Federal e-Authentication Initiative: Federated Identity and Interoperability
David Temoshok, Director, Identity Policy and Management
GSA Office of Governmentwide Policy
The E-Authentication Initiative
August 20, 2004
President’s Management Agenda
• 1st Priority: Make Government citizen-centered.
• 5 Key Government-wide Initiatives:
  Strategic Management of Human Capital
  Competitive Sourcing
  Improved Financial Performance
  Expanded Electronic Government
  Budget and Performance Integration
PMC E-Gov Agenda (initiative and lead agency)

Government to Government:
1. e-Vital (business case) (Lead: SSA)
2. Grants.gov (Lead: HHS)
3. Disaster Assistance and Crisis Response (Lead: FEMA)
4. Geospatial Information One Stop (Lead: DOI)
5. Wireless Networks (Lead: FEMA)

Internal Effectiveness and Efficiency:
1. e-Training (Lead: OPM)
2. Recruitment One Stop (Lead: OPM)
3. Enterprise HR Integration (Lead: OPM)
4. e-Travel (Lead: GSA)
5. e-Clearance (Lead: OPM)
6. e-Payroll (Lead: OPM)
7. Integrated Acquisition (Lead: GSA)
8. e-Records Management (Lead: NARA)

Government to Business:
1. Federal Asset Sales (Lead: GSA)
2. Online Rulemaking Management (Lead: EPA)
3. Simplified and Unified Tax and Wage Reporting (Lead: Treasury)
4. Consolidated Health Informatics (business case) (Lead: HHS)
5. Business Gateway (Lead: SBA)
6. Int’l Trade Process Streamlining (Lead: DOC)

Government to Citizen:
1. USA Service (Lead: GSA)
2. EZ Tax Filing (Lead: Treasury)
3. Online Access for Loans (Lead: DoEd)
4. Recreation One Stop (Lead: DOI)
5. Eligibility Assistance Online (Lead: Labor)

Cross-cutting Infrastructure: eAuthentication (Lead: GSA)
The Starting Place for e-Authentication: Key Policy Points
For Governmentwide deployment:
• No National ID.
• No National unique identifier.
• No central registry of personal information, attributes, or authorization privileges.
• Different authentication assurance levels are needed for different types of transactions.
And for the e-Authentication technical approach:
• No single proprietary solution.
• Deploy multiple COTS products -- user’s choice.
• Products must interoperate together.
• Controls must protect privacy of personal information.
Definitions
Identity Authentication—process of establishing confidence in claimed identity of users electronically presented to an information system.
Authorization—identifying a person’s user permissions to determine what he/she is allowed to do.
Attribute—a distinct characteristic of a user. Attributes describe a property associated with the user (e.g., age, height, eye color, religion, occupation, organizational role).
The E-Authentication Service Concept
Parties: Application User, Access Point, Credential Service Provider, Agency Application.
Step 1: At the access point (portal, agency Web site, or credential service provider) the user selects the agency application and credential provider.
Step 2:
• User is redirected to the selected credential service provider.
• If the user already possesses a credential, the user authenticates.
• If not, the user acquires a credential and then authenticates.
Step 3: The credential service hands off the authenticated user to the agency application she selected at the access point.
Central Issue with Federated Identity – Who do you Trust?
Candidate participants in a trust network, by sector:
• Governments: Federal, States/Local, International
• Higher Education: Universities, PKI Bridge
• Healthcare: American Medical Association, Patient Safety Institute
• Travel Industry: Airlines, Hotels, Car Rental, Trusted Traveler Programs
• E-Commerce Industry: ISPs, Internet Accounts, Credit Bureaus, eBay
• Financial Services Industry: Home Banking, Credit/Debit Cards
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.
The Need for Federated Identity Trust and Business Models
Technical issues for sharing identities are being solved, but slowly.
Trust is the critical issue for deployment of federated identity. Federated ID networks have a strong need for trust assurance standards:
• How robust are the identity verification procedures?
• How strong is this shared identity?
• How secure is the infrastructure?
Common business rules are needed for federated identity to scale: N² bilateral trust relationships are not a scalable business process. Common business rules are needed to define:
• Trust assurance and credential strength
• Roles and responsibilities of IDPs and relying parties
• Liabilities associated with use of 3rd-party credentials
• Business relationship costs
• Privacy requirements for handling Personally Identifiable Information (PII)
The Federal e-Authentication Initiative will provide a trust framework to integrate policy, technology, and business relationships across disparate and independent identity systems.
Multiple Authentication Assurance Levels to meet multiple risk levels
[Figure: transactions plotted against increasing need for identity assurance (Low/Standard, Medium, High, Very High) and increased cost.
Transactions, from lowest to highest assurance: Surfing the Internet; Access to Protected Website; Applying for a Loan Online; Obtaining Govt. Benefits; Employee Screening for a High Risk Job.
Credential types, from lowest to highest assurance: Click-wrap and PIN/Password (knowledge-based); PKI/Digital Signature; Multi-Factor Token.]
Authentication Assurance Levels
M-04-04: E-Authentication Guidance for Federal Agencies establishes 4 authentication assurance levels.
NIST SP800-63 Electronic Authentication: NIST technical guidance to match technology implementation to a level.
Level 1: Little or no confidence in asserted identity (e.g., self-identified user/password)
Level 2: Some confidence in asserted identity (e.g., PIN/Password)
Level 3: High confidence in asserted identity (e.g., digital cert)
Level 4: Very high confidence in the asserted identity (e.g., Smart Card)
e-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels for Governmentwide use (OMB M-04-04 Federal Policy Notice 12/16/03)
2. Establish standard methodology for e-Authentication risk assessment (ERA)
3. Establish technical assurance standards for e-credentials and credential providers (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (Credential Assessment Framework)
5. Establish trust list of trusted credential providers for govt-wide (and private sector) use
6. Establish common business rules for use of trusted 3rd-party credentials
e-Authentication Trust and Interoperability
The e-Authentication Initiative acts as Trust Broker to provide Trust Assurance services for Federal Agencies:
• Manages relations among Agency Applications (relying parties) and Credential Service Providers (issuers)
• Administers Authentication Policy Framework
• Establishes and administers common business rules for the relationships among the parties
• Administers common interface specs
• Performs credential assessments
• Authorizes CSPs on trust list according to standardized assurance levels
• Provides C & A and regular audit & ensures compliance
[Figure: Trust Broker at the center, connected to IDPs and AAs through Common Policies & Business Rules and Common Interface Specs; caption: Policy, Technical, & Business Interoperability]
e-Authentication Technical Interfaces – Base Case
Step #1: User goes to Portal to select the AA and CS.
Step #2: The user is redirected to the selected CS with an AA identifier. The portal also cookies the user with their selected CS.
Step #3: The CS authenticates the user and hands them off to the selected AA with their identity information. The CS also cookies the user as Authenticated.
Data/Information Flows
Step #1: No PII is presented to the portal, no transaction data is recorded, no system of records is maintained.
Step #2: For Federal CSPs, no new PII is created. Users simply sign on using previously established processes with the CSP (PIN, Password). PINs and Passwords are expressed only to the CSP, not to the e-Auth Portal or AA.
Step #3: For Assurance levels 1 and 2, the CSP will need to provide users’ common name + assurance level (at a minimum) to the AA. PII is protected in transmission through SOAP/SSL.
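The base case flow above, together with the trust list and assurance levels from the trust model slide, as an added example that is not from the presentation or from the e-Authentication program's own code. The trust list, CSP user stores and function names are assumptions; it generalizes Step #3 slightly by having the AA compare the CSP's trust-list level against the level its own risk assessment requires.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed trust list (assumption): each approved CSP and the M-04-04 assurance
# level (1-4) the Trust Broker's credential assessment authorized it for.
TRUST_LIST = {"csp-agency-pin": 2, "csp-pki-bridge": 3, "csp-smartcard": 4}

# Constructed CSP user stores (assumption). Only the CSP ever sees the PIN/password.
CSP_USERS = {"csp-agency-pin": {"jdoe": "1234"}, "csp-pki-bridge": {"asmith": "cert-ok"}}


@dataclass
class Assertion:
    """What the CS hands to the AA in Step #3: common name + assurance level, no secret."""
    csp: str
    common_name: str
    assurance_level: int


def portal_select(aa: str, csp: str) -> dict:
    """Step #1: user selects the AA and CS at the portal.
    The portal keeps only the AA identifier and the selected CS (its cookie); no PII."""
    if csp not in TRUST_LIST:
        raise ValueError(f"{csp} is not on the trust list")
    return {"aa": aa, "csp_cookie": csp}


def cs_authenticate(session: dict, user: str, pin: str) -> Optional[Assertion]:
    """Step #2: the user is redirected to the selected CS and signs on there.
    The PIN/password is checked only by the CS; the portal and AA never receive it."""
    csp = session["csp_cookie"]
    if CSP_USERS.get(csp, {}).get(user) != pin:
        return None
    return Assertion(csp=csp, common_name=user, assurance_level=TRUST_LIST[csp])


def aa_accept(assertion: Optional[Assertion], required_level: int) -> bool:
    """Step #3: the AA accepts the hand-off only if the asserting CS is on the trust list
    and the level the Trust Broker authorized it for meets the level the AA's risk
    assessment requires. The trust-list value is used, not the level claimed in the
    assertion, so an inflated claim cannot raise the effective assurance."""
    if assertion is None or assertion.csp not in TRUST_LIST:
        return False
    return TRUST_LIST[assertion.csp] >= required_level


def run_base_case(aa: str, csp: str, user: str, pin: str, required_level: int) -> bool:
    """Drive Steps #1-#3 end to end and report whether the AA admitted the user."""
    session = portal_select(aa, csp)
    return aa_accept(cs_authenticate(session, user, pin), required_level)
```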
The Challenge - Interoperability Across Similar Products
Multiple SAML 1.0 Products
Technical interoperability can be assured only through testing that all products deployed in the Federation can interoperate.
[Figure: Trust Broker with IDPs, RPs and an IDP/RP, each running a different SAML 1.0 product (Product 1 through Product 7), bound by one Common Interface Spec and Common Policies & Business Rules; caption: Policy, Technical, & Business Interoperability]
Bigger Challenge - Interoperability Across Protocols
Multiple SAML 1.0, 1.1, Liberty Products
Interoperability testing becomes much more complex when multiple products and protocols are deployed across entities participating in the Federation(s).
[Figure: Trust Broker with a Protocol Translator, IDPs, RPs and IDP/RPs running SAML 1.0, SAML 1.1 and Liberty Alliance SAML products, bound by Multiple Interface Specs and Common Policies & Business Rules; caption: Policy, Technical, & Business Interoperability]
Federal Interoperability Lab
• Tests interoperability of products for participation in the e-Authentication architecture.
• Conformance testing to the Federal e-Authentication Interface Specification; interoperability testing among all approved products.
• Currently 5 SAML 1.0 products on the Approved Product List. See URL: http://cio.gov/eauthentication
• The Federal e-Authentication Program will adopt additional schemes: SAML 1.1, SAML 2.0, Liberty Alliance, Shibboleth.
• A Protocol Translator is required for the technical architecture.
• Multiple-protocol interoperability testing will be very complex.
• The Federal Government will operate the Interoperability Lab until protocol/product convergence or an industry test lab is in place.
• The Approved Products List is publicly available.
The Need for the Electronic Authentication Partnership
Interoperability for: Federal Government, State/Local Governments, Industry
Policy:
• Authentication
• Assurance levels
• Credential Profiles
• Accreditation
• Business Rules
• Privacy Principles
Technology:
• Adopted schemes
• Common specs
• User Interfaces
• APIs
• Interoperable COTS products
• Authz support
[Figure: IDPs and RPs linked through Commercial Trust Assurance Services and Common Business and Operating Rules; caption: Policy, Technical, & Business Interoperability]
http://www.eapartnership.org/
For More Information
David Temoshok
Phone: 202-208-7655
E-mail: [email protected]
Websites:
http://cio.gov/eauthentication
http://www.eapartnership.org/
http://cio.gov/fpkipa