TRANSCRIPT
Federal CIO Council, Information Security and Identity Management Committee
IDManagement.gov
Externalizing Authentication
Federal ICAM Day
June 18, 2013
Panel Participants
Phil Wenger, OMB
Douglas Glair, USPS
Anil John, GSA (Moderator)
Align Collaborate Enable
http://www.IDManagement.gov
Phil Wenger, OMB
Externalizing Authentication using MAX Authentication as a Service (AaaS)
Phil Wenger, OMB
June 2013
ICAM Information Sharing Day and Vendor Expo
Key Takeaways
• Understand the MAX Ecosystem
• Understand how Agencies can externalize authentication using MAX’s Shared Credentialing, Provisioning, Authentication, and Authorization Services
MAX.gov - A Complete Cloud Services Platform
• Identity Management & SSO
• Collaboration
• Analytics
• Data Collections & Surveys
• Web Meetings
• Remote Desktops for Telework
• Federated Search
• Wiki & Web Content
• Document Management
• Social Networking & Publishing
• Government-wide Directory
Enabling the “Shared First” and “Cloud First” eGov Policies
MAX AaaS provides Government-wide ID
(Diagram of the user populations served, from the centre outwards:)
• Intra-agency and inter-agency (Government-to-Government): the policymaking, management and budget class of activities; available for use by agencies for both cross-government and intra-agency activities
• State, Local, International, and Non-Governmental Partners: user accounts available for interactions with non-governmental partners in secure enclaves
• The Public, plus state, local, international, and non-governmental partner users
What MAX AaaS Provides to Agencies
Immediate Government-wide Identity
• Allow citizen access to agency websites using NSTIC or anonymous logins while enforcing admin access via MAX ID
• Use government-wide organic and organizational MAX groups for role-based access control and fine-grained permissions
Rapid HSPD-12, DOD CAC PIV Implementation
• Use MAX PIV validation service to meet eGov policies (OMB M-11-11, M-10-28)
• Use MAX PIV to SAML gateway service to map 2-factor identity to agency logins or MAX ID
Federation and Multi-Agency Single Sign-on
• Federate MAX Authentication with your Agency’s Active Directory
• Federate MAX Authentication with SAML 2.0 Single Sign-on (SSO)
MAX AaaS Solution Benefits
• Instant Deployment: cloud based, C&A’d, FIPS 199 FISMA Moderate, mission-critical use
• Low Total Cost of Ownership: no new software to build or license
• Self-service delegated administration: eases management burden
• Dual authentication: augments existing identities
• Government-wide Directory: automatically maintained
MAX AaaS - Scope
• Auto Registration for .gov, .mil and other domains
• 85,000+ users
• 6,000+ user groups
• Thousands of HSPD-12 users from 90+ agencies
• Federal, State, Local, International, and Non-government partner users
MAX AaaS – Multiple Login Methods
Web Services that support HSPD-12 and the ICAM SAML 2.0 Web Browser SSO Profile (http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf)
• PIV validation and mapping service: full path building, validation, revocation checking; identity data extraction and normalization; can be mapped to your agency ID
• Federate your agency Active Directory or SAML 2.0 instances
• Choose between single-factor, dual-factor, or federated login
How Agencies have Externalized Authentication using MAX AaaS Today
(Diagram: MAX ID at the centre, serving MAX Apps, eGov Apps, Other Apps and Agency Apps. Applications shown include IT Dashboard, Data.Gov, Performance.Gov, DOJ CyberScope, BFEM, MAX A-11, Apportionment, Adobe Connect online meetings, WordPress, Drupal and Active Directory.)
BFELoB Organization and Contacts:
Executive Sponsor: Courtney Timberlake, Assistant Dir. for Budget, OMB
Managing Partner: Tom Skelly, Director of Budget Service, Education
Policy Lead: Andy Schoenbach, Chief, Budget Systems Branch, OMB
Deputy Policy Lead: Phil Wenger, Budget Systems Branch, OMB
Program Management Office Lead: Mark Dronfield, Education
MAX Authentication Lead: Barry Napear, Budget Systems Branch, OMB
MAX Architect: Shahid Shah, Budget Systems Branch (CTR), OMB
Learn More about the Budget LoB: www.BudgetLoB.gov
Visit MAX.gov: www.max.gov
Contact the Budget LoB: [email protected]
Contact MAX Support: 202 395-6860
MAX Authentication as a Service (AaaS)
Sponsored by the Budget Formulation and Execution Line of Business (BFELoB)
BACKGROUND SLIDES
MAX AaaS: Full featured identity services
• Self-Service Provisioning: common identity, profile, and directory; self service registration and account management; auto-provisioning for .gov, .mil, etc.; identity assurance for Levels 2 and 3
• Multi-factor Authentication: single factor (user/password); multi factor (PIV/PIV-I/CAC); federated (SAML2, ADFS); machine-to-machine (M2M)
• Delegated Authorization: group management; role management; delegated administration; SAML
Self Service User Provisioning Process
1. Agency user and his/her management define the need to access MAX (employee, contractor, partner)
2. User self registers online at the MAX portal, https://max.gov
3. User accepts the MAX User Agreement
4. Email confirmation sent to user; MAX validates the user’s email address
5. MAX checks sponsor requirement for outside users
Less than 5 minutes to get an account for “trusted domains”
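The “trusted domains” rule in the provisioning process above is the check an attacker probes first: can a lookalike or malformed address be auto-provisioned, and can an outside user name an outside sponsor? The following is an added example, not MAX.gov’s own code, of one way to implement that decision. The trusted TLD set, the sponsor rule, the regexes and every sample address are assumptions chosen for illustration.

```python
"""Self-service registration policy for a MAX-style identity service.

Added example, not MAX.gov code.  Assumed policy, modelled on the slides:
  * an address in a trusted domain (.gov and .mil here) is auto-provisioned
    once the user confirms the address;
  * any other address needs a sponsor, and the sponsor must hold a
    trusted-domain address;
  * anything that is not exactly one well-formed address is rejected.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed trusted top-level domains ("Auto Registration for .gov, .mil").
TRUSTED_TLDS = frozenset({"gov", "mil"})

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing
# hyphen.  Non-ASCII (IDN) labels deliberately fail and count as outside.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# Conservative local part (RFC 5322 atext plus dots), no quoting or spaces,
# so display-name forms such as "Bob <bob@example.gov>" are rejected.
_LOCAL = re.compile(r"[a-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}")


@dataclass(frozen=True)
class Decision:
    outcome: str            # "auto", "sponsor" or "reject"
    domain: Optional[str]
    reason: str


def parse_address(raw: str) -> Tuple[Optional[str], Optional[str]]:
    """Split one e-mail address into (local, domain), lower-cased.

    Returns (None, None) for anything that is not exactly one address with a
    syntactically valid multi-label domain.
    """
    text = raw.strip().lower()
    if text.count("@") != 1:
        return None, None
    local, domain = text.split("@")
    if not _LOCAL.fullmatch(local) or len(domain) > 253:
        return None, None
    labels = domain.split(".")
    # Empty labels also catch "example.gov." and "example..gov".
    if len(labels) < 2 or not all(_LABEL.fullmatch(lab) for lab in labels):
        return None, None
    return local, domain


def is_trusted_domain(domain: str) -> bool:
    """Match on the last label only: 'example.gov.evil.com' is NOT trusted."""
    return domain.rsplit(".", 1)[-1] in TRUSTED_TLDS


def registration_decision(address: str, sponsor: Optional[str] = None) -> Decision:
    local, domain = parse_address(address)
    if local is None:
        return Decision("reject", None, "malformed or multiple addresses")
    if is_trusted_domain(domain):
        return Decision("auto", domain, "trusted domain; auto-provision after e-mail confirmation")
    if sponsor is None:
        return Decision("reject", domain, "outside domain and no sponsor named")
    _, sponsor_domain = parse_address(sponsor)
    if sponsor_domain is None or not is_trusted_domain(sponsor_domain):
        return Decision("reject", domain, "sponsor must hold a trusted-domain address")
    return Decision("sponsor", domain, f"outside domain; pending approval by {sponsor.strip().lower()}")


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    samples = [("Alice@Example.GOV", None), ("eve@example.gov.evil.com", None),
               ("eve@example.gov.evil.com", "alice@omb.gov"),
               ("Bob <bob@example.gov>", None), ("x@gov", None)]
    for who, spon in samples:
        print(who, spon, registration_decision(who, spon))
```

The suffix match is done on whole labels, not with `endswith(".gov")` on the raw string, and the sponsor is parsed with the same rules as the applicant; both are places where a lenient implementation lets an outside party self-sponsor into a trusted pool.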
Self or Managed Authorization Process
1. User and his/her management define the MAX application and role to access
2. User applies for application access via the MAX portal
3. MAX or delegated admin reviews access requests
4. MAX assigns user to groups, communities and/or applications as authorized by user’s management
5. MAX notifies user and application administrators
MAX Identity Management (IDM) Services
AaaS IDM (enhanced): JSON based RESTful Web Services
Provides APIs for MAX Identities, Profiles, Groups, and Authorization data
MAX PIV Validation (PV) Services
PV / PKIF (The PKI Framework): full path building, validation, revocation checking; identity data extraction / normalization
Provides APIs for PIV/PIV-I/CAC validation and identity data extraction
“Public” service available: https://pv.test.max.gov/
MAX PIV-to-SAML Translation Services
Perform MAX PIV validation → Map to MAX ID → Translate to SAML → Pass assertion to app
• Performs PIV validation, maps to MAX ID, then translates to SAML
• Apps do not need to be aware of PIV validation details (they are given assurance level as part of SAML assertion)
Agency AD/LDAP Integration (Federation)
Supports ICAM SAML 2.0 Web Browser SSO Profile: http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf
MAX HSPD-12 Authentication Process
(Diagram: browser on the Internet → SSL/TLS → Apache Proxy → CAS → Apps, with CAS authenticating against the Identities Directory; the HSPD-12 certificate is presented by the user’s browser.)
1. User connects to MAX and receives Login Page
2. User enters user/pass or inserts HSPD-12 card into reader and selects PIV login
3. For HSPD-12 login, browser establishes a TLS connection to Proxy, and Proxy requests a certificate
4. Browser extracts certificate from card and forwards it to Proxy
5. Proxy forwards certificate to CAS
6. CAS matches certificate against Identities Directory
7. CAS extracts MAX ID and user profile information and prepares a SAML assertion
8. CAS "forwards" the SAML assertion to the application requesting authentication (no certificates are exchanged)
Douglas Glair, USPS
Doug Glair – Manager, Digital Partnerships and Alliances – United States Postal Service
Federal Cloud Credential Exchange (FCCX)
Market Problem (Government)
• Requires Agencies to integrate with multiple Identity Service Providers (IDPs)
• Requires IDPs to integrate with multiple Agencies
The Solution (FCCX)
Federal Cloud Credential Exchange (FCCX) enables the NSTIC and ICAM vision of interoperable credential usage by allowing agencies to securely interact with a single “broker” to facilitate the authentication of consumers
• Creates a single interface between Agencies and IDPs
• Speeds up integration
• Reduces costs and complexity
NIST Levels of Assurance (LOA)
FCCX will integrate with ICAM approved IDPs across the Levels of Assurance (LOA) defined by NIST and approved via the ICAM Trust Framework Solutions (diagram axis: complexity & security rise with LOA)
• LOA 1: little or no confidence in asserted identity (self-assertion). Approved IdPs: Equifax, Google, PayPal, Symantec, VeriSign, Verizon, Wave Systems, Virginia Tech
• LOA 2: some confidence in asserted identity. Approved IdPs: Symantec, Verizon, Virginia Tech
• LOA 3: high confidence in asserted identity. Approved IdPs: Symantec, Verizon
• LOA 4: very high confidence in asserted identity. Approved IdPs: PIV/PIV-I Cards
FCCX Anticipated User Experience Flow
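Both the MAX PIV-to-SAML translation slide (the app receives the assurance level inside the SAML assertion instead of PIV validation details) and the FCCX LOA table come down to one question on the consuming side: what assurance does this assertion really carry, and who is allowed to say so? The block below is an added example, not MAX or FCCX code. It assumes the LOA is conveyed as an AuthnContextClassRef of the form http://idmanagement.gov/ns/assurance/loa/N (the ICAM profile’s style), uses plain placeholder strings for issuers where a real deployment keys on the SAML entityID, copies the approval table from the slide, and leaves out signature, audience, validity-window and replay checks, all of which must pass before any of this logic runs.

```python
"""Assurance level carried in a SAML 2.0 assertion, and the checks a relying
application (or a broker such as FCCX) applies to it.

Added example; not MAX or FCCX code.  Assumptions: the LOA is conveyed as an
AuthnContextClassRef of the form http://idmanagement.gov/ns/assurance/loa/<N>
(the ICAM profile's style); issuers are plain placeholder names; the approval
table is copied from the slides.  Signature, audience, validity-window and
replay checks are omitted and must pass before this code is reached.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
LOA_PREFIX = "http://idmanagement.gov/ns/assurance/loa/"
ET.register_namespace("saml", SAML_NS)

# Highest LOA each IdP is approved for (placeholder issuer names; a real
# broker keys this table by SAML entityID from its trust-framework config).
APPROVED_LOA = {
    "Equifax": 1, "Google": 1, "PayPal": 1, "VeriSign": 1, "Wave Systems": 1,
    "Virginia Tech": 2, "Symantec": 3, "Verizon": 3, "PIV/PIV-I": 4,
}


def _q(tag: str) -> str:
    return f"{{{SAML_NS}}}{tag}"


def build_assertion(issuer: str, name_id: str, max_id: str, loa: int) -> str:
    """IdP / translator side: emit an (unsigned) assertion whose AuthnContext
    carries the LOA, so the app never sees PIV validation details."""
    if loa not in (1, 2, 3, 4):
        raise ValueError("LOA must be 1..4")
    a = ET.Element(_q("Assertion"), Version="2.0", ID="_example-assertion")
    ET.SubElement(a, _q("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, _q("Subject")), _q("NameID")).text = name_id
    ctx = ET.SubElement(ET.SubElement(a, _q("AuthnStatement")), _q("AuthnContext"))
    ET.SubElement(ctx, _q("AuthnContextClassRef")).text = f"{LOA_PREFIX}{loa}"
    attr = ET.SubElement(ET.SubElement(a, _q("AttributeStatement")), _q("Attribute"), Name="maxId")
    ET.SubElement(attr, _q("AttributeValue")).text = max_id
    return ET.tostring(a, encoding="unicode")


def asserted_loa(assertion_xml: str) -> int:
    """App side: read the LOA.  Exactly one context class ref is required and it
    must be one of the four known URIs; anything else is an error, never a
    default level."""
    root = ET.fromstring(assertion_xml)
    refs = root.findall(f".//{_q('AuthnContextClassRef')}")
    if len(refs) != 1:
        raise ValueError("expected exactly one AuthnContextClassRef")
    ref = (refs[0].text or "").strip()
    if not ref.startswith(LOA_PREFIX) or ref[len(LOA_PREFIX):] not in ("1", "2", "3", "4"):
        raise ValueError(f"unrecognised assurance context {ref!r}")
    return int(ref[len(LOA_PREFIX):])


def issuer_of(assertion_xml: str) -> str:
    root = ET.fromstring(assertion_xml)
    iss = root.find(_q("Issuer"))
    if iss is None or not (iss.text or "").strip():
        raise ValueError("assertion has no Issuer")
    return iss.text.strip()


def effective_loa(assertion_xml: str) -> int:
    """Broker side: trust comes from the (signature-verified) Issuer, not from
    the assertion's own claim.  An IdP asserting above its approved level is
    misconfigured or hostile, so the assertion is refused, not downgraded."""
    issuer = issuer_of(assertion_xml)
    approved = APPROVED_LOA.get(issuer)
    if approved is None:
        raise PermissionError(f"issuer {issuer!r} is not an approved IdP")
    loa = asserted_loa(assertion_xml)
    if loa > approved:
        raise PermissionError(f"{issuer} asserted LOA {loa} but is approved only to LOA {approved}")
    return loa


def authorize(assertion_xml: str, required_loa: int) -> bool:
    """Relying application: admit only if the effective LOA meets the need."""
    return effective_loa(assertion_xml) >= required_loa


if __name__ == "__main__":
    # Constructed sample, not a real assertion.
    xml = build_assertion("Symantec", "jane.doe@example.test", "MAX-00001", 3)
    print(xml)
    print("admit at LOA 3:", authorize(xml, 3), " admit at LOA 4:", authorize(xml, 4))
```

Two design points matter more than the XML plumbing: the approved level is looked up by the verified Issuer rather than taken from any client-controlled parameter, and an assertion whose claimed level exceeds that approval is rejected outright rather than clamped, since a clamp would hide a misconfigured or compromised IdP from the logs.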