
GFIPM: Enabling Federated Identity and Single Sign-on. John Ruegg, LA County Information Systems Advisory Body, June 11, 2014.



Presentation transcript:


2. What is Federated Identity?
You trust an external partner organization to vet their users, issue local authentication tokens, assert user/system identities and privilege attributes, and locally authenticate their users BEFORE they can be granted access to your system: a Trusted Identity Provider (IdP), aka Claims Provider.
Your system relies on the identity credentials provided by the IdP to make access and authorization decisions: a Service Provider (SP), aka Relying Party.
IdPs and SPs have mutual technical and policy obligations to meet for participation in the Identity Federation.

3. What is Federated Identity?
You trust a 3rd party or external partner organization to vet their users, issue local authentication tokens, assert user/system identity and privilege attributes, and locally authenticate their users BEFORE they can be granted access to your system: a Trusted Identity Provider (IDP), aka Claims Provider.
Your system relies on the identity information provided by the IDP to make access and authorization decisions: a Service Provider (SP), aka Relying Party.
IDPs and SPs have mutual technical and policy obligations to meet for participation in the Identity Federation.
(Graphic labels: "Justice XML Inside", "GFIPM Attributes Inside")

4. Basic Concepts of GFIPM (diagram)
Parties: Data Requester; Identity Provider (Local Authentication, Global FIPM User Assertion); Data Service Provider (Local Access Policy); Federation.
Message flow: 1 Data Request; 2 Assertion Authentication Request; 3 Local Authentication; 4 Assertion Authentication Response; 5 Data Service Response.

5. Federation Terminology
A Trusted Identity Provider (IdP) or Claims Provider
– Vets and ID-proofs users, authenticates users, issues Federated ID credentials, maintains user identity and privilege attributes
Service Provider (SP) or Relying Party
– Consumes Federated IDs and asserted attributes from IdPs and Attribute Authorities to make authorization decisions
Attributes: Identification and Privilege Data Tags
– Example: a DMV-issued Driver's License card lists identification attributes such as Name, Sex, DOB, Address, with driving privilege attributes such as Commercial Truck license, Motorcycle license
– GFIPM has a dictionary of defined Identity and Privilege Attributes
Digitally Signed "Trust File"
– Contains the names, attributes, and certificates of each IdP and SP, which make up the set of Federation members (note: SAML metadata file)

6. Service Providers (SP) Control Their Access Policy Rules
SERVICE: TX Criminal Law Enforcement Reporting and Information System (CLERIS)
ACCESS POLICY:
– Sworn Law Enforcement Officer Asserted
– Criminal Investigative Search Privilege Asserted OR (Criminal Intel Search Privilege Asserted AND 28CFR Certification Asserted)
– Identity Proofing Assurance Asserted and = NIST4
– Electronic Identity Assurance Asserted and ≥ NIST3
– Audit Attributes Provided*
*First Name, Last Name, Phone Number, User Federation ID, Organization Name, Identity Provider, Address
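The CLERIS rule set above is a plain boolean policy over asserted attributes, which makes it a good illustration of how an SP evaluates a federated assertion locally. The following Python is an added example, not CLERIS or GFIPM code: it implements exactly the five conditions on the slide, denies by default when an attribute is absent, and reports every failed condition so an audit log can record why access was refused. The attribute keys (`sworn_law_enforcement_officer`, `first_name`, and so on) are constructed stand-ins for the GFIPM metadata names, and the NIST assurance levels are compared as ordinals so "≥ NIST3" can be tested.

```python
"""Evaluate the CLERIS access policy from the slide over a dict of asserted attributes.

Added example; the attribute keys are constructed stand-ins, not GFIPM metadata names.
"""

# NIST SP 800-63 assurance levels are ordinal, so map them to integers for "≥" comparisons.
NIST_LEVELS = {"NIST1": 1, "NIST2": 2, "NIST3": 3, "NIST4": 4}

# Audit attributes the SP requires (the slide's footnote), as constructed key names.
AUDIT_ATTRIBUTES = ("first_name", "last_name", "phone_number", "federation_id",
                    "organization_name", "identity_provider", "address")


def evaluate_cleris_policy(attrs):
    """Return (granted, reasons) for one asserted attribute set.

    Every rule on the slide must hold; a missing attribute is treated as "not asserted",
    so the decision is deny-by-default. Boolean privileges count only when asserted as True.
    """
    reasons = []
    if attrs.get("sworn_law_enforcement_officer") is not True:
        reasons.append("Sworn Law Enforcement Officer not asserted")

    # Criminal Investigative Search OR (Criminal Intel Search AND 28CFR Certification)
    cis = attrs.get("criminal_investigative_search_privilege") is True
    ci = attrs.get("criminal_intel_search_privilege") is True
    cfr28 = attrs.get("28cfr_certification") is True
    if not (cis or (ci and cfr28)):
        reasons.append("search privilege rule not satisfied")

    # Identity Proofing Assurance must equal NIST4 (equality, as the slide states it)
    if attrs.get("identity_proofing_assurance") != "NIST4":
        reasons.append("Identity Proofing Assurance must be NIST4")

    # Electronic Identity Assurance must be at least NIST3; unknown levels rank as 0
    eia = NIST_LEVELS.get(attrs.get("electronic_identity_assurance"), 0)
    if eia < NIST_LEVELS["NIST3"]:
        reasons.append("Electronic Identity Assurance must be at least NIST3")

    # All audit attributes must be present and non-empty so the access can be attributed
    missing = [name for name in AUDIT_ATTRIBUTES if not attrs.get(name)]
    if missing:
        reasons.append("audit attributes missing: " + ", ".join(missing))

    return (not reasons, reasons)


# Constructed sample assertions (not real users or organizations).
OFFICER = {
    "sworn_law_enforcement_officer": True,
    "criminal_intel_search_privilege": True,
    "28cfr_certification": True,
    "identity_proofing_assurance": "NIST4",
    "electronic_identity_assurance": "NIST3",
    "first_name": "Jane", "last_name": "Doe", "phone_number": "555-0100",
    "federation_id": "idp.example.org:jdoe", "organization_name": "Example County Sheriff",
    "identity_provider": "https://idp.example.org", "address": "1 Main St, Example, TX",
}

# Same person asserted without the 28CFR certification and at a lower assurance level.
ANALYST = {k: v for k, v in OFFICER.items() if k != "28cfr_certification"}
ANALYST["electronic_identity_assurance"] = "NIST2"

if __name__ == "__main__":
    for label, attrs in (("officer", OFFICER), ("analyst", ANALYST)):
        granted, reasons = evaluate_cleris_policy(attrs)
        print(label, "PERMIT" if granted else "DENY", reasons)
```

The SP never inspects how the IdP authenticated the user; it only checks what was asserted, which is why the assurance-level attributes are part of the rule rather than an afterthought.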

7. Summary of Identity Federation Components
1. A process for establishing trust of electronic credentials and attributes issued by external partner or third-party organizations
2. Conformance to one or more technical Federation Standard(s) for conveying Federated IDs and attributes to one or more Service Providers (Relying Parties) (e.g. SAML Single Sign-on for Web Browsers)
3. Utilization of a common vocabulary of Identity and Privilege Attributes for assertion by IdPs (e.g. GFIPM metadata)
4. Service Providers (Relying Parties) defining the attributes they require to make access control decisions to their resource(s)

8. National Identity Exchange Federation
Online at https://nief.gfipm.net/

9. What is NIEF? National Identity Exchange Federation (NIEF)
NIEF is an instance of the GFIPM Technical and Policy Standards and Guidance:
– An authorized set of Trusted Identity Providers (IdPs)
– An authorized set of Service Providers (SPs)
– IdPs and SPs have mutual technical and policy obligations as specified in the GFIPM Governance Policy Documentation
– All IdPs and SPs must undergo the NIEF formal onboarding process

10. Formal Onboarding Test Suite
Passed all Technical Interoperability Tests for Identity Provider (IDP)?
– All interoperability tests are to be conducted in the GFIPM Reference Federation.
– Use "PASSED" or "FAILED" for status. Also indicate the test date. Use "N/A" if not applicable.
– See Section 6 of the GFIPM Web Browser User-to-System Profile.
– Note: IDPs are not required to be Internet accessible, so many of these tests may not be independently verifiable.
Test items:
– IDP is accessible via HTTPS (HTTP over TLS) only, NOT unencrypted HTTP. Spec requires TLS 1.0, but in practice TLS >1.0 is OK if required by the IDPO's local security policy.
– IDP's TLS cert is signed by a well-known CA. This is necessary for usability; if not, security warnings will appear in browsers.
– IDP accepts AuthnAssertions via SAML HTTP POST or SAML HTTP Redirect binding. This is necessary to support "SP-Initiated" SSO.
– IDP properly signs SAML SSO responses.
– IDP properly signs SAML assertions.
– IDP properly encrypts SAML assertions.
– IDP properly uses SAML RelayState when posting SAML responses to SPs. For solicited responses, this requires copying the RelayState as-is from the corresponding AuthnRequest. For unsolicited responses, this is the destination URL at the SP.
– IDP uses appropriate SAML NameID formats. Must use the NameID format requested in the AuthnRequest, OR the format specified in SAML Metadata (trust fabric), OR default to one of the SAML SSO profile's required formats.
– IDP includes a SAML attribute statement in its SAML assertions. Rules pertaining to individual attributes in the attribute statement are enumerated below.
– IDP asserts ALL of NIEF's "mandatory" attributes. See the GFIPM Metadata 2.0 NIEF Profile for mandatory attributes (available for download on the NIEF Portal). Attribute names and attribute name types must BOTH be correct.
– IDP asserts most or all of NIEF's "recommended" attributes. See the GFIPM Metadata 2.0 NIEF Profile (available for download on the NIEF Portal). Enumerate all recommended attributes that are NOT asserted by the IDP.
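Most of the test items above are checks an SP can run on every SAML response it receives, not only during onboarding: trust-fabric membership, HTTPS endpoints, signatures on both the Response and the Assertion, correct RelayState handling for solicited versus unsolicited responses, an acceptable NameID format, and a complete attribute statement. The Python below is an added example, not NIEF's test suite or any GFIPM tool, and it uses only the standard library. It checks document structure only: whether a `ds:Signature` is present, not whether it verifies, since real verification and assertion decryption need an XML-DSig library such as xmlsec. The trust-fabric entry, the SAML Response text, the mandatory attribute names (stand-ins for the NIEF profile's list) and the default NameID format set are all constructed for the example.

```python
"""Structural conformance checks for a SAML 2.0 SSO Response against the onboarding test items.

Added example, not NIEF code. Presence of ds:Signature is checked, not its validity;
use an XML-DSig library for cryptographic verification and for decrypting assertions.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Assumed fallback set; the SAML SSO profile and the NIEF profile govern the real list.
DEFAULT_NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                          "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"}
# Placeholder names standing in for the GFIPM Metadata 2.0 NIEF Profile's mandatory list.
MANDATORY_ATTRIBUTES = ("gfipm:2.0:user:GivenName", "gfipm:2.0:user:SurName",
                        "gfipm:2.0:user:FederationId")
# Constructed trust-fabric entry: what the signed SAML metadata records for one IdP.
TRUST_FABRIC = {"https://idp.example.org/saml": {
    "sso_endpoint": "https://idp.example.org/saml/sso", "nameid_formats": []}}


def check_saml_response(xml_text, relay_state, expected):
    """Return the list of failed checks (empty means every structural check passed).

    relay_state: the RelayState form field posted alongside the response.
    expected: {"request_id", "relay_state", "requested_nameid_format"} for the
    outstanding AuthnRequest (values may be None when nothing is outstanding).
    """
    failures = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    issuer = root.findtext("saml:Issuer", "", NS)
    idp = TRUST_FABRIC.get(issuer)
    if idp is None:
        failures.append("issuer %r is not in the trust fabric" % issuer)
    elif not idp["sso_endpoint"].startswith("https://"):
        failures.append("IdP SSO endpoint is not HTTPS-only")
    if not (root.get("Destination") or "").startswith("https://"):
        failures.append("Destination is not an HTTPS endpoint")
    if root.find("ds:Signature", NS) is None:  # direct child of the Response only
        failures.append("SSO response is not signed")
    in_response_to = root.get("InResponseTo")
    if in_response_to:  # solicited (SP-initiated): RelayState must be echoed as-is
        if in_response_to != expected.get("request_id"):
            failures.append("InResponseTo does not match the outstanding AuthnRequest")
        if relay_state != expected.get("relay_state"):
            failures.append("RelayState was not copied as-is from the AuthnRequest")
    elif not (relay_state or "").startswith("https://"):  # unsolicited (IdP-initiated)
        failures.append("unsolicited response lacks an SP destination URL in RelayState")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            failures.append("assertion is encrypted: decrypt it before the assertion checks")
        else:
            failures.append("response carries no assertion")
        return failures
    if assertion.find("ds:Signature", NS) is None:
        failures.append("assertion is not signed")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    requested = expected.get("requested_nameid_format")
    # Requested format wins; otherwise metadata formats plus the profile defaults.
    allowed = {requested} if requested else (
        set(idp["nameid_formats"] if idp else []) | DEFAULT_NAMEID_FORMATS)
    if fmt not in allowed:
        failures.append("NameID format %r is not acceptable" % fmt)
    stmt = assertion.find("saml:AttributeStatement", NS)
    if stmt is None:
        failures.append("assertion has no AttributeStatement")
        return failures
    # Both the attribute Name and its NameFormat must be correct.
    asserted = {a.get("Name"): a.get("NameFormat") for a in stmt.findall("saml:Attribute", NS)}
    for name in MANDATORY_ATTRIBUTES:
        if name not in asserted:
            failures.append("mandatory attribute %s is missing" % name)
        elif asserted[name] != URI_NAME_FORMAT:
            failures.append("mandatory attribute %s has the wrong NameFormat" % name)
    return failures


def _attr(name):
    """Build one constructed saml:Attribute element with the uri NameFormat."""
    return ('<saml:Attribute Name="%s" NameFormat="%s"><saml:AttributeValue>x'
            '</saml:AttributeValue></saml:Attribute>' % (name, URI_NAME_FORMAT))


# Constructed solicited SAML Response (signature values are placeholders, not real signatures).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" InResponseTo="_req1" Destination="https://sp.example.gov/saml/acs">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>RESPONSE-SIG-PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>ASSERTION-SIG-PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u123</saml:NameID></saml:Subject>
    <saml:AttributeStatement>%s</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % "".join(_attr(n) for n in MANDATORY_ATTRIBUTES)

# What the SP remembered when it sent its AuthnRequest (constructed).
SP_EXPECTED = {"request_id": "_req1", "relay_state": "state123", "requested_nameid_format": None}

if __name__ == "__main__":
    print(check_saml_response(GOOD_RESPONSE, "state123", SP_EXPECTED))  # [] when conformant
```

Because each failed item is reported separately, the same function doubles as an onboarding report: the IdP owner gets the list of "FAILED" rows rather than a single rejection.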

11. Trusted IdP/SP Agreement
– Provide support for a Federated ID electronic credential with the broadest acceptance by multiple jurisdictions and organizations (similar to the goals of a U.S. Passport or a state Driver's License credential).
– Provide technical interoperability testing/support with multiple Open Source and Commercial Federation software products.
– Maintain and field test GFIPM Technical/Management Standards: Backend Attribute Exchange (BAE) pilot testing; Attribute Authority access; OpenID Connect; REST/JSON standard for mobile application federated ID; FICAM alignment certification (optional).
An operational Identity Federation for Federal, State, local Justice and Public Safety organizations and partners using a consistent process for onboarding IDPs and SPs.

12. GFIPM Governance Model
– Representative Federation Governance: scope of governance is limited to ID and privilege management issues and underlying inter-agency trust; governance of federation services is outside scope.
– Formal Application and Onboarding Processes.
– Formal Interoperability Testing Process: tests are done in a non-live "reference" federation.
– A "Federation Manager" agency provides support for the Governance Process.

13. GFIPM Governance Model

14. Federation Management Role
Onboarding IdPs and SPs
– Agreements / MOU for an IdP or SP
– Review of submitted Security Practices Documentation
– Verification and Interoperability Testing of the IdP/SP
– Approval of the IdP/SP
Documentation and documented roles/responsibilities for the IdP and SP per an Onboarding Federation Agreement
Ongoing Maintenance
– Monitor online/offline status of IdP/SP
– Publish new IdPs and SPs to the Federation Directory of Services
– Update contact information
– Provide help desk triage
– Distribute updates to the "Crypto-Trust File" [new IdP/SP]

15. Federation Management Role (continued)
If required, establish a legal entity for signed IdP/SP agreements with the Federation
– Define IdP/SP audit requirements
– Define dispute resolution process
– Establish liability insurance
– Define process for removing an IdP/SP from the "Crypto-Trust File"

16. Connecting to Federated Partners

17. (Diagram labels) GFIPM Federation; Secured Internet (https with mutual authentication); RISS; STATE & LOCAL Fusion Centers; CJIS FBI Portal; CONNECT PROJECT (Alabama, Florida, Kansas, Nebraska, Tennessee, Utah, Wyoming); LA COUNTY CCHRS; SAN DIEGO COUNTY ARJIS; CISA; Pennsylvania JNET

18. NIEF Website
Provides public-facing info about NIEF online:
– List of Current Members
– Instructions for Prospective Members
– Frequently Asked Questions
– Contact Info
Online at https://nief.gfipm.net/

19. System-to-System: SOA Use Case

20. GFIPM Web Services Model #1

21. GFIPM Web Services Model #2

22. GFIPM Solutions Benefits
– Provide More Data for your User Base
– Provide your Data to a Larger User Base
– Reduce or Eliminate External System Access and Administration
– Secured System Data Exchange
– No Mandate, but Must Interoperate
– Single, Reusable Infrastructure and Security Framework for Secured National Sharing

23. GFIPM Solutions Benefits
– Cost-effective Solution
– Leverage Local Identity Management Systems and Policies (closest to the user)
– User Identity Information is Maintained in ONE Place with the Local Organization Identity Management System (IdP)
– User Authenticates once to the Local IdP and Uses that Single Sign-on (SSO) to Gain Access to Multiple Authorized Federated Systems
– Federation System Using the Standard NIEM Justice Identity Credential: Integration is Simplified

24. GFIPM Reference Federation
– Managed by GTRI for Interoperability Testing by all GFIPM Stakeholders
– Used by NIEF as Part of the Onboarding Test Process prior to Live Onboarding
– Info available at the GFIPM Implementation Portal

