
1 Federated Identity and Interoperability: Federal e-Authentication Initiative
David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy
The E-Authentication Initiative
Educause Net@EDU Annual Meeting, February 7, 2005

2 Session Objectives
 Provide status of ID Federation efforts in government and industry
 Discuss key infrastructure needed for ID Federation
 Discuss issues related to interoperability for ID Federation
 Discuss Federal e-Authentication initiative infrastructure
 Present the goals of the Electronic Authentication Partnership and how it facilitates identity federation

3 Background
 Industry snapshot: federated identity
- Federated identity definition: agreements, standards and technologies that make identity and entitlements portable across loosely coupled, autonomous domains
- Standards and specifications: Security Assertion Markup Language (SAML) 1.0, 1.1, 2.0; Liberty Alliance, Shibboleth, and Web services security
- Adoption: Burton Group cites over 200 organizations implementing SAML plus other specifications, in multiple industries
- Vendors: multiple identity management and other vendors have implemented SAML and federated identity in COTS products
- Interoperability, trust and deployment are still challenging

4 Identity Federation: Key Interoperability Needs
 Federation Communications (Technical Interoperability)
 Federation Business Relationships (Business Interoperability)
 Federation Trust (Policy Interoperability)
Identity Federations extend beyond today's peer-to-peer, bilateral agreements to build common infrastructure shared among multiple parties.

5 Federation Infrastructure
 Interoperable Technology (Communications)
- Determine the intra-Federation communication architecture
- Administer common interface specifications, use cases and profiles
- Conduct interoperability testing (as needed) against the specifications
- Provide a common portal service (i.e., discovery and interaction services)
 Trust
- Establish a common trust model
- Administer common identity management/authentication policies for Federation members
 Business Relationships
- Establish and administer common business rules
- Manage relations among relying parties and CSPs
- Manage compliance and dispute resolution

6 President's Management Agenda
1st Priority: Make Government citizen-centered.
5 Key Government-wide Initiatives:
 Strategic Management of Human Capital
 Competitive Sourcing
 Improved Financial Performance
 Expanded Electronic Government
 Budget and Performance Integration

7 PMC E-Gov Agenda (lead agency in parentheses)
Government to Citizen:
1. USA Service (GSA)
2. EZ Tax Filing (Treasury)
3. Online Access for Loans (DoED)
4. Recreation One Stop (DOI)
5. Eligibility Assistance Online (Labor)
Government to Business:
1. Federal Asset Sales (GSA)
2. Online Rulemaking Management (EPA)
3. Simplified and Unified Tax and Wage Reporting (Treasury)
4. Consolidated Health Informatics (business case) (HHS)
5. Business Gateway (SBA)
6. Int'l Trade Process Streamlining (DOC)
Government to Government:
1. e-Vital (business case) (SSA)
2. Grants.gov (HHS)
3. Disaster Assistance and Crisis Response (FEMA)
4. Geospatial Information One Stop (DOI)
5. Wireless Networks (FEMA)
Internal Effectiveness and Efficiency (lead agencies: OPM, GSA, NARA):
1. e-Training
2. Recruitment One Stop
3. Enterprise HR Integration
4. e-Travel
5. e-Clearance
6. e-Payroll
7. Integrated Acquisition
8. e-Records Management
Cross-cutting Infrastructure: eAuthentication (GSA)

8 The Starting Place for e-Authentication: Key Policy Points
For Governmentwide deployment:
 No National ID.
 No National unique identifier.
 No central registry of personal information, attributes, or authorization privileges.
 Different authentication assurance levels are needed for different types of transactions.
And for the e-Authentication technical approach:
 No single proprietary solution
 Deploy multiple COTS products (user's choice)
 Products must interoperate together
 Controls must protect the privacy of personal information

9 The Federal E-Authentication Service
Parties in the diagram: User, Access Point (Discovery Portal), Credential Service Provider, Agency Application.
Step 1: At the access point (portal, agency Web site or credential service provider) the user selects the agency application and the credential provider (Discovery Portal).
Step 2: The user is redirected to the selected credential service provider. If the user already possesses a credential, the user authenticates; if not, the user acquires a credential and then authenticates.
Step 3: The credential service hands off the authenticated user to the agency application the user selected at the access point.

10 Central Issue with Federated Identity: Who do you Trust?
Credential communities shown in the diagram:
 Governments: Federal, States/Local, International
 Higher Education: Universities, Higher Education PKI Bridge
 Healthcare: American Medical Association, Patient Safety Institute
 Travel Industry: Airlines, Hotels, Car Rental, Trusted Traveler Programs
 E-Commerce Industry: ISPs, Internet Accounts, Credit Bureaus, eBay Trust Network
 Financial Services Industry: Home Banking, Credit/Debit Cards
Population to serve: 280 Million Americans, Millions of Businesses, State/local/global Govts
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.

11 The Need for Federated Identity Trust and Business Models
 Technical issues for sharing identities are being solved, but slowly
 Trust is the critical issue for deployment of federated identity
- Federated ID networks have a strong need for trust assurance standards: How robust are the identity verification procedures? How strong is this shared identity? How secure is the infrastructure?
 Common business rules are needed for federated identity to scale
- N² bilateral trust relationships is not a scalable business process
- Common business rules are needed to define: trust assurance and credential strength; roles and responsibilities of IDPs and relying parties; liabilities associated with use of 3rd-party credentials; business relationship costs; privacy requirements for handling Personally Identifiable Information (PII)
 The Federal e-Authentication Initiative will provide a trust framework to integrate policy, technology and business relationships across disparate and independent identity systems

12 Multiple Authentication Assurance Levels to meet multiple risk levels
(Chart: Increased Need for Identity Assurance and Increased $ Cost both rise from left to right.)
Assurance level labels shown: Low, Standard, Medium, Very High
Example transactions, lowest to highest risk: Surfing the Internet; Access to Protected Website; Applying for a Loan Online; Obtaining Govt. Benefits; Employee Screening for a High Risk Job
Credential types, weakest to strongest: Click-wrap; Knowledge-Based; PIN/Password; PKI/Digital Signature; Multi-Factor Token

13 e-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice 12/16/03)
2. Establish standard methodology for e-Authentication risk assessment (ERA) (2/04)
3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance 6/04)
4. Establish methodology for evaluating credentials/providers on assurance criteria (FBCA & Credential Assessment Framework 11/03)
5. Assess CSPs and maintain trust list of trusted CSPs for govt-wide (and private sector) use (2/04)
6. Establish common business rules for use of trusted 3rd-party credentials (11/04)
7. Test products and implementations for interoperability (2/04)
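The trust model above, combined with the three-step hand-off flow of slide 9, puts a concrete burden on the agency application at step 3: it must accept a hand-off only from a credential service provider on the govt-wide trust list, approved at an assurance level at least as high as the application's own risk assessment requires, and only for an assertion that is fresh, addressed to it, unmodified and not replayed. The following Python is an added example of those relying-party checks, not code from the e-Authentication program. The trust list, the application risk levels, the CSP and application URLs and the user names are hypothetical; the assertion is shaped like a SAML 1.x assertion but is constructed for the scenario, and an HMAC over the assertion with a per-CSP key stands in for the XML-DSig signature a real deployment would verify.

```python
"""Relying-party checks on a credential service provider (CSP) hand-off,
following the e-Authentication trust model: accept only CSPs on the
govt-wide trust list, at an assurance level sufficient for the application.
Added example; not e-Authentication program code. Standard library only."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace
NS = {"saml": SAML1}

# Hypothetical trust list: assessed CSPs and the OMB M-04-04 assurance level
# (1..4) each was approved at. The per-CSP key is a stand-in for the CSP's
# signing certificate; a real deployment verifies the XML-DSig signature.
TRUST_LIST = {
    "https://csp.bank.example": {"level": 2, "key": b"bank-csp-stand-in-key"},
    "https://csp.agencypki.example": {"level": 3, "key": b"agency-csp-stand-in-key"},
}
# Hypothetical outcome of each application's e-RA risk assessment.
APP_REQUIRED_LEVEL = {
    "https://recreation.agency.example": 1,
    "https://benefits.agency.example": 3,
}

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def issue_assertion(issuer, audience, subject, issued_at, key=None,
                    lifetime=timedelta(minutes=5)):
    """CSP side (step 3): build a minimal SAML 1.x-shaped assertion for the
    constructed scenario and MAC it with the CSP's stand-in key."""
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML1}" AssertionID="{secrets.token_hex(8)}" '
        f'Issuer="{issuer}" IssueInstant="{_ts(issued_at)}">'
        f'<saml:Conditions NotBefore="{_ts(issued_at)}" '
        f'NotOnOrAfter="{_ts(issued_at + lifetime)}">'
        f'<saml:AudienceRestrictionCondition><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestrictionCondition></saml:Conditions>'
        f'<saml:AuthenticationStatement AuthenticationInstant="{_ts(issued_at)}" '
        f'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
        f'<saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>'
        f'</saml:AuthenticationStatement></saml:Assertion>'
    )
    key = key or TRUST_LIST[issuer]["key"]
    return xml, hmac.new(key, xml.encode(), hashlib.sha256).hexdigest()

def validate_handoff(xml, mac_hex, app, now, seen_ids):
    """Agency application side: every federation check must pass before the
    user is accepted. Returns (accepted, subject_or_reason)."""
    root = ET.fromstring(xml)
    entry = TRUST_LIST.get(root.get("Issuer"))
    if entry is None:
        return False, "issuer not on the trust list"
    expected = hmac.new(entry["key"], xml.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac_hex):  # constant-time compare
        return False, "integrity check failed"
    required = APP_REQUIRED_LEVEL[app]
    if entry["level"] < required:
        return False, f"CSP approved at level {entry['level']}, application requires {required}"
    cond = root.find("saml:Conditions", NS)
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    audiences = {a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if app not in audiences:
        return False, "assertion not addressed to this application"
    assertion_id = root.get("AssertionID")
    if assertion_id in seen_ids:  # browser-profile assertions are one-time use
        return False, "assertion already used (replay)"
    seen_ids.add(assertion_id)
    return True, root.find(".//saml:NameIdentifier", NS).text

def run_scenarios():
    """Constructed scenarios; returns {name: (accepted, subject_or_reason)}."""
    now = datetime(2005, 2, 7, 15, 0, tzinfo=timezone.utc)
    rec, ben = "https://recreation.agency.example", "https://benefits.agency.example"
    seen, results = set(), {}
    xml, mac = issue_assertion("https://csp.bank.example", rec, "user-42", now)
    results["level2 csp -> level1 app"] = validate_handoff(xml, mac, rec, now, seen)
    results["same assertion replayed"] = validate_handoff(xml, mac, rec, now, seen)
    xml, mac = issue_assertion("https://csp.bank.example", ben, "user-42", now)
    results["level2 csp -> level3 app"] = validate_handoff(xml, mac, ben, now, seen)
    xml, mac = issue_assertion("https://csp.agencypki.example", ben, "emp-7", now)
    results["level3 csp -> level3 app"] = validate_handoff(xml, mac, ben, now, seen)
    results["expired"] = validate_handoff(xml, mac, ben, now + timedelta(minutes=10), set())
    results["tampered subject"] = validate_handoff(xml.replace("emp-7", "emp-1"), mac, ben, now, set())
    xml, mac = issue_assertion("https://csp.unknown.example", rec, "x", now, key=b"not-assessed")
    results["csp not on trust list"] = validate_handoff(xml, mac, rec, now, set())
    return results

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The order of the checks matters: the issuer lookup and integrity check come first so that nothing inside an untrusted or altered assertion (including its claimed assurance level or audience) is ever interpreted. The level comparison is the part the trust model adds to ordinary SAML processing: a level-2 CSP is a perfectly valid issuer for the recreation application but is refused by the benefits application, which its risk assessment placed at level 3.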

14 Federal Interoperability Lab
 Tests interoperability of products for participation in the e-Authentication architecture
- Conformance testing against the Federal e-Authentication Interface Specification
- Interoperability testing among all approved products
 Currently 10 SAML 1.0 products are on the Approved Product List. See http://cio.gov/eauthentication
 The Federal e-Authentication Program will adopt additional schemes: SAML 2.0, Liberty Alliance, Shibboleth
 A Protocol Translator is required for the technical architecture
 Multiple-protocol interoperability testing will be very complex
 The Federal Government will operate the Interoperability Lab until protocol/product convergence or an industry test lab is in place
 The approved products list is publicly available

15 The Approach to a U.S. Federal PKI
 Agencies implement their own PKIs
 Create a Federal Bridge CA using COTS products to bind Agency PKIs together
 Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge CA
 Ensure directory compatibility
 Use ACES for transactions with the public

16 A Snapshot of the U.S. Federal PKI
Federal Bridge CA, linked in the diagram to: NFC PKI, NASA PKI, DOD PKI, Illinois PKI, CANADA PKI, ACES PKI, Treasury PKI, DOL PKI, Wells Fargo Bank, State Dept PKI, Higher Education Bridge CA
Higher Education Bridge CA, linked to: University PKIs (three shown)
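What the bridge buys a relying party is visible once you follow a certificate chain across it: an agency keeps its own CA as its only trust anchor, cross-certifies once with the Federal Bridge CA, and can then build a path to a credential issued under any other member PKI, including one that is itself reached through the Higher Education Bridge CA. The Python below is an added example, not Federal PKI code, of that path discovery with policy mapping carried along the path. The certificate store mirrors the slide's topology, but the certificates are plain records: signature and revocation checking, which real X.509 path validation also performs, are out of scope, and every policy identifier ("fbca:medium" and the like) and end-entity name is hypothetical.

```python
"""Certification path discovery across a bridge CA, modelled on the Federal
Bridge CA topology above: each PKI cross-certifies once with the bridge, and a
relying party whose single trust anchor is its own agency CA can still reach
certificates issued by any other member PKI. Added example, not Federal PKI
code. Certificates are plain records; signature and revocation checking,
which real X.509 path validation also does, are out of scope. All policy
identifiers and end-entity names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class Cert:
    issuer: str
    subject: str
    policies: FrozenSet[str]                 # policies asserted, in the issuer's domain
    mappings: Dict[str, str] = field(default_factory=dict)  # issuer policy -> subject policy
    ca: bool = True


def cross_pair(a, b, a_policy, b_policy):
    """Bilateral cross-certification: each CA certifies the other and maps its
    own policy identifier to the peer's equivalent."""
    return [Cert(a, b, frozenset([a_policy]), {a_policy: b_policy}),
            Cert(b, a, frozenset([b_policy]), {b_policy: a_policy})]


# Constructed certificate store following the slide's diagram.
STORE: List[Cert] = []
for pki, pol in [("Treasury PKI", "treasury:medium"), ("DOD PKI", "dod:medium"),
                 ("Illinois PKI", "illinois:medium"),
                 ("Higher Education Bridge CA", "hebca:medium")]:
    STORE += cross_pair("Federal Bridge CA", pki, "fbca:medium", pol)
STORE += cross_pair("Higher Education Bridge CA", "University PKI", "hebca:medium", "univ:medium")
STORE += [  # end-entity certificates (constructed)
    Cert("DOD PKI", "cn=jane.doe@dod.example", frozenset(["dod:medium"]), ca=False),
    Cert("University PKI", "cn=prof.smith@univ.example", frozenset(["univ:medium"]), ca=False),
    Cert("Illinois PKI", "cn=clerk@illinois.example", frozenset(["illinois:basic"]), ca=False),
]


def find_path(trust_anchor, initial_policies, target_subject, max_len=6):
    """Depth-first path discovery from the relying party's trust anchor to the
    target's certificate, carrying the accepted policy set through each
    cross-certificate's policy mappings (a simplified form of RFC 5280 policy
    processing). Returns (path, surviving_policies), or (None, frozenset())
    if no acceptable path exists."""
    def walk(current_ca, policies, path):
        for cert in STORE:
            if cert.issuer != current_ca:
                continue
            valid = policies & cert.policies
            if not valid:
                continue  # certified, but not under a policy the RP accepts
            if not cert.ca:
                if cert.subject == target_subject:
                    return path + [cert], valid
                continue
            if (cert.subject == trust_anchor or any(c.subject == cert.subject for c in path)
                    or len(path) >= max_len):
                continue  # loop back across the bridge, or path too long
            mapped = frozenset(cert.mappings.get(p, p) for p in valid)
            found = walk(cert.subject, mapped, path + [cert])
            if found[0] is not None:
                return found
        return None, frozenset()
    return walk(trust_anchor, frozenset(initial_policies), [])


def cross_certs_needed(n_pkis, bridge):
    """Relationships to maintain: every pair directly, or one per PKI via the bridge."""
    return n_pkis if bridge else n_pkis * (n_pkis - 1) // 2


if __name__ == "__main__":
    for target in ["cn=jane.doe@dod.example", "cn=prof.smith@univ.example",
                   "cn=clerk@illinois.example"]:
        path, pols = find_path("Treasury PKI", ["treasury:medium"], target)
        chain = " -> ".join(["Treasury PKI"] + [c.subject for c in path]) if path else "no acceptable path"
        print(f"{target}: {chain} {sorted(pols)}")
    print("pairwise cross-certs for 12 PKIs:", cross_certs_needed(12, bridge=False),
          "| via bridge:", cross_certs_needed(12, bridge=True))
```

Two things to notice when running it from the Treasury PKI anchor. The university credential is reached through two bridges (Federal Bridge CA, then Higher Education Bridge CA) with the policy identifier re-mapped at each hop, so the relying party never has to know the university's own policy names. The Illinois clerk is rejected even though a path to Illinois PKI exists: the cross-certificate only recognises "illinois:medium" as equivalent to "fbca:medium", and the clerk's certificate was issued under "illinois:basic", which is exactly how the bridge keeps assurance levels from being silently upgraded in transit.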

17 The Need for the Electronic Authentication Partnership
Participants in the diagram: Federal Government, State/Local Governments, Industry, Commercial Trust Assurance Services; IDPs and RPs
Interoperability for:
 Policy: Authentication Assurance levels, Credential Profiles, Accreditation, Business Rules, Privacy Principles
 Technology: Adopted schemes, Common specs, User Interfaces, APIs, Interoperable COTS products, Authz support
Policy, Technical, & Business Interoperability; Common Business and Operating Rules
http://www.eapartnership.org/

18 What is the EAP
 Multi-industry partnership creating a framework for interoperable authentication
 Plans to establish itself as a member-supported organization, and complete the framework in early 2005
Goals
 Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
 Eliminate or at least reduce the need for organizations to establish bilateral agreements
- Organizations would operate under a common EAP rule set, resulting in multilateral trust
- In practice this means a federated approach

19 What the EAP is doing now for ID Federation
Current State of Industry: Bilateral Pairs (one IDP paired with one SP/RP)
 Bilateral Agreements
 Pair-wise Trust Model
 Pair-wise Interface Spec and Products
EAP Objective: Multi-Party, Interoperable Federation (many IDPs and SP/RPs)
 Common Business Rules/Agreements
 Common Trust Model
 Common Interface Specification
 Interoperable Products

20 What the EAP envisions for ID Federation
EAP Vision: Multiple, Interoperable Federations (Federation 1, Federation 2, Federation 3, each with its own IDPs and SP/RPs) operating under the EAP:
 Common Business Rules/Agreements
 Common Trust Models
 Common Basic Interface Specifications
 Interoperable Products

21 Homeland Security Presidential Directive/HSPD-12 (FIPS 201 Personal Identity Verification Standard)
Subject: Policy for a Common Identification Standard for Federal Employees and Contractors
(1) Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).
(2) To implement the policy set forth in paragraph (1), the Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard") not later than 6 months after the date of this directive in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the Director of the Office of Science and Technology Policy. The Secretary of Commerce shall periodically review the Standard and update the Standard as appropriate in consultation with the affected agencies.

22 Homeland Security Presidential Directive/HSPD-12 (continued)
(3) "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).
(4) Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard. As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.

23 Federal Personal Identification Verification Standard

24 For More Information
David Temoshok
Phone: 202-208-7655
E-mail: david.temoshok@gsa.gov
Websites:
http://cio.gov/eauthentication
http://www.eapartnership.org/
http://cio.gov/fpkipa
http://cio.gov/ficc

