
Karyn Higa-Smith, DHS S&T Program Manager, Identity & Privacy; Anil John, JHU/APL Technical Lead, DHS S&T IdM Testbed. September 29, 2009, OASIS Identity Management 2009.


Slide 1: Title
Karyn Higa-Smith, DHS S&T Program Manager, Identity & Privacy
Anil John, JHU/APL Technical Lead, DHS S&T IdM Testbed
September 29, 2009, OASIS Identity Management 2009

Slide 2: Agenda
- Project Timeline
- Project Deliverables
- Project Guiding Principles
- Profile Information
  - Supported attribute exchange models
  - Metadata requirements
- COTS Vendor Support
- Next Steps

Slide 3: Project Timeline
- Meeting between DHS S&T and DoD DMDC to discuss IdM topics [Sept 2008]
- BAE PoC project kick-off [Oct 2008]
- Project team (DHS & DoD) teleconferences every two weeks
- Beta BAE reference implementations based on initial profile work [1Q09]
- Reference implementations & Profile v1.0 DRAFT [June 2009]
- Interoperability testing

Slide 4: What is a "Profile"?
- Profiles are not standards; they are built on top of existing standards
- Guidelines and tests for interoperability
- A set of named specifications at specific revision levels, together with a set of implementation and interoperability guidelines recommending how the specifications may be used to develop interoperable capabilities

Slide 5: What is a BAE? Backend Attribute Exchange (BAE)
Diagram labels: Agency A (User with PIV Card, Auth. Attribute Store 1, Agency A Attribute Broker) and Agency B (Resource (Web Site / Application), Auth. Attribute Store 2, Agency B Attribute Broker).
1. Agency A user needs access to or information from Agency B
2. User A is authenticated
3. Agency B needs "off-card" info to authorize User A to access the resource. It "asks" its own Attribute Authority B
4. Agency B and Agency A communicate to exchange user information about User A
5. (step text not captured in the transcript)
The BAE codifies, at the Federal level, the technical rules and protocols needed to exchange user information between Agency A and Agency B.

Slide 6: Project Deliverables
- SAML V2.0 deployment profiles for BAE, as well as informative information on lessons learned, implementation guidance and recommendations
- Proof-of-concept BAE reference implementations, using synthetic data, stood up within the T&E environments of both DHS S&T and DoD DMDC to facilitate interoperability testing
- Test suites to verify BAE profile compliance

Slide 7: Project Guiding Principles
- Don't reinvent the wheel! Leverage existing standards work (OASIS, W3C, etc.)
- Keep the deltas between existing standards and this work to the minimum, and unclassified!
- Awareness of agency-specific work (DOD JEDS, IC UAAS, etc.), but focus on the needs of the inter-agency community (with future extensions to support the non-Federal community)
- Allow for future alternate subject identifiers without impacting the protocol/security sections of the profile
- Allow for ease of implementation/leverage via multiple approaches and technologies
- Support conformance testing
- Engage with the COTS vendor community to encourage out-of-the-box support for the profile in products

Slide 8: SAML Subject Profile - Federal Agency Smart Credential Number (FASC-N)
The value of the element MUST be the character representation of the FASC-N. The FASC-N character representation MUST be 32 characters in length and will not include character representations of the start sentinel, end sentinel, field separators and the LRC. The character representation MUST be in the order shown in Fig 5 of the [PACS], excluding start and end sentinels, field separators and the LRC. Missing values MUST be filled with zeros if the value is unknown or not set.
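The following is an added example, not code from the presentation or the BAE project, showing how the 32-character representation above can be parsed, validated and assembled with zero-filled unknown fields. The field names and widths follow the FASC-N layout in the PACS technical guidance the slide cites; the sample value, the left-padding convention for short values and all identifiers are constructed for this example.

```python
# Added example (not from the presentation): parse and build the 32-character FASC-N
# character representation the slide describes. Field widths follow the FASC-N layout
# in the PACS Technical Implementation Guidance the slide cites; sentinels, field
# separators and the LRC are already stripped, as the profile requires.
FASCN_FIELDS = (
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1),
    ("person_identifier", 10), ("organizational_category", 1),
    ("organizational_identifier", 4), ("person_org_association", 1),
)
FASCN_LENGTH = sum(width for _, width in FASCN_FIELDS)  # 32
ORG_CATEGORY = {"1": "Federal Government Agency", "2": "State Government Agency",
                "3": "Commercial Enterprise", "4": "Foreign Government"}

def parse_fascn(value):
    """Split a FASC-N string into named fields, rejecting anything malformed."""
    if len(value) != FASCN_LENGTH:
        raise ValueError(f"FASC-N must be {FASCN_LENGTH} characters, got {len(value)}")
    # str.isdigit() also accepts non-ASCII digits, so check the ASCII range explicitly.
    if not all(ch in "0123456789" for ch in value):
        raise ValueError("FASC-N must contain ASCII digits only")
    fields, pos = {}, 0
    for name, width in FASCN_FIELDS:
        fields[name] = value[pos:pos + width]
        pos += width
    return fields

def build_fascn(**fields):
    """Assemble a FASC-N; unknown/unset fields are zero-filled as the profile requires.
    Assumption: a short value is left-padded with zeros to its field width."""
    unknown = set(fields) - {name for name, _ in FASCN_FIELDS}
    if unknown:
        raise ValueError(f"unknown FASC-N fields: {sorted(unknown)}")
    parts = []
    for name, width in FASCN_FIELDS:
        text = str(fields.get(name, "")).rjust(width, "0")
        if len(text) != width:
            raise ValueError(f"{name} exceeds {width} characters")
        parts.append(text)
    return "".join(parts)

def issuing_organization(value):
    """Return (OC, OI, OC meaning): the pair the BAE metadata uses to identify a broker."""
    f = parse_fascn(value)
    oc, oi = f["organizational_category"], f["organizational_identifier"]
    return oc, oi, ORG_CATEGORY.get(oc, "unassigned")

# Constructed sample value (not a real credential): agency 3201, system 0002, credential
# 000123, series 1, issue 1, PI 1234567890, OC 1, OI 3201, POA 1.
SAMPLE_FASCN = "32010002000123111234567890132011"
```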

Slide 9: BAE Profile Scope - Supported BAE Model 1 – Direct Attribute Exchange
Diagram labels: Dept A side: Org A-1 Attribute Authority, Org A-2 Attribute Authority, Attribute Requester System A, Dept A BAE Broker. Dept B side: Org B-1 Attribute Authority, Org B-2 Attribute Authority, Attribute Requester System B, Dept B BAE Broker. SSL between the brokers; communication within each department secured per Org policy.
SAML Metadata (all BAEs):
1. Org EntityID
2. Encryption/signing certificate
3. Supported profiles/attributes
4. Org BAE URL
BAE CA: issues X.509 certs to BAEs; issues EntityIDs to BAEs; CN of BAE cert = EntityID.
Metadata Service.

Slide 10: BAE Profile Scope - Supported BAE Model 2 – Brokered Attribute Exchange
Diagram labels: Dept A BAE Broker with Org A Attribute Authority; Dept B BAE Broker with Org B Attribute Authority; SSL between the brokers. Dept C BAE Svc with Org C AA and Attribute Requester System C; Dept D BAE Svc with Org D AA and Attribute Requester System D; communication secured per Org policy.
SAML Metadata (all BAEs):
1. Org EntityID
2. Encryption/signing certificate
3. Supported profiles/attributes
4. Org BAE URL
BAE CA: issues X.509 certs to BAEs; issues EntityIDs to BAEs; CN of BAE cert = EntityID.
Metadata Service.

Slide 11: Metadata (SAML v2) – The Source of All Good Things!
…
- Unique identifier of BAE Broker (OC & OI)
- Signing & encryption certificates
- URL of BAE Broker
- Supported subject identifier type(s)
- Digital signature (AuthN & integrity)

Slide 12: Metadata (SAML v2) – Cont'd
…
- Supported profile(s)
- Supported attributes
- Contact information
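As an added example (not code from the presentation or the BAE project), the check below walks a SAML v2 metadata EntityDescriptor for the items slides 9, 11 and 12 require of every BAE: entityID, signing and encryption certificates, the broker URL, supported subject identifier type(s), supported profile(s) and attributes, and contact information. The sample metadata, its URNs, hostnames and certificate placeholders are constructed; signature verification and the "CN of cert == entityID" comparison need an X.509/XML-DSig library and are assumed to happen elsewhere.

```python
# Added example (not from the presentation): check a SAML v2 metadata EntityDescriptor
# for the items the BAE slides list for every broker (entityID, signing/encryption certs,
# broker URL, subject identifier type, supported profile and attributes, contact info).
# Signature verification and the "CN of cert == entityID" check need an X.509/XML-DSig library.
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_bae_metadata(xml_text):
    """Return the required items missing from the metadata (an empty list means complete)."""
    root = ET.fromstring(xml_text)
    missing = []
    if not root.get("entityID"):
        missing.append("entityID")
    aa = root.find("md:AttributeAuthorityDescriptor", NS)
    if aa is None:
        return missing + ["AttributeAuthorityDescriptor"]
    for use in ("signing", "encryption"):
        path = f"md:KeyDescriptor[@use='{use}']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        if not any((c.text or "").strip() for c in aa.findall(path, NS)):
            missing.append(f"{use} certificate")
    svc = aa.find("md:AttributeService", NS)
    if svc is None or not (svc.get("Location") or "").startswith("https://"):
        missing.append("AttributeService Location over https (brokers talk SSL per the slides)")
    if aa.find("md:NameIDFormat", NS) is None:
        missing.append("NameIDFormat (supported subject identifier type)")
    if aa.find("md:AttributeProfile", NS) is None:
        missing.append("AttributeProfile (supported profile)")
    if not aa.findall("saml:Attribute", NS):
        missing.append("supported Attribute list")
    if root.find("md:ContactPerson", NS) is None:
        missing.append("ContactPerson")
    return missing

# Constructed sample: minimal broker metadata with placeholder values (not a real deployment).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  entityID="urn:example:bae:dept-a">
 <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_SIGNING_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_ENCRYPTION_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://bae.dept-a.example/attr"/>
  <md:NameIDFormat>urn:example:nameid:fasc-n</md:NameIDFormat>
  <md:AttributeProfile>urn:example:bae:profile:1.0</md:AttributeProfile>
  <saml:Attribute Name="urn:example:attr:agencyAffiliation"/>
 </md:AttributeAuthorityDescriptor>
 <md:ContactPerson contactType="technical"><md:EmailAddress>bae-admin@dept-a.example</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""
```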

Slide 13: COTS Vendor Support - To Date
- Web Services/SOA/XML Security
  - Layer 7 - http://www.layer7tech.com (POC: Adam Vincent, Public Sector CTO)
  - Vordel - http://www.vordel.com (POC: Mark O'Neill, CTO)
- Entitlement/Privilege Management (PDPs)
  - BiTKOO - http://www.bitkoo.com (POC: Doron Grinstein, CEO)
- Federation
  - Covisint - http://www.covisint.com (POC: Roger Lambert)
- Ongoing discussions with others…

Slide 14: Next Steps
The Federal CIO Council ICAMSC Federation Interoperability Working Group is currently working the following open issues:
- BAE CA & entityID assignment process
  - Recommendation: BAE certificate generation and entityID assignment managed by the same entity
  - Recommendation: CN of signing/encryption cert == entityID
- Metadata distribution and management
  - Centralized
  - Distributed
- Federation agreement for BAE participants

Slide 15: Points of Contact & Project Team
DHS: Karyn Higa-Smith, DHS S&T (Karyn.Higa-Smith@dhs.gov); Deborah Gallagher, DHS OCIO; Lauren Davis; Anil John; Christopher Obremski; Thomas Smith; Maria Vachino; Chi Wu
DOD: Lynne Prince, DOD DMDC (Lynne.Prince@osd.pentagon.mil); Darroll Love; Larry Fobian; Abhijit Jadeja; Joseph Pini
