
Federal CIO Council Information Security and Identity Management Committee Externalizing Authentication Federal ICAM Day June 18, 2013.


1 Federal CIO Council Information Security and Identity Management Committee Externalizing Authentication Federal ICAM Day June 18, 2013

2 Panel Participants
- Phil Wenger, OMB
- Douglas Glair, USPS
- Anil John, GSA (Moderator)

3 Phil Wenger, OMB

4 Externalizing Authentication using MAX Authentication as a Service (AaaS) Phil Wenger, OMB June 2013 ICAM Information Sharing Day and Vendor Expo

5 Key Takeaways
- Understand the MAX Ecosystem
- Understand how Agencies can externalize authentication using MAX's Shared Credentialing, Provisioning, Authentication, and Authorization Services

6 A Complete Cloud Services Platform (Enabling the Shared First and Cloud First eGov Policies)
- Identity Management & SSO
- Collaboration
- Analytics
- Data Collections & Surveys
- Web Meetings
- Remote Desktops for Telework
- Federated Search
- Wiki & Web Content
- Document Management
- Social Networking & Publishing
- Government-wide Directory

7 MAX AaaS provides Government-wide ID
Scope of use (innermost to outermost):
- Intra-agency
- Inter-agency / Government-to-Government (Policymaking, Management and Budget class of activities)
- State, Local, International, and Non-Governmental Partners
- The Public
Notes:
- Available for use by agencies for both cross-government and intra-agency activities
- User accounts available for interactions with non-governmental partners in secure Enclaves
- Plus state, local, international, & non-governmental partner users

8 What MAX AaaS Provides to Agencies
Immediate Government-wide Identity:
- Allow citizen access to agency websites using NSTIC or anonymous logins while enforcing admin access via MAX ID
- Use government-wide organic and organizational MAX groups for role-based access control and fine-grained permissions
Rapid HSPD-12, DOD CAC PIV Implementation:
- Use MAX PIV validation service to meet eGov policies (OMB M-11-11, M-10-28)
- Use MAX PIV to SAML gateway service to map 2-factor identity to agency logins or MAX ID
Federation and Multi-Agency Single Sign-on:
- Federate MAX Authentication with your Agency's Active Directory
- Federate MAX Authentication with SAML 2.0 Single Sign-on (SSO)

9 MAX AaaS Solution Benefits
- Instant Deployment: Cloud based; C&A'd FIPS 199 FISMA Moderate; Mission-critical use
- Low Total Cost of Ownership: No new software to build or license
- Self-service delegated administration: Eases management burden
- Dual authentication: Augments existing identities
- Government-wide Directory: Automatically Maintained

10 MAX AaaS - Scope
- Auto Registration: .mil and other domains
- 120+ Agencies
- 300+ Bureaus
- 85,000+ users
- 6,000+ user groups
- Thousands of HSPD-12 users from 90+ agencies
- Federal, State, Local, International, and Non-government partner users

11 MAX AaaS – Multiple Login Methods
- Web Services that support HSPD-12 and ICAM SAML 2.0 Web Browser SSO Profile
- Can be mapped to your agency ID
- PIV validation and mapping service: full path building, validation, revocation checking; identity data extraction and normalization
- Federate your agency Active Directory or SAML 2.0 instances
- Choose between single-factor, dual-factor, or federated login

12 How Agencies have Externalized Authentication using MAX AaaS Today
(Diagram: MAX ID at the center, serving MAX Apps, Other Apps, eGov Apps, and Agency Apps, with Active Directory federation.)
- eGov Apps: IT Dashboard, Data.Gov, Performance.Gov
- Agency Apps: DOJ CyberScope
- MAX Apps: BFEM, MAX A11, Apportionment
- Other Apps: Adobe Connect Online Meetings, Wordpress, Drupal
- Active Directory

13 MAX Authentication as a Service (AaaS) – Sponsored by the Budget Formulation and Execution Line of Business (BFELoB)
BFELoB Organization and Contacts:
- Executive Sponsor: Courtney Timberlake, Assistant Dir. for Budget, OMB
- Managing Partner: Tom Skelly, Director of Budget Service, Education
- Policy Lead: Andy Schoenbach, Chief, Budget Systems Branch, OMB
- Deputy Policy Lead: Phil Wenger, Budget Systems Branch, OMB
- Program Management Office Lead: Mark Dronfield, Education
- MAX Authentication Lead: Barry Napear, Budget Systems Branch, OMB
- MAX Architect: Shahid Shah, Budget Systems Branch (CTR), OMB
Learn More about the Budget LoB: Visit
Contact the Budget LoB:
Contact MAX Support: 202


15 MAX AaaS: Full featured identity services
- Self-Service Provisioning: Self service registration and account management; Auto-provisioning (.mil, etc.); Identity assurance for Levels 2 and 3
- Common Identity, Profile, and Directory
- Multi-factor Authentication: Single factor (user/password); Multi factor (PIV/PIV-I/CAC); Federated (SAML2, ADFS); Machine2Machine (M2M)
- Delegated Authorization: Group Management; Role Management; Delegated Administration; SAML

16 Self Service User Provisioning Process
Process stages (as laid out on the slide):
- User accepts MAX User Agreement
- Email confirmation sent to user
- MAX validates user's email address
- MAX checks sponsor requirement for outside users
- User self registers online at MAX portal https://max.gov
- Agency user and his/her management defines need to access MAX (employee, contractor, partner)
Less than 5 minutes to get an account for trusted domains

17 Self or Managed Authorization Process
Process stages (as laid out on the slide):
- MAX notifies user and application administrators
- MAX or delegated admin reviews access requests
- User applies for application access via MAX portal
- MAX assigns user to groups, communities and/or applications as authorized by user's management
- User and his/her management defines MAX application and role to access

18 MAX Identity Management (IDM) Services
- JSON based RESTful Web Services
- Provides APIs for MAX Identities, Profiles, Groups, and Authorization data
(Diagram labels: AaaS, IDM, Enhanced)

19 MAX PIV Validation (PV) Services
- Full Path Building, Validation, Revocation Checking
- Identity Data Extraction / Normalization
- PKIF: The PKI Framework
- Provides APIs for PIV/PIV-I/CAC validation and identity data extraction
- Public service available:

20 MAX PIV-to-SAML Translation Services
Flow: Perform MAX PIV Validation -> Map to MAX ID -> Translate to SAML -> Pass Assertion to App
- Performs PIV validation, maps to MAX ID, then translates to SAML
- Apps do not need to be aware of PIV validation details (they are given assurance level as part of SAML assertion)

21 Agency AD/LDAP Integration (Federation) Supports ICAM SAML 2.0 Web Browser SSO Profile

22 MAX HSPD-12 Authentication Process
(Diagram components: SSL/TLS Apache Proxy, CAS, Apps, HSPD-12 Certificate, Internet, Identities Directory, Authenticate)
1. User connects to MAX and receives Login Page
2. User enters user/pass or inserts HSPD-12 card into reader and selects PIV login
3. For HSPD-12 login, browser establishes a TLS connection to Proxy, and Proxy requests a certificate
4. Browser extracts certificate from card and forwards it to Proxy
5. Proxy forwards certificate to CAS
6. CAS matches certificate against Identities Directory
7. CAS extracts MAX ID and user profile information and prepares a SAML assertion
8. CAS "forwards" the SAML assertion to the application requesting authentication (no certificates are exchanged)
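The CAS side of steps 6 through 8 (and the validate -> map -> translate chain of slide 20), as an added illustration that is not MAX's own code. It assumes the PV service has already done path building and revocation checking and reports the result as the path_valid/revoked flags, that the Identities Directory is keyed by the certificate's normalized issuer DN and serial, and that the assurance level is carried as an AuthnContextClassRef using LOA URIs in the style of the ICAM SAML profile (placeholders here); all names and sample data are constructed.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

# Assumed assurance-level context URIs in the style of the ICAM SAML profile (placeholders).
LOA_CONTEXT = {n: f"http://idmanagement.gov/ns/assurance/loa/{n}" for n in (2, 3, 4)}

# Constructed Identities Directory, keyed by normalized (issuer DN, serial) of the PIV cert.
IDENTITIES = {("cn=constructed piv ca,o=example agency,c=us", "0a1b2c"):
              {"max_id": "jdoe", "email": "jane.doe@example.gov", "loa": 4}}

def normalize_dn(dn):
    """Normalize a DN so directory matching is not defeated by case or spacing differences."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def map_piv_to_max_id(cert_identity):
    """Step 6: match the validated certificate's identity data against the Identities Directory.
    An invalid, revoked or unknown certificate yields None, and then no assertion is issued."""
    if not cert_identity.get("path_valid") or cert_identity.get("revoked"):
        return None
    key = (normalize_dn(cert_identity["issuer"]), cert_identity["serial"].lower())
    return IDENTITIES.get(key)

def build_assertion(profile, audience, issuer="https://max.gov/cas", ttl_seconds=300):
    """Step 7: prepare a short-lived, audience-restricted SAML 2.0 assertion carrying the
    MAX ID and the assurance level; no certificate material is included (step 8)."""
    now = datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    a = ET.Element(f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex, Version="2.0",
                   IssueInstant=now.strftime(fmt))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = profile["max_id"]
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=now.strftime(fmt),
                         NotOnOrAfter=(now + timedelta(seconds=ttl_seconds)).strftime(fmt))
    restr = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restr, f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=now.strftime(fmt))
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = LOA_CONTEXT[profile["loa"]]
    return ET.tostring(a, encoding="unicode")

def translate_piv_to_saml(cert_identity, audience):
    """Slide 20 chain: validate -> map to MAX ID -> translate to SAML; None means deny."""
    profile = map_piv_to_max_id(cert_identity)
    return build_assertion(profile, audience) if profile else None
```

The application only ever sees the NameID and the assurance-level context; the serial, issuer and validation flags stay on the CAS side.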

23 Douglas Glair, USPS

24 Federal Cloud Credential Exchange (FCCX) – Doug Glair, Manager, Digital Partnerships and Alliances, United States Postal Service

25 Market Problem (Government) / The Solution (FCCX)
Market Problem (Government):
- Requires Agencies to integrate with multiple Identity Service Providers (IDPs)
- Requires IDPs to integrate with multiple Agencies
The Solution (FCCX):
- Federal Cloud Credential Exchange (FCCX) enables the NSTIC and ICAM vision of interoperable credential usage by allowing agencies to securely interact with a single broker to facilitate the authentication of consumers
- Creates a single interface between Agencies and IDPs
- Speeds up integration
- Reduces costs and complexity

26 NIST Levels of Assurance (LOA) – Complexity & Security
FCCX will integrate with ICAM approved IDPs across the Levels of Assurance (LOA) defined by NIST and approved via the ICAM Trust Framework Solutions
- LOA 1: Little or no confidence in asserted identity – self-assertion. Approved IdPs: Equifax, Google, PayPal, Symantec, VeriSign, Verizon, Wave Systems, Virginia Tech
- LOA 2: Some confidence in asserted identity. Approved IdPs: Symantec, Verizon, Virginia Tech
- LOA 3: High confidence in asserted identity. Approved IdPs: Symantec, Verizon
- LOA 4: Very high confidence in asserted identity. Approved IdPs: PIV/PIV-I Cards

27 FCCX Anticipated User Experience Flow

28
