Title: Federated Identity and Interoperability: Federal eAuthentication Initiative

Slide 1: Federated Identity and Interoperability
Federal e-Authentication Initiative
David Temoshok
Director, Identity Policy and Management, GSA Office of Governmentwide Policy
The E-Authentication Initiative
Educause Net@EDU Annual Meeting, February 7, 2005
Slide 2: Session Objectives
- Provide status of ID Federation efforts in government and industry
- Discuss key infrastructure needed for ID Federation
- Discuss issues related to interoperability for ID Federation
- Discuss Federal e-Authentication initiative infrastructure
- Present the goals of the Electronic Authentication Partnership and how it facilitates identity federation
Slide 3: Background
- Industry snapshot: federated identity
  - Federated identity definition: agreements, standards, and technologies that make identity and entitlements portable across loosely coupled, autonomous domains
- Standards and specifications
  - Security Assertion Markup Language (SAML) 1.0, 1.1, 2.0
  - Liberty Alliance, Shibboleth, and Web services security
- Adoption
  - Burton Group cites over 200 organizations implementing SAML plus other specifications, in multiple industries
- Vendors
  - Multiple identity management and other vendors have implemented SAML and federated identity in COTS products
- Interoperability, trust, and deployment are still challenging
Slide 4: Identity Federation: Key Interoperability Needs
Identity Federations extend beyond current peer-to-peer, bilateral agreements to build common infrastructure shared among multiple parties.
- Federation Trust (Policy Interoperability)
- Federation Communications (Technical Interoperability)
- Federation Business Relationships (Business Interoperability)
Slide 5: Federation Infrastructure
- Interoperable Technology (Communications)
  - Determine intra-Federation communication architecture
  - Administer common interface specifications, use cases, and profiles
  - Conduct interoperability testing (as needed) according to the specifications
  - Provide a common portal service (i.e., discovery and interaction services)
- Trust
  - Establish a common trust model
  - Administer common identity management/authentication policies for Federation members
- Business Relationships
  - Establish and administer common business rules
  - Manage relations among relying parties and CSPs
  - Manage compliance/dispute resolution
Slide 6: President's Management Agenda
- 1st Priority: Make Government citizen-centered.
- 5 Key Government-wide Initiatives
  - Strategic Management of Human Capital
  - Competitive Sourcing
  - Improved Financial Performance
  - Expanded Electronic Government
  - Budget and Performance Integration
Slide 7: PMC E-Gov Agenda
Government to Citizen (leads: GSA, Treasury, DoED, DOI, Labor)
1. USA Service (GSA)
2. EZ Tax Filing (Treasury)
3. Online Access for Loans (DoED)
4. Recreation One Stop (DOI)
5. Eligibility Assistance Online (Labor)

Government to Business (leads: GSA, EPA, Treasury, HHS, SBA, DOC)
1. Federal Asset Sales (GSA)
2. Online Rulemaking Management (EPA)
3. Simplified and Unified Tax and Wage Reporting (Treasury)
4. Consolidated Health Informatics (business case) (HHS)
5. Business Gateway (SBA)
6. Intl Trade Process Streamlining (DOC)

Government to Govt. (leads: SSA, HHS, FEMA, DOI, FEMA)
1. e-Vital (business case) (SSA)
2. Grants.gov (HHS)
3. Disaster Assistance and Crisis Response (FEMA)
4. Geospatial Information One Stop (DOI)
5. Wireless Networks (FEMA)

Internal Effectiveness and Efficiency (leads: OPM, OPM, OPM, GSA, OPM, OPM, GSA, NARA)
1. e-Training (OPM)
2. Recruitment One Stop (OPM)
3. Enterprise HR Integration (OPM)
4. e-Travel (GSA)
5. e-Clearance (OPM)
6. e-Payroll (OPM)
7. Integrated Acquisition (GSA)
8. e-Records Management (NARA)

Cross-cutting Infrastructure: eAuthentication (GSA)
Slide 8: The Starting Place for e-Authentication: Key Policy Points
- For Governmentwide deployment:
  - No National ID.
  - No National unique identifier.
  - No central registry of personal information, attributes, or authorization privileges.
  - Different authentication assurance levels are needed for different types of transactions.
- And for the e-Authentication technical approach:
  - No single proprietary solution
  - Deploy multiple COTS products -- user's choice
  - Products must interoperate together
  - Controls must protect privacy of personal information.
Slide 9: The Federal E-Authentication Service
(Diagram: Application User, Access Point / Discovery Portal, Credential Service Provider, and Agency Application, connected by Steps 1 to 3.)
- Step 1: At the access point (portal, agency Web site, or credential service provider), the user selects the agency application and credential provider (Discovery Portal).
- Step 2: The user is redirected to the selected credential service provider.
  - If the user already possesses a credential, the user authenticates.
  - If not, the user acquires a credential and then authenticates.
- Step 3: The credential service hands off the authenticated user to the agency application the user selected at the access point.
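The three-step flow above as an added, simplified model (example code, not the presentation's or the Federal e-Authentication Interface Specification's): the access point records the user's choice, the CSP asserts an assurance level, and the agency application accepts the hand-off only from a trusted CSP at a sufficient level. The CSP names, application names, numeric levels 1-4 and the trust list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption): trusted CSPs with the assurance
# level each is approved to assert, and the level each application requires.
TRUSTED_CSPS = {"csp.example": 2, "bank.example": 3}
APPLICATIONS = {"recreation-one-stop": 1, "grants-portal": 3}

@dataclass(frozen=True)
class Assertion:
    """What the CSP hands to the agency application in Step 3."""
    issuer: str
    subject: str   # identifier local to the CSP; no national unique identifier
    level: int

def discover(app: str, csp: str) -> dict:
    """Step 1: the access point records the user's choice of application
    and credential provider; nothing about the user is collected here."""
    if app not in APPLICATIONS or csp not in TRUSTED_CSPS:
        raise ValueError("unknown application or credential provider")
    return {"app": app, "csp": csp}

def authenticate(sel: dict, subject: str, credential_ok: bool) -> Optional[Assertion]:
    """Step 2: the user authenticates at the selected CSP, which asserts
    the level it is approved for (an acquired credential behaves the same)."""
    if not credential_ok:
        return None
    return Assertion(sel["csp"], subject, TRUSTED_CSPS[sel["csp"]])

def handoff(sel: dict, assertion: Optional[Assertion]) -> str:
    """Step 3: the agency application (relying party) checks the issuer
    against the trust list and caps the asserted level at the level the
    CSP is approved for, so a CSP cannot over-claim assurance."""
    if assertion is None:
        return "denied: authentication failed"
    if assertion.issuer != sel["csp"] or assertion.issuer not in TRUSTED_CSPS:
        return "denied: untrusted issuer"
    effective = min(assertion.level, TRUSTED_CSPS[assertion.issuer])
    required = APPLICATIONS[sel["app"]]
    if effective < required:
        return f"denied: level {effective} < required level {required}"
    return f"granted: {assertion.subject}@{assertion.issuer} to {sel['app']}"

def run_flow(app: str, csp: str, subject: str, credential_ok: bool = True) -> str:
    """Run Steps 1 to 3 end to end and return the application's decision."""
    sel = discover(app, csp)
    return handoff(sel, authenticate(sel, subject, credential_ok))
```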
Slide 10: Central Issue with Federated Identity: Who do you Trust?
(Diagram: a Trust Network linking 280 Million Americans, Millions of Businesses, and State/local/global Govts with the following sectors.)
- Governments: Federal, States/Local, International
- Travel Industry: Airlines, Hotels, Car Rental, Trusted Traveler Programs
- Higher Education: Universities, Higher Education PKI Bridge
- E-Commerce Industry: ISPs, Internet Accounts, Credit Bureaus, eBay
- Healthcare: American Medical Association, Patient Safety Institute
- Financial Services Industry: Home Banking, Credit/Debit Cards
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.
Slide 11: The Need for Federated Identity Trust and Business Models
- Technical issues for sharing identities are being solved, but slowly
- Trust is the critical issue for deployment of federated identity
- Federated ID networks have a strong need for trust assurance standards
  - How robust are the identity verification procedures?
  - How strong is this shared identity?
  - How secure is the infrastructure?
- Common business rules are needed for federated identity to scale
  - N^2 bilateral trust relationships is not a scalable business process
- Common business rules are needed to define
  - Trust assurance and credential strength
  - Roles and responsibilities of IDPs and relying parties
  - Liabilities associated with use of 3rd-party credentials
  - Business relationship costs
  - Privacy requirements for handling Personally Identifiable Information (PII)
- The Federal e-Authentication Initiative will provide a trust framework to integrate policy, technology, and business relationships across disparate and independent identity systems
Slide 12: Multiple Authentication Assurance Levels to meet multiple risk levels
(Figure: assurance levels plotted against two axes, Increased Cost and Increased Need for Identity Assurance.)
Slide 13: e-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice, 12/16/03)
2. Establish standard methodology for e-Authentication risk assessment (ERA), 2/04
3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance, 6/04)
4. Establish methodology for evaluating credentials/providers on assurance criteria (FBCA Credential Assessment Framework, 11/03)
5. Assess CSPs and maintain a trust list of trusted CSPs for govt-wide (and private sector) use, 2/04
6. Establish common business rules for use of trusted 3rd-party credentials (11/04)
7. Test products and implementations for interoperability (2/04)
Slide 14: Federal Interoperability Lab
- Tests interoperability of products for participation in the e-Authentication architecture.
  - Conformance testing to the Fed e-Authentication Interface Specification
  - Interoperability testing among all approved products
  - Currently 10 SAML 1.0 products on the Approved Product List.
  - See URL http://cio.gov/eauthentication
- The Federal e-Authentication Program will adopt additional schemes
  - SAML 2.0
  - Liberty Alliance
  - Shibboleth
- A Protocol Translator is required for the technical architecture
- Multiple-protocol interoperability testing will be very complex
- The Federal Government will operate the Interoperability lab until protocol/product convergence or an industry test lab is in place
- The Approved products list is publicly available.
Slide 15: The Approach to a U.S. Federal PKI
- Agencies implement their own PKIs
- Create a Federal Bridge CA using COTS products to bind Agency PKIs together
- Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge CA
- Ensure directory compatibility
- Use ACES for transactions with the public
Slide 16: A Snapshot of the U.S. Federal PKI
(Diagram: the Federal Bridge CA at the center, linked to DOL PKI, DOD PKI, ACES PKI, Illinois PKI, NASA PKI, CANADA PKI, NFC PKI, Wells Fargo Bank, Treasury PKI, State Dept PKI, and the Higher Education Bridge CA, which in turn links several University PKIs.)
Slide 17: The Need for the Electronic Authentication Partnership
(Diagram: Interoperability for Commercial Trust Assurance Services. The Federal Government, State/Local Governments, and Industry each operate IDPs and RPs, joined by Policy, Technical, and Business Interoperability under Common Business and Operating Rules.)
- Policy
  - Authentication
  - Assurance levels
  - Credential Profiles
  - Accreditation
  - Business Rules
  - Privacy Principles
- Technology
  - Adopted schemes
  - Common specs
  - User Interfaces
  - APIs
  - Interoperable COTS products
  - Authz support
http://www.eapartnership.org/
Slide 18: What is the EAP
- Multi-industry partnership creating a framework for interoperable authentication
- Plans to establish itself as a member-supported organization, and complete the framework in early 2005
- Goals
  - Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
  - Eliminate or at least reduce the need for organizations to establish bilateral agreements
  - Organizations would operate under a common EAP rule set, resulting in multilateral trust
  - In practice this means a federated approach
Slide 19: What the EAP is doing now for ID Federation
(Diagram, left: Current State of Industry, Bi-Lateral Pairs. Each IDP and SP/RP is joined by a bilateral agreement, a pair-wise trust model, and a pair-wise interface spec and products.)
(Diagram, right: EAP Objective, Multi-Party, Interoperable Federation. Multiple IDPs and SP/RPs share Common Business Rules/Agreements, a Common Trust Model, a Common Interface Specification, and Interoperable Products.)
Slide 20: What the EAP envisions for ID Federation
(Diagram: Federation 1, Federation 2, and Federation 3, each made up of several IDPs and SP/RPs, all operating under EAP Common Business Rules/Agreements, Common Trust Models, Common Basic Interface Specifications, and Interoperable Products.)
EAP Vision: Multiple, Interoperable Federations
Slide 21: Homeland Security Presidential Directive/HSPD-12
FIPS 201 Personal Identity Verification Standard
Slide 22: Homeland Security Presidential Directive/HSPD-12
(3) "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).

(4) Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard. As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.
Slide 23: Federal Personal Identification Verification Standard
Slide 24: For More Information
- David Temoshok, Phone: 202-208-7655, E-mail: david.temoshok@gsa.gov
- Websites: http://cio.gov/eauthentication, http://www.eapartnership.org/, http://cio.gov/fpkipa, http://cio.gov/ficc