Identity Federations and the U.S. E-Authentication Architecture

Peter Alterman, Ph.D.

Assistant CIO, E-Authentication

National Institutes of Health

Agenda

Elements of US Federal Identity Federation

Inward-facing and outward-facing elements

Interfederation interoperability initiatives

The U.S. Federal Identity Framework IS:

A combination of policy and technology implemented to:Provide secure access to government

physical and logical resources

Provide secure mechanisms for citizens, businesses and other governments to transact business with the US Federal Government electronically

Implementation of U.S. Federal Identity Framework

Feds and on-site contractors get Common PKI token and medium assurance digital certificatesCommon Policy and common token facilitate interagency interoperability

AuthZ still a local responsibility

Federal Bridge enables cross-Agency interoperability outside the Common Policy (for waived entities)

Foundation Elements of FIF Policy-Driven

FICC Identity Management Framework DocumentOMB M-04-04 (LOA)NIST SP 800-63 (Risk)U.S. Federal Common Policy Framework CP (PKI)Federal Bridge CA CP (PKI)E-Authentication Risk Assessment SmartCard Standards (GSIS-compliance)E-Authentication Credential Assessment Framework (CAF)

E-Authentication Full Operational Capability (FOC) Architecture for Clients and Business Partners

Defines the way end users authenticate to online Agency ApplicationsBased on external standards.. Conservatively

SAML 1.0 profiles currentlyLiberty, Shibboleth, WS* SAML 1.x, 2.0 as COTS products become available

Credential Services Providers (electronic identity credential issuers) evaluated for LOA using standard methodology (CAF)Supports all authentication technologies

Interfederation Interoperability Initiatives

E-Authentication Partnership with private industry (next meeting October 25, 2004 in Broomfield, CO in conjunction with Digital ID World)E-Authentication – inCommon interoperability project to enable Shibboleth credentials to be used to access Agency Applications

Discussions afoot to incorporate a Federal Shibboleth Federation into the E-Authentication FOC to enhance bidirectional interoperability (Federal credentials used to access inCommon services)

I-CIDM (International Collaborative identity Management) Bridge to Bridge Interoperability Work Group (PKI)

E-Authentication Partnership

The Electronic Authentication Partnership (EAP) is the multi-industry partnership working on the vital task of enabling interoperability among public and private electronic authentication (e-authentication) systems. Interoperability of e-authentication systems is essential to the cost-effective operation of safe and secure systems that perform essential electronic transactions and tasks across industry lines.

E-Authentication / inCommon Interoperability Project

Phases One and Two funded:Demonstrate technical interoperability between Shib and E-Auth FOC in the E-Auth Interoperability LabIdentify Policy and Practice convergence requirements for E-Auth and inCommonContribute to the B2B (PKI) discussions hosted by I-CIDM

International Collaborative Identity Management (I-CIDM) Forum

A Forum to clarify the current Federal policy and implementation of identity management (PKI) within and across collaborating organizations. The Society of British Aerospace Companies (SBAC), the UK Defence Manufacturers Association (DMA), and NACHA are also participating.Educate, assess and advise on CIDM policy, process and technology issues including strong identity management, data segregation management, PKI/PKE implementation, cross-certification, and commercial CA bridges.

Work to be Done

Policy alignment – key is that there be policies in federations and that they address Levels of Assurance of Identity (LOA)

Technical alignment – convergence on SAML 2.0 with and without X.509 digital certificates.

Sources

http://www.cio.gov/eauthentication

http://www.cio.gov/fbca

http://www.cio.gov/ficc

http://csrc.nist.gov

http://www.eapartnership.org/

http://www.afei.org/brochure/4af0/CIDMMeeting.cfm#purpose