Externalizing Authentication

Federal CIO Council
Information Security and Identity Management Committee
IDManagement.gov
Externalizing Authentication
Federal ICAM Day
June 18, 2013
Panel Participants
• Phil Wenger, OMB
• Douglas Glair, USPS
• Anil John, GSA (Moderator)
Align
Collaborate
Enable
http://www.IDManagement.gov
Phil Wenger, OMB
ICAM Information Sharing Day and Vendor Expo
Externalizing Authentication using MAX Authentication as a Service (AaaS)
Phil Wenger, OMB, June 2013
Key Takeaways
• Understand the MAX Ecosystem
• Understand how Agencies can externalize authentication using MAX's shared Credentialing, Provisioning, Authentication, and Authorization Services
MAX.gov - A Complete Cloud Services Platform
Enabling the "Shared First" and "Cloud First" eGov Policies. Services on the platform:
• Identity Management & SSO
• Collaboration
• Analytics
• Data Collections & Surveys
• Web Meetings
• Remote Desktops for Telework
• Federated Search
• Wiki & Web Content
• Document Management
• Social Networking & Publishing
• Governmentwide Directory
MAX AaaS provides Government-wide ID, plus state, local, international, and non-governmental partner users.
Scope of use (diagram): Intra-agency; Inter-agency (Government-to-Government); Policymaking, Management and Budget class of activities; State, Local, International, and Non-Governmental Partners; The Public.
• Available for use by agencies for both cross-government and intra-agency activities
• User accounts available for interactions with non-governmental partners in secure Enclaves
What MAX AaaS Provides to Agencies
Immediate Government-wide Identity
• Allow citizen access to agency websites using NSTIC or anonymous logins while enforcing admin access via MAX ID
• Use government-wide organic and organizational MAX groups for role-based access control and fine-grained permissions
Rapid HSPD-12, DOD CAC PIV Implementation
• Use the MAX PIV validation service to meet eGov policies (OMB M-11-11, M-10-28)
• Use the MAX PIV-to-SAML gateway service to map a 2-factor identity to agency logins or a MAX ID
Federation and Multi-Agency Single Sign-on
• Federate MAX Authentication with your Agency's Active Directory
• Federate MAX Authentication with SAML 2.0 Single Sign-on (SSO)
MAX AaaS Solution Benefits
• Low Total Cost of Ownership
• Instant Deployment
• FIPS 199 FISMA Moderate: cloud based, C&A'd; mission-critical use
• No new software to build or license
• Self-service delegated administration
• Dual authentication
• Government-wide Directory: augments existing identities; automatically maintained; eases management burden
MAX AaaS - Scope
• Auto Registration for .gov, .mil and other domains
• 120+ Agencies
• 300+ Bureaus
• 85,000+ users
• 6,000+ user groups
• Thousands of HSPD-12 users from 90+ agencies
• Federal, State, Local, International, and Non-government partner users
MAX AaaS – Multiple Login Methods
Web Services that support HSPD-12 and the ICAM SAML 2.0 Web Browser SSO Profile
• Choose between single-factor, dual-factor, or federated login
• PIV validation and mapping service: full path building, validation, revocation checking; identity data extraction and normalization; can be mapped to your agency ID
• Federate your agency Active Directory or SAML 2.0 instances
http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf
How Agencies have Externalized Authentication using MAX AaaS Today
Diagram: applications authenticating through MAX Authentication as a Service (AaaS), with a MAX ID or a federated agency Active Directory as the credential source:
• MAX Apps: MAX A-11, Apportionment, BFEM
• Agency Apps
• Other Apps: Adobe Connect Online Meetings, WordPress, DOJ CyberScope, Drupal
• eGov Apps: IT Dashboard, Data.Gov, Performance.Gov
• Active Directory (federated)
• MAX ID
Sponsored by the Budget Formulation and Execution Line of Business (BFELoB)
BFELoB Organization and Contacts:
Executive Sponsor: Courtney Timberlake, Assistant Dir. for Budget, OMB
Managing Partner: Tom Skelly, Director of Budget Service, Education
Policy Lead: Andy Schoenbach, Chief, Budget Systems Branch, OMB
Deputy Policy Lead: Phil Wenger, Budget Systems Branch, OMB
Program Management Office Lead: Mark Dronfield, Education
MAX Authentication Lead: Barry Napear, Budget Systems Branch, OMB
MAX Architect: Shahid Shah, Budget Systems Branch (CTR), OMB
Learn More about the Budget LoB: www.BudgetLoB.gov
Visit MAX.gov: www.max.gov
Contact the Budget LoB: BudgetLoB@Ed.gov
Contact MAX Support: 202 395-6860
BACKGROUND SLIDES
MAX AaaS: Full featured identity services
• Self-Service Provisioning: self-service registration and account management; auto-provisioning for .gov, .mil, etc.
• Multi-factor Authentication: single factor (user/password); multi factor (PIV/PIV-I/CAC); federated (SAML2, ADFS); machine-to-machine (M2M) SAML; identity assurance for Levels 2 and 3
• Delegated Authorization: group management; role management; delegated administration
• Common Identity, Profile, and Directory
Self Service User Provisioning Process
Less than 5 minutes to get an account for "trusted domains"
1. Agency user and his/her management define the need to access MAX (employee, contractor, partner)
2. User self-registers online at the MAX portal, https://max.gov
3. MAX validates the user's email address
4. MAX checks the sponsor requirement for outside users
5. Email confirmation is sent to the user
6. User accepts the MAX User Agreement
Self or Managed Authorization Process
• User and his/her management define the MAX application and role to access
• User applies for application access via the MAX portal
• MAX or a delegated admin reviews access requests
• MAX assigns the user to groups, communities and/or applications as authorized by the user's management
• MAX notifies the user and application administrators
MAX Identity Management (IDM) Services
Provides APIs for MAX Identities, Profiles, Groups, and Authorization data
• AaaS-enhanced, JSON-based RESTful web services (IDM)
MAX PIV Validation (PV) Services
Provides APIs for PIV/PIV-I/CAC validation and identity data extraction
"Public" service available: https://pv.test.max.gov/
• Full path building, validation, revocation checking (built on PKIF, the PKI Framework)
• Identity data extraction / normalization
MAX PIV-to-SAML Translation Services
• Performs PIV validation, maps to a MAX ID, then translates to SAML
• Apps do not need to be aware of PIV validation details (they are given the assurance level as part of the SAML assertion)
Pipeline: Perform MAX PIV Validation → Map to MAX ID → Translate to SAML → Pass Assertion to App
Agency AD/LDAP Integration (Federation)
Supports ICAM SAML 2.0 Web Browser SSO Profile
http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf
MAX HSPD-12 Authentication Process
Diagram: browser with HSPD-12 certificate, over the Internet, SSL/TLS to an Apache Proxy; CAS behind the proxy, with the Identities Directory and the Apps (steps 1-8 below).
1. User connects to MAX and receives the Login Page
2. User enters user/pass, or inserts the HSPD-12 card into the reader and selects PIV login
3. For HSPD-12 login, the browser establishes a TLS connection to the Proxy, and the Proxy requests a certificate
4. Browser reads the certificate from the card and presents it to the Proxy (the card signs the TLS handshake; the private key never leaves the card)
5. Proxy forwards the certificate to CAS
6. CAS matches the certificate against the Identities Directory
7. CAS extracts the MAX ID and user profile information and prepares a SAML assertion
8. CAS "forwards" the SAML assertion to the application requesting authentication (no certificates are exchanged)
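Steps 5 through 8 above, together with the PIV validation and PIV-to-SAML translation services in the background slides, as an added example written for this page (it is not MAX or CAS code). It models the CAS side of the flow: it trusts only the verification verdict the Apache proxy forwards in mod_ssl result variables (so the proxy must strip any SSL_CLIENT_* headers a client supplies, or the verdict could be forged), normalizes the UPN carried in the PIV authentication certificate, checks a revocation set as defence in depth, maps the identity to a MAX ID in a constructed Identities Directory, and emits a SAML 2.0 assertion carrying the MAX ID, profile attributes and an assurance level in AuthnContextClassRef. The issuer DN, MAX IDs, URLs, the ICAM LOA URI form, and the sample request are assumed or constructed for this example; the assertion is left unsigned here, whereas a real deployment signs it as the ICAM SAML profile requires.

```python
"""PIV login -> SAML assertion, modelled on steps 5-8 of the MAX HSPD-12 flow.

Added example, not MAX/CAS code. Assumed trust model: the Apache proxy
terminates TLS, verifies the client certificate chain and revocation
status, strips any SSL_CLIENT_* headers the client sent, and forwards its
own mod_ssl results to CAS over a trusted hop. Directory, revocation data
and the sample request are constructed for this example.
"""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Assumed identifiers, for this example only.
ISSUER = "https://max.gov/cas"
AUDIENCE = "https://app.example.gov/sp"
ASSURANCE_PIV = "http://idmanagement.gov/ns/assurance/loa/4"  # ICAM LOA URI form, assumed
PIV_CA = "CN=Example Agency PIV CA,OU=PKI,O=U.S. Government,C=US"

TRUSTED_ISSUERS = {PIV_CA}        # CAs whose certificates count as a PIV login
REVOKED = {(PIV_CA, "A1B")}       # (issuer, normalized serial); stands in for CRL/OCSP state
DIRECTORY = {                     # "Identities Directory": normalized UPN -> MAX record
    "1234567890@fedidcard.gov": {"max_id": "MAX-0001", "name": "Jane Doe", "agency": "OMB"},
}
SAMPLE_REQUEST = {                # constructed: what the proxy forwards for a good PIV login
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=JANE DOE,OU=People,OU=Example Agency,O=U.S. Government,C=US",
    "SSL_CLIENT_I_DN": PIV_CA,
    "SSL_CLIENT_M_SERIAL": "00FF01",
    "SSL_CLIENT_SAN_OTHER_msUPN_0": "1234567890@FedIDCard.gov",
}


class AuthError(Exception):
    """Login refused; the message is safe to log, not to echo verbatim to the user."""


def _q(tag):
    return "{%s}%s" % (SAML_NS, tag)


def _norm_serial(s):
    return s.strip().upper().lstrip("0") or "0"


def extract_identity(headers):
    """Steps 5-6: accept only the proxy's verdict, then normalize the identity data."""
    if headers.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise AuthError("proxy did not verify client certificate")
    issuer = headers.get("SSL_CLIENT_I_DN", "")
    if issuer not in TRUSTED_ISSUERS:
        raise AuthError("certificate issuer not trusted for PIV login")
    serial = _norm_serial(headers.get("SSL_CLIENT_M_SERIAL", ""))
    if (issuer, serial) in REVOKED:  # defence in depth; the proxy should already have checked
        raise AuthError("certificate revoked")
    upn = headers.get("SSL_CLIENT_SAN_OTHER_msUPN_0", "").strip().lower()
    if "@" not in upn:
        raise AuthError("PIV authentication certificate carries no UPN")
    return {"issuer": issuer, "serial": serial, "upn": upn}


def map_to_max_id(identity):
    """Step 6: match the normalized identity against the directory, never the raw DN string."""
    entry = DIRECTORY.get(identity["upn"])
    if entry is None:
        raise AuthError("no MAX ID for " + identity["upn"])
    return entry


def build_assertion(entry, now=None, lifetime_s=300):
    """Step 7: SAML 2.0 assertion with MAX ID, profile and assurance level (unsigned here)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    a = ET.Element(_q("Assertion"), Version="2.0", ID="_" + uuid.uuid4().hex, IssueInstant=ts(now))
    ET.SubElement(a, _q("Issuer")).text = ISSUER
    subj = ET.SubElement(a, _q("Subject"))
    ET.SubElement(subj, _q("NameID"), Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent").text = entry["max_id"]
    cond = ET.SubElement(a, _q("Conditions"), NotBefore=ts(now), NotOnOrAfter=ts(now + dt.timedelta(seconds=lifetime_s)))
    ET.SubElement(ET.SubElement(cond, _q("AudienceRestriction")), _q("Audience")).text = AUDIENCE
    authn = ET.SubElement(a, _q("AuthnStatement"), AuthnInstant=ts(now))
    ET.SubElement(ET.SubElement(authn, _q("AuthnContext")), _q("AuthnContextClassRef")).text = ASSURANCE_PIV
    attrs = ET.SubElement(a, _q("AttributeStatement"))
    for key in ("name", "agency"):
        ET.SubElement(ET.SubElement(attrs, _q("Attribute"), Name=key), _q("AttributeValue")).text = entry[key]
    return ET.tostring(a, encoding="unicode")


def piv_login(headers):
    """Steps 5-8: the app receives only the assertion; no certificate crosses this boundary."""
    return build_assertion(map_to_max_id(extract_identity(headers)))


def login_or_reason(headers):
    """(assertion_xml, None) on success, (None, reason) when the login is refused."""
    try:
        return piv_login(headers), None
    except AuthError as err:
        return None, str(err)


# What a relying app reads from the assertion (after verifying its signature in a real deployment).
def name_id_of(assertion_xml):
    return ET.fromstring(assertion_xml).find(".//" + _q("NameID")).text


def assurance_of(assertion_xml):
    return ET.fromstring(assertion_xml).find(".//" + _q("AuthnContextClassRef")).text
```

Calling login_or_reason(SAMPLE_REQUEST) returns the assertion; altering SSL_CLIENT_VERIFY, the serial, the issuer or the UPN in a copy of the request exercises each refusal path. The assertion carries only the MAX ID, profile attributes and the LOA URI, which is the page's point that the application never sees certificate details, and the short NotOnOrAfter plus AudienceRestriction limit replay of the unsigned assertion to one app for a few minutes.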
Douglas Glair, USPS
Federal Cloud Credential Exchange (FCCX)
Doug Glair – Manager, Digital Partnerships and Alliances – United States Postal Service
Federal Cloud Credential Exchange (FCCX) enables the NSTIC and ICAM vision of interoperable credential usage by allowing agencies to securely interact with a single "broker" to facilitate the authentication of consumers.
Market Problem (Government)
• Requires Agencies to integrate with multiple Identity Service Providers (IDPs)
• Requires IDPs to integrate with multiple Agencies
The Solution (FCCX)
• Creates a single interface between Agencies and IDPs
• Speeds up integration
• Reduces costs and complexity
NIST Levels of Assurance (LOA)
FCCX will integrate with ICAM approved IDPs across the Levels of Assurance (LOA) defined by NIST and approved via the ICAM Trust Framework Solutions. Complexity and security increase with each level.
• LOA 1: Little or no confidence in asserted identity (self-assertion). Approved IdPs: Equifax, Google, PayPal, Symantec, VeriSign, Verizon, Wave Systems, Virginia Tech
• LOA 2: Some confidence in asserted identity
• LOA 3: High confidence in asserted identity
• LOA 4: Very high confidence in asserted identity (PIV/PIV-I cards)
Approved IdPs at LOA 2 and LOA 3 (two sets on the slide): Symantec, Verizon; and Symantec, Verizon, Virginia Tech
FCCX Anticipated User Experience Flow