
Externalizing Authentication


Presentation Transcript


  1. Externalizing Authentication Federal ICAM Day June 18, 2013

  2. Panel Participants • Phil Wenger, OMB • Douglas Glair, USPS • Anil John, GSA (Moderator)

  3. Phil Wenger, OMB

  4. ICAM Information Sharing Day and Vendor Expo Externalizing Authentication using MAX Authentication as a Service (AaaS) Phil Wenger, OMB June 2013

  5. Key Takeaways • Understand the MAX Ecosystem • Understand how Agencies can externalize authentication using MAX’s Shared Credentialing, Provisioning, Authentication, and Authorization Services

  6. MAX.gov - A Complete Cloud Services Platform Enabling the “Shared First” and “Cloud First” eGov Policies

  7. MAX AaaS provides Government-wide ID Plus state, local, international, & non-governmental partner users (diagram labels: Government-to-Government; Inter-agency; Intra-agency; Policymaking, Management and Budget class of activities; State, Local, International, and Non-Governmental Partners; The Public) • Available for use by agencies for both cross-government and intra-agency activities • User accounts available for interactions with non-governmental partners in secure Enclaves

  8. What MAX AaaS Provides to Agencies

  9. MAX AaaS Solution Benefits

  10. MAX AaaS - Scope Federal, State, Local, International, and Non-government partner users

  11. MAX AaaS – Multiple Login Methods Web Services that support HSPD-12 and ICAM SAML 2.0 Web Browser SSO Profile. Choose between single-factor, dual-factor, or federated login • PIV validation and mapping service • Full path building, validation, revocation checking • Identity data extraction and normalization • Can be mapped to your agency ID • Federate your agency Active Directory or SAML 2.0 instances http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf

  12. How Agencies have Externalized Authentication using MAX AaaS Today MAX A11, Apportionment BFEM Adobe Connect Online Meetings Wordpress Drupal Active Directory DOJ CyberScope IT Dashboard, Data.Gov, Performance.Gov

  13. MAX Authentication as a Service (AaaS) Sponsored by the Budget Formulation and Execution Line of Business (BFELoB) BFELoB Organization and Contacts: • Executive Sponsor: Courtney Timberlake, Assistant Dir. for Budget, OMB • Managing Partner: Tom Skelly, Director of Budget Service, Education • Policy Lead: Andy Schoenbach, Chief, Budget Systems Branch, OMB • Deputy Policy Lead: Phil Wenger, Budget Systems Branch, OMB • Program Management Office Lead: Mark Dronfield, Education • MAX Authentication Lead: Barry Napear, Budget Systems Branch, OMB • MAX Architect: Shahid Shah, Budget Systems Branch (CTR), OMB • Learn More about the Budget LoB: www.BudgetLoB.gov • Visit MAX.gov: www.max.gov • Contact the Budget LoB: BudgetLoB@Ed.gov • Contact MAX Support: 202 395-6860

  14. Background Slides

  15. MAX AaaS: Full featured identity services

  16. Self Service User Provisioning Process Less than 5 minutes to get an account for “trusted domains”

  17. Self or Managed Authorization Process

  18. MAX Identity Management (IDM) Services Provides APIs for MAX Identities, Profiles, Groups, and Authorization data Enhanced

  19. MAX PIV Validation (PV) Services Provides APIs for PIV/PIV-I/CAC validation and identity data extraction “Public” service available: https://pv.test.max.gov/ PKIF: The PKI Framework

  20. MAX PIV-to-SAML Translation Services • Performs PIV validation, maps to MAX ID, then translates to SAML • Apps do not need to be aware of PIV validation details (they are given assurance level as part of SAML assertion)

  21. Agency AD/LDAP Integration (Federation) Supports ICAM SAML 2.0 Web Browser SSO Profile http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf

  22. MAX HSPD-12 Authentication Process (diagram components: HSPD-12 Certificate, Internet, SSL/TLS Apache Proxy, CAS, Identities Directory, Apps) • User connects to MAX and receives Login Page • User enters user/pass or inserts HSPD-12 card into reader and selects PIV login • For HSPD-12 login, browser establishes a TLS connection to Proxy, and Proxy requests a certificate • Browser extracts certificate from card and forwards it to Proxy • Proxy forwards certificate to CAS • CAS matches certificate against Identities Directory • CAS extracts MAX ID and user profile information and prepares a SAML assertion • CAS "forwards" the SAML assertion to the application requesting authentication (no certificates are exchanged)
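The application side of the flow on slide 22 and of the PIV-to-SAML translation on slide 20, as an added example that is not MAX.gov or FCCX code: the application receives only the SAML assertion and, once the XML signature over it has been verified, checks issuer, validity window, audience restriction and subject, then reads the asserted authentication context and enforces its own minimum LOA without ever seeing the PIV certificate. The sample assertion, the issuer and audience URLs, and the mapping from AuthnContextClassRef URIs to LOA values are constructed for illustration; the slides do not state which context URIs MAX emits.

```python
"""Relying-party checks on a SAML 2.0 assertion that carries an assurance level.
Added example, not MAX.gov or FCCX code: the assertion, URLs and the
AuthnContextClassRef-to-LOA mapping below are constructed for illustration."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Assumed mapping of standard OASIS authentication-context URIs to NIST
# SP 800-63 levels of assurance; the slides do not say which URIs MAX emits.
LOA_BY_CONTEXT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}

# Constructed assertion of the shape CAS would hand to an application after a
# PIV login: MAX ID in the Subject, assurance level in the AuthnContext.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1"
    Version="2.0" IssueInstant="2013-06-18T14:00:00Z">
  <saml:Issuer>https://idp.example.gov/cas</saml:Issuer>
  <saml:Subject><saml:NameID>maxid-12345</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-06-18T14:00:00Z" NotOnOrAfter="2013-06-18T14:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.gov</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-06-18T13:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when the assertion fails one of the relying-party checks."""


def _saml_time(value):
    # SAML timestamps are UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, min_loa, now):
    """Return (subject, loa) for an acceptable assertion, else raise AssertionRejected.
    Assumes the XML signature was already verified by an XML-DSig library;
    these are the checks that must follow signature verification."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise AssertionRejected(f"unexpected issuer {issuer!r}")
    # Validity window: rejects replayed or not-yet-valid assertions.
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise AssertionRejected("Conditions lack a validity window")
    if not _saml_time(cond.get("NotBefore")) <= now < _saml_time(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion outside its validity window")
    # Audience restriction: an assertion minted for another application is not honoured.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("assertion not addressed to this application")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise AssertionRejected("missing Subject NameID")
    # The assurance level comes from the AuthnContext; the app never sees the PIV certificate.
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    loa = LOA_BY_CONTEXT.get(ctx)
    if loa is None:
        raise AssertionRejected(f"unknown authentication context {ctx!r}")
    if loa < min_loa:
        raise AssertionRejected(f"LOA {loa} below required LOA {min_loa}")
    return subject, loa


def rejection_reason(xml_text, expected_issuer, expected_audience, min_loa, now):
    """None if the assertion is accepted, otherwise the reason it was rejected."""
    try:
        validate_assertion(xml_text, expected_issuer, expected_audience, min_loa, now)
    except AssertionRejected as exc:
        return str(exc)
    return None


def run_scenarios():
    """Exercise the checks against the constructed assertion and return each outcome."""
    issuer, audience = "https://idp.example.gov/cas", "https://app.example.gov"
    in_window = datetime(2013, 6, 18, 14, 2, tzinfo=timezone.utc)
    too_late = datetime(2013, 6, 18, 14, 5, tzinfo=timezone.utc)  # NotOnOrAfter is exclusive
    password_login = SAMPLE_ASSERTION.replace("SmartcardPKI", "PasswordProtectedTransport")
    return {
        "piv_login_accepted": rejection_reason(SAMPLE_ASSERTION, issuer, audience, 3, in_window),
        "expired": rejection_reason(SAMPLE_ASSERTION, issuer, audience, 3, too_late),
        "wrong_audience": rejection_reason(SAMPLE_ASSERTION, issuer, "https://other.example.gov", 3, in_window),
        "password_below_loa3": rejection_reason(password_login, issuer, audience, 3, in_window),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'accepted' if outcome is None else outcome}")
```

The order of the checks matters in practice: issuer and signature establish who produced the assertion, the validity window and audience restriction stop a captured assertion from being replayed against this or another application, and only then is the asserted LOA trusted as the basis for an authorization decision.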

  23. Douglas Glair, USPS

  24. Federal Cloud Credential Exchange (FCCX) Doug Glair – Manager, Digital Partnerships and Alliances – United States Postal Service

  25. Federal Cloud Credential Exchange (FCCX) enables the NSTIC and ICAM vision of interoperable credential usage by allowing agencies to securely interact with a single “broker” to facilitate the authentication of consumers. Market Problem (Government): • Requires Agencies to integrate with multiple Identity Service Providers (IDPs) • Requires IDPs to integrate with multiple Agencies. The Solution (FCCX): • Creates a single interface between Agencies and IDPs • Speeds up integration • Reduces costs and complexity

  26. NIST Levels of Assurance (LOA) FCCX will integrate with ICAM approved IDPs across the Levels of Assurance (LOA) defined by NIST and approved via the ICAM Trust Framework Solutions (axis label: Complexity & Security) • LOA 1: Little or no confidence in asserted identity – self-assertion. Approved IdPs: Equifax, Google, PayPal, Symantec, VeriSign, Verizon, Wave Systems, Virginia Tech • LOA 2: Some confidence in asserted identity. Approved IdPs: Symantec, Verizon, Virginia Tech • LOA 3: High confidence in asserted identity. Approved IdPs: Symantec, Verizon • LOA 4: Very high confidence in asserted identity. Approved IdPs: PIV/PIV-I Cards

  27. FCCX Anticipated User Experience Flow
