Title: eAuthentication Initiative Pre-Implementation Status
1. eAuthentication Initiative Pre-Implementation Status - eGovernment Program

2. Agenda
- eAuthentication Overview
- USDA eAuthentication Solution Components
- Agency Integration Responsibilities
- eAuthentication Costs and Resources
- Questions and Answers

3. What is eAuthentication?
- Customer interactions with USDA, also called transactions, will be
  transformed to allow customer submission through electronic means
- For many interactions, the identity of the person submitting the data
  needs to be known, either to enable an electronic signature of the form
  or data, or for informational purposes
- eAuthentication encompasses the processes and technology that identify
  a person electronically and present that information to the application
  that is accepting the user's data submission
- eAuthentication in the current phase will only support interactions that
  are presented in a web format over the Internet

4. eAuthentication Needs
Of the 736 interactions scheduled for GPEA
compliance for October 2003, 639 require
eAuthentication. 57 of these have been completed
in the Online Impact Assessment Tool.
35 (61%) out of the 57 in-scope interactions
require Level 2 Authentication. Currently, USDA
eAuthentication supports Level 1 and Level 2
authentication.
Authentication Levels define the credibility
necessary to support a person's identification.
The higher the authentication level, the more
information is needed to validate that a person is who
they say they are.

5. eAuthentication Schedule
- Continue eAuthentication communications in the form of postcards,
  presentations and integration documentation
- Present the Costing Model to Agencies for eAuthentication by July 25, 2003
- Distribute the Agency Guidebook by July 25, 2003
  - Road map and details for integrating Agency Applications
- Begin Implementation on July 28, 2003
  - WebCAAF Expansion, Directory Services, Identity Management, User
    Registration
- Initiate GSA Gateway Integration Proof-of-Concept in August 2003
- Provide Integration Planning assistance beginning August 2003
- Begin integration of applications in September 2003
- GPEA Deadline is October 21, 2003

7. USDA eAuthentication Solution Components
The USDA eAuthentication solution encompasses four main components:
- Technical Solution
- Identity and Access Management
- Presidential Initiative (GSA Gateway)
- Registration Process

8. USDA eAuthentication Solution Components
Technical Solution
- Enforcer: web agent installed on the agency's web server to perform
  authentication. Communicates with central authentication system in
  Web Farm
- Web Farm: secure, redundant hosting facility that hosts the USDA
  eAuthentication solution
- Firewall Stack: set of network and security devices that protects the
  USDA network from the Internet. The Web Farm Firewall Stack is part of
  the USDA eAuthentication CA
- User Stores: central USDA user store. Maintains information about the
  user that is common across agencies. Agency-specific user stores
  maintain more detailed information if needed
- Policy Server and Policy Store: core components of the USDA
  authentication solution. Ties together enforcers and user stores
  through policies
[Network diagram; labels: Enforcer, www.xyz.usda.gov, www.abc.gov/form1, Alternative Hosting Facility, Internet, Intranet, Router, Switch, Firewall, USDA Network, Web Farms]

9. USDA eAuthentication Solution Components
Identity and Access Management
- Password Services
  - Enforcement of strong password standards and support for password
    maintenance such as password changes, password expiration, etc.
- Self Services
  - Administration of user information without calling the USDA help
    desk. This is non-authentication information such as the user's
    phone number and username, not information about the user's
    relationship with the agency or his permission to access certain
    web applications
- Delegated Administration
  - Administration access to the central user store to establish users'
    access to the agency's applications
- Help Desk
  - Assistance with authentication-related issues such as password
    resets, directions to a registration center, etc. The USDA Help Desk
    is not able to help with application-specific questions. Agencies
    must provide contact information for application-specific problems

10. USDA eAuthentication Solution Components
Registration Process
- Self Service Registration for Level 1 Assurance
  - Registration for the most basic form of authentication, not a strong
    indicator of the user's actual identity since it relies on
    information from the user, but is useful in some settings such as
    web site personalization
- Identification Proofing for Higher Levels
  - Validation of identity by a Local Registration Authority. Currently
    this identity-proofing must be done in-person
  - Service Center or other Local Registration Authorities
- Agency-specific Authorization Profile Creation
  - Authorization of which users may access their applications. Each
    agency may create a set of conditions based on the common user
    information that is collected or may create web pages to collect
    additional information.

11. USDA eAuthentication Solution Components
Presidential Initiative (GSA Gateway)
- The GSA Gateway is the Presidential Initiative solution for
  eAuthentication. USDA's integration approach is to create a single
  point of integration with the GSA Gateway, through the USDA
  eAuthentication solution.
- The USDA eAuthentication solution and GSA Gateway integration will
  occur once the Gateway is complete
- An integration proof-of-concept is planned for August, 2003
- Applications will integrate with the USDA eAuthentication solution,
  which will connect to the GSA Gateway, so each agency application will
  not have to be integrated separately with the GSA Gateway
- Upon completion, Agency applications will receive the benefits of the
  GSA Gateway
[Diagram; labels: USDA eAuthentication, Agency Web Servers, USDA Logon Servers, Internet, GSA Gateway, ECP (three instances)]

13. Agency Integration Responsibilities
[Timeline chart covering July, August, September and October; tasks shown:]
- eForms System Test
- eForms System Go-Live
- Design eForms System
- Build eForms System
- ID 03 Funding
- ID 04 Funding
- Process OMB Approvals
- Develop On-Line Alternatives Communications plan
- Publish Communications
- Confirm GPEA Functional Team
- Create Technical Design for eAuth components
- Request eRecords Disposition Authority
- Build Technical eAuth components
- Confirm GPEA Technical Team
- Certify LRA process
- Implement eAuth Registration Components
- Design eAuth Registration Components
- Train LRAs
- Select Forms tool(s)
- Train Agency Admins
- Implement eAuth Identity Access Management Components
- Design eAuth Identity Access Management Components
- ID GPEA-Compliant Interactions
- Oct 21 GPEA Deadline
- Build Coordination Meetings
- Production Readiness
- eForms/eAuth Design Meetings
- Test/Certification Meetings
- Complete Authentication Impact Profile Assessment

14. Agency Integration Responsibilities
Technical Solution
- Create web application on supported web server
- Assist in installation of web enforcer
- Decide what user information your agency applications need to receive
  from the central user store in the form of header variables
- Give eAuthentication team information to integrate new enforcer into
  eAuthentication system
- Build web pages to collect any additional user information for
  authorization
[Diagram; labels: OCIO, Agency, Test Environments, Identity Management Services Pages, Web Farm Hosting Environment]

15. Agency Integration Responsibilities
Identity and Access Management
- Build a process to decide whether a user should be allowed to access
  your agency's applications
- If that process requires any user information that is not collected by
  the central registration procedure, build authorization registration
  web pages to collect this information (including company
  representation)
- Designate and train agency administrators to authorize users in the
  eAuthentication system for agency applications
- Maintain a list of customer/company representative relationships
- Map USDA Customer IDs to Agency Customer IDs
[Diagram; labels: OCIO, Agency, Users, Password Services, User Self-Administration, Delegated Administration, Identity Management Services Pages, User Stores, Help Desk, Authorization Processes and Role Definition, Authorization Pages]

16. Agency Integration Responsibilities
Registration Process
- Determine if Service Centers will provide Local Registration Authority
  (LRA) services for your user population
- If not, create identity proofing processes and training for your LRAs
  following USDA standards
- Communicate registration processes and requirements to your users
[Diagram; labels: OCIO, Agency, Users, Level 1 Self-Registration, Email Verification, Level 2 LRA Registration, Level 2 In-Person Registration, Service Center Agencies, Agency-Specific LRAs, Authentication Registration Pages, Identity Proofing Procedure, User Stores]

17. Agency Integration Responsibilities
Presidential Initiative (GSA Gateway)
- Integrate with USDA eAuthentication solution
- Alert USDA eAuthentication team of any applications/interactions that
  require higher levels of credentials than the eAuthentication
  passwords (through the online tool)
- Work with eAuthentication team to identify sources of credentials from
  GSA Gateway providers
[Diagram; labels: OCIO, USDA eAuthentication, Agency Web Servers, USDA Logon Servers, Internet, GSA Gateway, ECP (three instances)]

19. eAuthentication Costs
- The fixed and variable costs for the eAuthentication initiative are
  broken out as follows:
  - FY 2003 Total Costs: 1,550,000
  - FY 2004 Total Costs: 5,700,000
  - FY 2004 Variable Costs: 1,525,000
  - FY 2004 Fixed Costs: 4,175,000
- Cost distribution calculations/algorithms need to be created quickly.
  Any suggestions on how the cost should be allocated?

20. eAuthentication Resource Needs
- USDA eAuthentication Solution Team
  - Technical Services Team
  - Integration Team
- Agency Solution Team
  - Integration Team
    - Business process and user communities expertise
  - Technical Team
    - Developers representing the Agency application

22. Questions and Answers

23. For More Information
For more information on the eAuthentication Initiative, please review the
eAuthentication Frequently Asked Questions on the eGovernment site:
http://www.egov.usda.gov/resources/teamspace/team_resources.html
Please contact the eGovernment team for username and password.