with the following credential sectors)
  • Governments: Federal, States/Local, International
  • Travel Industry: Airlines, Hotels, Car Rental,
    Trusted Traveler Programs
  • Higher Education: Universities, Higher Education
    PKI Bridge
  • E-Commerce Industry: ISPs, Internet Accounts,
    Credit Bureaus, eBay
  • Healthcare: American Medical Association, Patient
    Safety Institute
  • Financial Services Industry: Home Banking,
    Credit/Debit Cards
Absent a National ID and unique National
Identifier, the e-Authentication initiative will
establish trusted credentials/providers at
determined assurance levels.
11
The Need for Federated Identity Trust and
Business Models
  • Technical issues for sharing identities are being
    solved, but slowly
  • Trust is the critical issue for deployment of
    federated identity
    • Federated ID networks have a strong need for
      trust assurance standards
      • How robust are the identity verification
        procedures?
      • How strong is this shared identity?
      • How secure is the infrastructure?
  • Common business rules are needed for federated
    identity to scale
    • N² bilateral trust relationships are not a
      scalable business process
    • Common business rules are needed to define:
      • Trust assurance and credential strength
      • Roles and responsibilities of IDPs and relying
        parties
      • Liabilities associated with use of 3rd-party
        credentials
      • Business relationship costs
      • Privacy requirements for handling Personally
        Identifiable Information (PII)
  • The Federal e-Authentication Initiative will
    provide a trust framework to integrate policy,
    technology, and business relationships across
    disparate and independent identity systems

12
Multiple Authentication Assurance Levels to meet
multiple risk levels
(Chart axes: Increased Cost; Increased Need for
Identity Assurance)

13
e-Authentication Trust Model for Federated
Identity
1. Establish e-Authentication risk and assurance
   levels (OMB M-04-04 Federal Policy Notice
   12/16/03)
2. Establish standard methodology for
   e-Authentication risk assessment (ERA) (2/04)
3. Establish technical standards for
   e-Authentication systems (NIST Special Pub 800-63
   Authentication Technical Guidance 6/04)
4. Establish methodology for evaluating
   credentials/providers on assurance criteria
   (FBCA Credential Assessment Framework 11/03)
5. Assess CSPs and maintain trust list of trusted
   CSPs for govt-wide (and private sector) use (2/04)
6. Establish common business rules for use of
   trusted 3rd-party credentials (11/04)
7. Test products and implementations for
   interoperability (2/04)
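Added illustration (not code from the presentation or the GSA program) of the Step 2/Step 3 hand-off from slide 9 as checked by the relying party under the trust model above: the agency application accepts an assertion only from a CSP on the trust list, only at a level that CSP is approved for, and only at or above the level the transaction requires. The trust list, application requirements, and HMAC-over-JSON assertion are constructed stand-ins for the program's signed SAML assertions.

```python
"""Simulated e-Authentication hand-off (added example with constructed data).
Step 2: the selected CSP authenticates the user and issues an assertion naming
the assurance level it vouches for. Step 3: the agency application accepts it
only if the issuer is on the trust list, the assertion is intact and fresh, the
CSP is approved for that level, and the level meets the transaction's need.
Signed SAML assertions are stood in for by an HMAC with a per-CSP shared key.
"""
import hashlib, hmac, json, time

# Constructed trust list: CSP -> highest approved assurance level and shared key.
TRUST_LIST = {
    "csp-bank": {"approved_level": 3, "key": b"constructed-key-bank"},
    "csp-isp": {"approved_level": 1, "key": b"constructed-key-isp"},
}
# Constructed agency applications and the assurance level each transaction needs.
APPLICATIONS = {"recreation-one-stop": 1, "online-access-for-loans": 3}

def _mac(key, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def csp_authenticate(csp, subject, level, issued=None):
    """Step 2: the CSP issues an assertion for the authenticated subject."""
    body = {"csp": csp, "subject": subject, "level": level,
            "issued": int(time.time()) if issued is None else issued}
    return {"body": body, "mac": _mac(TRUST_LIST[csp]["key"], body)}

def agency_accepts(app, assertion, now=None, max_age=300):
    """Step 3: relying-party checks; returns (accepted, reason)."""
    body = assertion["body"]
    entry = TRUST_LIST.get(body["csp"])
    if entry is None:
        return False, "issuer not on trust list"
    if not hmac.compare_digest(_mac(entry["key"], body), assertion["mac"]):
        return False, "assertion integrity check failed"
    now = time.time() if now is None else now
    if now - body["issued"] > max_age:
        return False, "assertion expired"
    if body["level"] > entry["approved_level"]:
        return False, "CSP not approved for asserted level"
    if body["level"] < APPLICATIONS[app]:
        return False, "assurance level below application requirement"
    return True, "ok"

if __name__ == "__main__":
    ok = csp_authenticate("csp-bank", "alice", 3)
    print(agency_accepts("online-access-for-loans", ok))      # (True, 'ok')
    weak = csp_authenticate("csp-isp", "bob", 1)
    print(agency_accepts("online-access-for-loans", weak))    # level too low
```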
14
Federal Interoperability Lab
  • Tests interoperability of products for
    participation in e-Authentication architecture.
    • Conformance testing to Fed e-Authentication
      Interface Specification
    • Interoperability testing among all approved
      products
  • Currently 10 SAML 1.0 products on Approved
    Product List.
    • See URL http://cio.gov/eauthentication
  • Federal e-Authentication Program will adopt
    additional schemes
    • SAML 2.0
    • Liberty Alliance
    • Shibboleth
  • Protocol Translator is required for technical
    architecture
    • Multiple protocol interoperability testing will
      be very complex
  • Federal Government will operate Interoperability
    lab until protocol/product convergence or
    industry test lab is in place
  • Approved products list is publicly available.

15
The Approach to a U.S. Federal PKI
  • Agencies implement their own PKIs
  • Create a Federal Bridge CA using COTS products to
    bind Agency PKIs together
  • Establish a Federal PKI Policy Authority to
    oversee operation of the Federal Bridge CA
  • Ensure directory compatibility
  • Use ACES for transactions with the public

16
A Snapshot of the U.S. Federal PKI
(Diagram: the Federal Bridge CA at the center, linked to
DOL PKI, DOD PKI, ACES PKI, Illinois PKI, NASA PKI,
Canada PKI, NFC PKI, Wells Fargo Bank, Treasury PKI,
State Dept PKI, and the Higher Education Bridge CA,
which in turn links several University PKIs)
17
The Need for the Electronic Authentication
Partnership
(Diagram: Federal Government, State/Local Government,
and Industry IDPs and RPs joined through Policy,
Technical, and Business Interoperability)
Interoperability for Commercial Trust Assurance
Services
  • Policy
    • Authentication Assurance levels
    • Credential Profiles
    • Accreditation
    • Business Rules
    • Privacy Principles
  • Technology
    • Adopted schemes
    • Common specs
    • User Interfaces
    • APIs
    • Interoperable COTS products
    • Authz support
  • Common Business and Operating Rules
http://www.eapartnership.org/
18
What is the EAP
  • Multi-industry partnership creating a framework
    for interoperable authentication
  • Plans to establish itself as a member-supported
    organization, and complete framework in early
    2005
  • Goals
    • Provide organizations with a straightforward
      means of relying on digital credentials issued by
      a variety of authentication systems
    • Eliminate or at least reduce the need for
      organizations to establish bilateral agreements
    • Organizations would operate under common EAP rule
      set, resulting in multilateral trust
    • In practice this means a federated approach

19
What the EAP is doing now for ID Federation
(Diagram: Current State of Industry: Bi-Lateral Pairs,
each IDP and SP/RP linked by bi-lateral agreements, a
pair-wise trust model, and pair-wise interface specs
and products. EAP Objective: Multi-Party, Interoperable
Federation, with common business rules/agreements, a
common trust model, a common interface specification,
and interoperable products shared by many IDPs and
SP/RPs)
20
What the EAP envisions for ID Federation
(Diagram: EAP Vision: Multiple, Interoperable
Federations. Federation 1, Federation 2, and
Federation 3, each with its own IDPs and SP/RPs, joined
through EAP common business rules/agreements, common
trust models, common basic interface specifications,
and interoperable products)
21
Homeland Security Presidential Directive/HSPD-12

FIPS 201 Personal Identity Verification Standard
22
Homeland Security Presidential Directive/HSPD-12

(3) "Secure and reliable forms of identification"
for purposes of this directive means
identification that (a) is issued based on sound
criteria for verifying an individual employee's
identity; (b) is strongly resistant to identity
fraud, tampering, counterfeiting, and terrorist
exploitation; (c) can be rapidly authenticated
electronically; and (d) is issued only by
providers whose reliability has been established
by an official accreditation process. The
Standard will include graduated criteria, from
least secure to most secure, to ensure
flexibility in selecting the appropriate level of
security for each application. The Standard shall
not apply to identification associated with
national security systems as defined by 44 U.S.C.
3542(b)(2).

(4) Not later than 4 months
following promulgation of the Standard, the heads
of executive departments and agencies shall have
a program in place to ensure that identification
issued by their departments and agencies to
Federal employees and contractors meets the
Standard. As promptly as possible, but in no case
later than 8 months after the date of
promulgation of the Standard, the heads of
executive departments and agencies shall, to the
maximum extent practicable, require the use of
identification by Federal employees and
contractors that meets the Standard in gaining
physical access to Federally controlled
facilities and logical access to Federally
controlled information systems.
23
Federal Personal Identification Verification
Standard
24
For More Information
  • Phone / E-mail
  • David Temoshok, 202-208-7655,
    david.temoshok@gsa.gov

Websites: http://cio.gov/eauthentication,
http://www.eapartnership.org/, http://cio.gov/fpkipa,
http://cio.gov/ficc