
Federal e-Authentication Initiative: Federated Identity and Interoperability David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide.




1 Federal e-Authentication Initiative: Federated Identity and Interoperability. David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy. The E-Authentication Initiative, August 20, 2004

2 President's Management Agenda
1st Priority: Make Government citizen-centered.
5 Key Government-wide Initiatives:
- Strategic Management of Human Capital
- Competitive Sourcing
- Improved Financial Performance
- Expanded Electronic Government
- Budget and Performance Integration

3 PMC E-Gov Agenda (lead agencies as listed on the slide)
Government to Government (leads: SSA, HHS, FEMA, DOI, FEMA): 1. e-Vital (business case); 2. Grants.gov; 3. Disaster Assistance and Crisis Response; 4. Geospatial Information One Stop; 5. Wireless Networks
Internal Effectiveness and Efficiency (leads: OPM, GSA, NARA): 1. e-Training; 2. Recruitment One Stop; 3. Enterprise HR Integration; 4. e-Travel; 5. e-Clearance; 6. e-Payroll; 7. Integrated Acquisition; 8. e-Records Management
Government to Business (leads: GSA, EPA, Treasury, HHS, SBA, DOC): 1. Federal Asset Sales; 2. Online Rulemaking Management; 3. Simplified and Unified Tax and Wage Reporting; 4. Consolidated Health Informatics (business case); 5. Business Gateway; 6. Int'l Trade Process Streamlining
Government to Citizen (leads: GSA, Treasury, DoEd, DOI, Labor): 1. USA Service; 2. EZ Tax Filing; 3. Online Access for Loans; 4. Recreation One Stop; 5. Eligibility Assistance Online
Cross-cutting Infrastructure: eAuthentication (lead: GSA)

4 The Starting Place for e-Authentication: Key Policy Points
For Governmentwide deployment:
- No National ID.
- No National unique identifier.
- No central registry of personal information, attributes, or authorization privileges.
- Different authentication assurance levels are needed for different types of transactions.
And for the e-Authentication technical approach:
- No single proprietary solution
- Deploy multiple COTS products -- user's choice
- Products must interoperate together
- Controls must protect privacy of personal information.

5 Definitions
- Identity Authentication: the process of establishing confidence in the claimed identity of users electronically presented to an information system.
- Authorization: identifying a person's user permissions to determine what he/she is allowed to do.
- Attribute: a distinct characteristic of a user. Attributes describe a property associated with the user (e.g., age, height, eye color, religion, occupation, organizational role).

6 The E-Authentication Service Concept
[Diagram: User, Access Point, Credential Service Provider, Agency Application; Steps 1-3]
Step 1: At the access point (portal, agency Web site or credential service provider) the user selects the agency application and credential provider.
Step 2: The user is redirected to the selected credential service provider. If the user already possesses a credential, the user authenticates; if not, the user acquires a credential and then authenticates.
Step 3: The credential service hands off the authenticated user to the agency application she selected at the access point.

7 Central Issue with Federated Identity – Who do you Trust?
[Diagram of candidate trust communities:]
- Governments: Federal; States/Local; International
- Higher Education: Universities; Higher Education PKI Bridge
- Healthcare: American Medical Association; Patient Safety Institute
- Travel Industry: Airlines; Hotels; Car Rental; Trusted Traveler Programs
- E-Commerce Industry: ISPs; Internet Accounts; Credit Bureaus; eBay Trust Network
- Financial Services Industry: Home Banking; Credit/Debit Cards
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.

8 The Need for Federated Identity Trust and Business Models
- Technical issues for sharing identities are being solved, but slowly.
- Trust is the critical issue for deployment of federated identity. Federated ID networks have a strong need for trust assurance standards: How robust are the identity verification procedures? How strong is this shared identity? How secure is the infrastructure?
- Common business rules are needed for federated identity to scale. N^2 bilateral trust relationships is not a scalable business process. Common business rules are needed to define: trust assurance and credential strength; roles and responsibilities of IDPs and relying parties; liabilities associated with use of 3rd-party credentials; business relationship costs; privacy requirements for handling Personally Identifiable Information (PII).
- The Federal e-Authentication Initiative will provide a trust framework to integrate policy, technology and business relationships across disparate and independent identity systems.

9 Multiple Authentication Assurance Levels to meet multiple risk levels
[Chart: increased need for identity assurance plotted against increased $ cost; labels recoverable from the slide, in the order shown:]
- Assurance levels: Very High; Medium; Standard; Low
- Example transactions: Employee Screening for a High Risk Job; Obtaining Govt. Benefits; Applying for a Loan; Online Access to Protected Website; Surfing the Internet
- Authentication technologies: Multi-factor Token; PKI/Digital Signature; PIN/Password-based; Knowledge-based; Click-wrap

10 Authentication Assurance Levels
M-04-04, E-Authentication Guidance for Federal Agencies, establishes 4 authentication assurance levels. NIST SP 800-63, Electronic Authentication, is the NIST technical guidance to match technology implementation to a level.
- Level 1: Little or no confidence in asserted identity (e.g. self-identified user/password)
- Level 2: Some confidence in asserted identity (e.g. PIN/Password)
- Level 3: High confidence in asserted identity (e.g. digital cert)
- Level 4: Very high confidence in the asserted identity (e.g. Smart Card)

11 e-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels for Governmentwide use (OMB M-04-04 Federal Policy Notice 12/16/03)
2. Establish standard methodology for e-Authentication risk assessment (ERA)
3. Establish technical assurance standards for e-credentials and credential providers (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (Credential Assessment Framework)
5. Establish trust list of trusted credential providers for govt-wide (and private sector) use
6. Establish common business rules for use of trusted 3rd-party credentials

12 e-Authentication Trust and Interoperability
The e-Authentication Initiative acts as Trust Broker to provide Trust Assurance services for Fed Agencies:
- Manages relations among Agency Applications (relying parties) and Credential Service Providers (issuers)
- Administers Authentication Policy Framework
- Establishes and administers common business rules for the relationships among the parties
- Administers common interface specs
- Performs credential assessments
- Authorizes CSPs on trust list according to standardized assurance levels
- Provides C&A and regular audit and ensures compliance
[Diagram: Trust Broker between IDPs and AAs; Common Policies & Business Rules; Common Interface Specs; Policy, Technical, & Business Interoperability]

13 e-Authentication Technical Interfaces – Base Case
[Diagram: Users, Portal, CS (credential service), AAs, ECPs, AuthZ; portal cookie and CS cookie]
Step #1: User goes to Portal to select the AA and CS.
Step #2: The user is redirected to the selected CS with an AA identifier. The portal also cookies the user with their selected CS.
Step #3: The CS authenticates the user and hands them off to the selected AA with their identity information. The CS also cookies the user as Authenticated.
Data/Information Flows:
Step #1: No PII is presented to the portal, no transaction data is recorded, no system of records is maintained.
Step #2: For Federal CSPs, no new PII is created. Users simply sign on using previously established processes with the CSP (PIN, Password). PINs and passwords are expressed only to the CSP, not to the e-Auth Portal or AA.
Step #3: For Assurance levels 1 and 2, the CSP will need to provide users' common name + assurance level (at a minimum) to the AA. PII is protected in transmission through SOAP/SSL.
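The three-step base case above, as an added worked example that is not code from the presentation or the e-Authentication program: a toy Python model in which the portal handles no PII, only the credential service (CS) checks the PIN, and the agency application (AA) accepts the handoff solely from a trust-listed CS at a sufficient assurance level. The trust-list entries, required levels and assertion layout are assumptions; the real interface used SAML 1.0, which this model does not implement.

```python
# Added illustration of the e-Authentication base case (portal -> credential
# service (CS) -> agency application (AA)); not code from the presentation. The
# trust list, required levels and assertion layout are assumptions (not SAML).
from dataclasses import dataclass
from typing import Optional

# Constructed trust list: assessed CSPs and their max authorized M-04-04 level (1-4).
TRUST_LIST = {"fed-csp-a": 2, "bank-csp-b": 3, "self-reg-csp": 1}
# Constructed AAs with the level their e-Authentication risk assessment demands.
AA_REQUIRED_LEVEL = {"public-forum": 1, "benefits-app": 2, "loan-app": 3}
@dataclass
class Assertion:          # handoff from CS to AA: common name + level, never the PIN
    csp: str
    common_name: str
    assurance_level: int
    aa_id: str            # the AA the user selected at the portal

def portal_redirect(cookies: dict, aa_id: str, csp: str) -> dict:
    """Steps 1-2: the portal cookies the chosen CS and forwards only the AA
    identifier; no PIN/password or other PII ever reaches the portal."""
    if csp not in TRUST_LIST:
        raise ValueError(f"{csp} is not on the trust list")
    cookies["selected_cs"] = csp
    return {"aa_id": aa_id, "csp": csp}

def csp_authenticate(cookies: dict, csp: str, aa_id: str, pin_ok: bool,
                     name: str) -> Optional[Assertion]:
    """Step 3, CS side: the credential check happens only here; on success the
    CS sets its 'authenticated' cookie and asserts name + its assessed level."""
    if not pin_ok:
        return None
    cookies["authenticated"] = csp
    return Assertion(csp, name, TRUST_LIST[csp], aa_id)

def aa_accept(assertion: Optional[Assertion], aa_id: str) -> bool:
    """Step 3, AA side: accept only if the issuer is on the trust list, the
    assertion names this AA, and the level meets the AA's requirement."""
    if assertion is None or assertion.aa_id != aa_id:
        return False
    authorized = TRUST_LIST.get(assertion.csp)
    if authorized is None or assertion.assurance_level > authorized:
        return False  # unknown issuer, or a level above what it was assessed for
    return assertion.assurance_level >= AA_REQUIRED_LEVEL[aa_id]

def run_base_case(aa_id: str, csp: str, pin_ok: bool = True) -> tuple:
    cookies = {}  # simulates the user's browser cookie jar
    hop = portal_redirect(cookies, aa_id, csp)
    assertion = csp_authenticate(cookies, hop["csp"], hop["aa_id"], pin_ok, "Jane Q. Public")
    return aa_accept(assertion, aa_id), cookies
```

Note that the AA caps the asserted level at what the trust list authorizes for that CS, so a level-1 provider cannot be used to reach a level-2 or level-3 application even if its assertion claims more.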

14 The Challenge - Interoperability Across Similar Products
[Diagram: Trust Broker with IDPs, RPs and IDP/RPs running Products 1-7 (multiple SAML 1.0 products), bound by a Common Interface Spec and Common Policies & Business Rules; Policy, Technical, & Business Interoperability]
Technical interoperability can be assured only through testing that all products deployed in the Federation can interoperate.

15 Bigger Challenge - Interoperability Across Protocols
[Diagram: Trust Broker with IDPs, RPs and IDP/RPs running SAML 1.0, SAML 1.1 and Liberty Alliance (LA) SAML products, joined through a Protocol Translator; Multiple Interface Specs; Common Policies & Business Rules]
Interoperability testing becomes much more complex when multiple products and protocols are deployed across entities participating in the Federation(s).

16 Federal Interoperability Lab
- Tests interoperability of products for participation in the e-Authentication architecture: conformance testing to the Fed e-Authentication Interface Specification; interoperability testing among all approved products
- Currently 5 SAML 1.0 products on the Approved Product List. See URL: http://cio.gov/eauthentication
- Federal e-Authentication Program will adopt additional schemes: SAML 1.1, SAML 2.0; Liberty Alliance; Shibboleth
- Protocol Translator is required for the technical architecture
- Multiple protocol interoperability testing will be very complex
- Federal Government will operate the Interoperability lab until protocol/product convergence or an industry test lab is in place
- Approved products list is publicly available.

17 The Need for the Electronic Authentication Partnership
[Diagram: Federal Government, State/Local Governments, Industry and Commercial Trust Assurance Services sharing Common Business and Operating Rules; IDP and RP; Policy, Technical, & Business Interoperability]
Interoperability for:
- Policy: Authentication Assurance levels; Credential Profiles; Accreditation; Business Rules; Privacy Principles
- Technology: Adopted schemes; Common specs; User Interfaces; APIs; Interoperable COTS products; Authz support
http://www.eapartnership.org/

18 For More Information
David Temoshok, Phone 202-208-7655, E-mail david.temoshok@gsa.gov
Websites: http://cio.gov/eauthentication, http://www.eapartnership.org/, http://cio.gov/fpkipa




