GFIPM Enabling Federated Identity and Single Sign-on
John Ruegg, LA County Information Systems Advisory Body
June 11, 2014
What is Federated Identity?
• You trust an external partner organization to vet its users, issue local authentication tokens, assert user/system identities and privilege attributes, and locally authenticate its users BEFORE they can be granted access to your system. That organization is a Trusted Identity Provider (IdP), aka Claims Provider.
• Your system relies on the identity credentials provided by the IdP to make access and authorization decisions. Your system is a Service Provider (SP), aka Relying Party.
• IdPs and SPs have mutual technical and policy obligations to meet for participation in the Identity Federation.
Basic Concepts of GFIPM Federation (figure; labels recovered from the diagram)
Actors: Data Requester, Identity Provider, Data Service Provider (which applies its Local Access Policy).
1 Data Request
2 Local Authentication
3 Assertion Authentication Request
4 Assertion Authentication Response (carrying the GFIPM User Assertion)
5 Data Service Response
Federation Terminology
• A Trusted Identity Provider (IdP) or Claims Provider
  • Vets and identity-proofs users, authenticates users, issues Federated ID credentials, and maintains user identity and privilege attributes
• Service Provider (SP) or Relying Party
  • Consumes Federated IDs and asserted attributes from IdPs and Attribute Authorities to make authorization decisions
• Attributes – Identification and Privilege Data Tags
  • Example: a DMV-issued Driver's License card lists identification attributes such as Name, Sex, DOB and Address, together with driving privilege attributes such as Commercial Truck license or Motorcycle license
  • GFIPM has a dictionary of defined Identity and Privilege Attributes
• Digitally Signed "Trust File" – contains the names, attributes, and certificates of each IdP and SP, which together make up the set of Federation members (note: a SAML metadata file)
Service Providers (SPs) Control Their Access Policy Rules
SERVICE: TX Criminal Law Enforcement Reporting and Information System (CLERIS)
ACCESS POLICY
• Sworn Law Enforcement Officer Asserted
• Criminal Investigative Search Privilege Asserted OR (Criminal Intel Search Privilege Asserted AND 28CFR Certification Asserted)
• Identity Proofing Assurance Asserted and = NIST4
• Electronic Identity Assurance Asserted and ≥ NIST3
• Audit Attributes Provided*
*First Name, Last Name, Phone Number, User Federation ID, Organization Name, Identity Provider, Email Address
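The CLERIS access policy above, evaluated by a relying party in code. This is an added example, not code from the presentation, NIEF or GFIPM; the attribute names and the SAML AttributeStatement are constructed stand-ins, not the identifiers in the GFIPM metadata dictionary, and the decision is deny-by-default with every unmet rule reported.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names below are constructed stand-ins, not the real GFIPM metadata identifiers.
AUDIT_ATTRS = ("FirstName", "LastName", "PhoneNumber", "UserFederationID",
               "OrganizationName", "IdentityProvider", "EmailAddress")
NIST_LEVEL = {"NIST1": 1, "NIST2": 2, "NIST3": 3, "NIST4": 4}

# Constructed sample: a Criminal Intel searcher with 28 CFR certification (no CIS privilege).
_SAMPLE = {"SwornLawEnforcementOfficer": "true", "CriminalInvestigativeSearchPrivilege": "false",
           "CriminalIntelSearchPrivilege": "true", "28CFRCertification": "true",
           "IdentityProofingAssurance": "NIST4", "ElectronicIdentityAssurance": "NIST3",
           "FirstName": "Jane", "LastName": "Doe", "PhoneNumber": "555-0100",
           "UserFederationID": "jdoe@idp.example", "OrganizationName": "Example PD",
           "IdentityProvider": "Example County IdP", "EmailAddress": "jdoe@example.org"}
SAMPLE_ASSERTION = (f'<saml:AttributeStatement xmlns:saml="{SAML}">' + "".join(
    f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
    for n, v in _SAMPLE.items()) + "</saml:AttributeStatement>")

def attributes_from_assertion(xml_text):
    """Map Attribute Name -> first AttributeValue text from a SAML AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): (a.findtext(f"{{{SAML}}}AttributeValue") or "")
            for a in root.iter(f"{{{SAML}}}Attribute")}

def evaluate_cleris_policy(attrs):
    """Apply the slide's CLERIS rules; return (permit, list of unmet rules). Deny by default."""
    flag = lambda name: attrs.get(name, "").lower() == "true"
    reasons = []
    if not flag("SwornLawEnforcementOfficer"):
        reasons.append("Sworn Law Enforcement Officer not asserted")
    # CIS privilege alone, or Criminal Intel privilege together with 28 CFR certification
    if not (flag("CriminalInvestigativeSearchPrivilege")
            or (flag("CriminalIntelSearchPrivilege") and flag("28CFRCertification"))):
        reasons.append("no qualifying search privilege")
    if attrs.get("IdentityProofingAssurance") != "NIST4":
        reasons.append("Identity Proofing Assurance must equal NIST4")
    if NIST_LEVEL.get(attrs.get("ElectronicIdentityAssurance", ""), 0) < NIST_LEVEL["NIST3"]:
        reasons.append("Electronic Identity Assurance must be >= NIST3")
    missing = [a for a in AUDIT_ATTRS if not attrs.get(a)]
    if missing:
        reasons.append("missing audit attributes: " + ", ".join(missing))
    return (not reasons, reasons)

if __name__ == "__main__":
    print(evaluate_cleris_policy(attributes_from_assertion(SAMPLE_ASSERTION)))
```

In a real SP the assertion's signature and issuer would be checked against the federation's signed trust file before any attribute is read; this block covers only the policy evaluation step.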
Summary of Identity Federation Components
• A process for establishing trust in electronic credentials and attributes issued by external partner or third-party organizations
• Conformance to one or more technical Federation Standards for conveying Federated IDs and attributes to one or more Service Providers (Relying Parties), e.g. SAML Single Sign-on for Web Browsers
• Use of a common vocabulary of Identity and Privilege Attributes for assertion by IdPs, e.g. GFIPM metadata
• Service Providers (Relying Parties) defining the attributes they require to make access control decisions for their resource(s)
National Identity Exchange Federation
Online at https://nief.gfipm.net/
What is NIEF? National Identity Exchange Federation (NIEF)
• NIEF is an instance of the GFIPM Technical and Policy Standards and Guidance
• An authorized set of Trusted Identity Providers (IdPs)
• An authorized set of Service Providers (SPs)
• IdPs and SPs have mutual technical and policy obligations as specified in the GFIPM Governance Policy documentation
• All IdPs and SPs must undergo the NIEF formal onboarding process
Trusted IdP/SP Agreement
• Provide support for a Federated ID electronic credential with the broadest acceptance by multiple jurisdictions and organizations (similar to the goals of a U.S. Passport or a state Driver's License credential).
• Provide technical interoperability testing/support with multiple Open Source and Commercial Federation software products.
• Maintain and field-test GFIPM Technical/Management Standards
  • Backend Attribute Exchange (BAE) pilot testing
  • Attribute Authority access
  • OpenID Connect – REST/JSON standard for mobile application federated ID
  • FICAM alignment certification (optional)
• An operational Identity Federation for Federal, State and local Justice and Public Safety organizations and partners, using a consistent process for onboarding IdPs and SPs.
GFIPM Governance Model
• Representative Federation Governance
  • Scope of governance is limited to ID and privilege management issues and the underlying inter-agency trust
  • Governance of federation services is outside scope
• Formal Application and Onboarding Processes
• Formal Interoperability Testing Process
  • Tests are done in a non-live "reference" federation
• A "Federation Manager" agency provides support for the Governance Process
Federation Management Role
• Onboarding IdPs and SPs
  • Agreements / MOU for an IdP or SP
  • Review of submitted Security Practices documentation
  • Verification and interoperability testing of the IdP/SP
  • Approval of IdP/SP documentation and documented roles/responsibilities for the IdP and SP per an Onboarding Federation Agreement
• Ongoing Maintenance
  • Monitor online/offline status of IdPs/SPs
  • Publish new IdPs and SPs to the Federation Directory of Services
  • Update contact information
  • Provide help desk triage
  • Distribute updates to the "Crypto-Trust File" [new IdP/SP]
Federation Management Role (continued)
• If required, establish a legal entity for signed IdP/SP agreements with the Federation
• Define IdP/SP audit requirements
• Define a dispute resolution process
• Establish liability insurance
• Define the process for removing an IdP/SP from the "Crypto-Trust File"
RISS GFIPM Federation (figure; member labels recovered from the diagram)
Members connected over the Secured Internet (https with mutual authentication): San Diego County ARJIS, CISA, CJIS FBI Portal, Pennsylvania JNET, LA County CCHRS, State & Local Fusion Centers, and the CONNECT Project (Alabama, Florida, Kansas, Nebraska, Tennessee, Utah, Wyoming).
NIEF Website
• Provides public-facing information about NIEF online
  • List of current members
  • Instructions for prospective members
  • Frequently Asked Questions
  • Contact information
• Online at https://nief.gfipm.net/
GFIPM Solutions Benefits
• Provide more data for your user base
• Provide your data to a larger user base
• Reduce or eliminate external system access and administration
• Secured system data exchange
• No mandate, but must interoperate
• Single, reusable infrastructure and security framework for secured national sharing
GFIPM Solutions Benefits (continued)
• Cost-effective solution
• Leverages local Identity Management systems and policies (closest to the user)
• User identity information is maintained in ONE place, with the local organization's Identity Management System (IdP)
• The user authenticates once to the local IdP and uses that Single Sign-on (SSO) to gain access to multiple authorized federated systems
• Federation systems use the standard NIEM Justice Identity Credential, so integration is simplified
GFIPM Reference Federation
• Managed by GTRI for interoperability testing by all GFIPM stakeholders
• Used by NIEF as part of the onboarding test process prior to live onboarding
• Info available at http://ref.gfipm.net/
GFIPM Implementation Portal
• Info available at http://gfipm.net/implementation.html