GFIPM Supporting all Levels of Government Toward the Holy Grail of Single Sign-on

Transcription

1 GFIPM Supporting all Levels of Government Toward the Holy Grail of Single Sign-on Presenter(s): John Ruegg, DOJ Global Security Working Group Mark Phipps, CJIS/FBI Law Enforcement Online Kevin Heald, PM-ISE GFIPM Federated ID and Single Sign-On June 15, 2011

2 Agenda What is the problem with having multiple userid/passwords? Global Federated Identity & Privilege Management (GFIPM) and Federated Single Sign-on (SSO) Federated SSO with CJIS/FBI Trusted Broker Federated SSO with RISS, LEO, Intelink-U, HSIN Sensitive But Unclassified (SBU) Portals 2

3 Multiple Identity Credentials Problem Expensive for users to acquire multiple, often different ID credentials Expensive for information systems providers to issue and maintain multiple external user organization accounts and tokens Difficult to know when external user credentials are no longer valid With so many userid/passwords to remember, users reuse simple passwords for access to multiple systems. Compromise of the simple password, compromises access to multiple systems. 3

4 What types of ID Credentials are users required to Use? Personal Identity Verification (PIV) Cards, PIV(I) Multiple Common Access Control (CAC) Cards (HSPD- 12 Federal Credential) X.509 End-user Certificates (soft token) One-Time Password Generators (RSA Secure-ID hardware) Advance Authentication Challenge/Response Questions 4

5 What types of ID Credentials are users required to Use? (continued) Biometric Readers (Fingerprint scan, retina scan) Multiple Userid/password systems US Passports, Driver License (Smart Cards) 5

6 What is Federated Identity Management? You depend on another organization to Identify their users [GFIPM Subject role/attributes] and Authenticate them before they can connect to your System. A Trusted Identity Provider (IDP) Your System relies on the Identity Information provided from the IDP to make access and authorization decisions. (relying Service Provider) (SP) IDP s and SP s have mutual technical and policy obligations to meet for participation in the Federation.

7 Justice NIEM Inside XML Inside

8 What s in the GFIPM-Metadata? (Attributes supporting Role Based Access) User Identification Info about a person who has an identity in the federation User Certifications and Memberships Can help an SP make access control decisions User Contact Information Contact info for the user, his/her supervisor, employer, etc. User Organizational Affiliations Info about the user s employment status, assignments, etc. Authorization Context Supplemental info to help a SP make access control decisions Electronic Identity Info about the user s electronic identity (type, issue date, etc.) Authentication Context Incorporates SAML 2.0 authentication context

9 Single Sign-on using Federated Identity Credentials GFIPM User Assertion Federation Identity Provider Request message Identity credentials Local Access Policy 3 2 Data Service Provider Data Requester 1 Data Request 5 Data Service Response 9

10 What is Global Federated ID & Privilege Management? (GFIPM) An authorized set of Trusted Identity Providers (IDPs) Provides Identity information via a NIEM Justice Credential to Service Providers (SPs) Performs local authentication of users and services. An authorized set of Service Providers (SPs) Relies on the authenticity of the NIEM Justice Credential Identity Information (relying Service Provider (SP) Makes access and authorization decisions based on NIEM Credential identity attributes. IDP s and SP s have mutual technical and policy obligations as specified in the GFIPM Governance Policy documentation

11 NIEF/GFIPM Federation Single Sign-On (SSO) Solution CISAnet Pennsylvania JNET CJIS FBI Trusted Broker Secured Internet (SSL/TLS (https)) LA COUNTY CCHRS RISS HSIN & HSIN (Intel) Dept. of Homeland Security STATE & LOCAL Fusion Centers 11

12 GFIPM Federation Technology Standards SSL/TLS Network Transport Protocol (https) XML Digital Signature XML Encryption Security Assertion Markup Language (SAML 2.0) SAML 2.0 Web Browser Single Sign-on Profile NIEM GFIPM Metadata 2.0 X.509 Certificates (PKI for IDP/SP) and Federation Trust File 12

13 User-to-System Use Case IDP Web Browser Connections SP 13

14 System-to-System Use Case IDP SP SERVICES 14

15 GFIPM Governance Model Representative federation governance Scope of governance is limited to ID and privilege mgmt issues and underlying inter-agency trust Governance of federation services is outside scope Formal application and onboarding processes Formal interoperability testing process Tests are done in a non-live reference federation Federation Manager agency provides support for the governance process 15

16 GFIPM Work Products

17 FICAM & Federated ID Persons Non-Persons Logical Access Physical Access

18 NIEF/BAE Pilot Use Case Authoritative Attribute Source 1 User with PIV or PIV-I Card Authoritative Attribute Source 2 GFIPM Relying Party Authoritative Attribute Source 3 Virtual/Met a Directory XML Security Gateway (BAE) Trusted Identity Broker GFIPM Relying Party State & Local Agency Attribute Service 18

19 CJIS FBI Trusted Broker/Portal Trusted Identity Broker Services (Security Token Services (STS)) IDP Software Services offered to LEA Agencies Support for Multiple ID Credential Types GFIPM SAML 2.0 Credentials Direct Access with RSA Advanced Authentication CAC/PIV/PIV(I) Card Access 19

20 TRUSTED BROKER Enterprise ID Provider AL AR W V W Y

21 ID PROVIDER FBI FED ID MGT 21

22 ID PROVIDER FBI FED ID MGT 22

23 MY PORTAL 23

24

25 PM-ISE SBU Network Interoperability Working Group Mission is to standardize and enable secure information sharing between SBU partner systems Working group under the Information Sharing & Access Interagency Policy Committee (ISA IPC) Current membership RISSNET, CJIS/LEO, Intelink-U, & HSIN Meets biweekly via telephone with goal of in-person meetings at least quarterly

26 The SBU Challenge User authenticates & searches each individual portal The user is required to remember several different username/passwords Forgotten passwords Login timeouts Fusion Center Analyst User is required to search each portal individually Search results are not aggregated Ultimately can lead to missing information and/or loss of analyst time

27 Evolution of SBU Users authenticates once and searches from their home portal Fusion Center Analyst RISSNET performs multiple searches on behalf of the user The user is required to remember one set of credentials User searches their home portal. Home portal searches other portals on behalf of the user Search results are aggregated Target portals perform authorization of end users Increase analyst efficiency and possibility of finding relevant information

28 SBU SSO Use Cases Use Case #1 User logs onto home system first, then accesses a resource on a partner system Identity Provider first model Use Case #2 User accesses the resource on the partner system before authenticating to home system Service Provider first model User Case #3 User logs into home system first, then conducts a search of resources on multiple systems (Federated Query System-to-System message exchanges) Results to which the user has access are returned Use Case #4 Combination of 1-3, however access is dynamically controlled via attributes

29 SSO and Access Control Status by of each SBU system: Trusted Broker Solution LEO RISS Key components of Trusted Broker SSO implementation: IdP Trusted Broker IdP SP 1. Identity Provider (IdP) Handles management of user identities. Specifically, the IDP authenticates users, and the provides authentication decision information to service providers. Intelink HSIN 2. Service Provider (SP) Provides services to end users after requesting authentication decisions from IDPs. SP As of March 2011 Currently Connected

30 SSO Next Steps GFIPM planning on synchronizing their SAML 2.0 profile with ICAM The current delta is minimal PM-ISE will be working with NIEF to usher them through the TFPAP process Establishment of a plan for SSO going forward Essential for interoperability between Trusted Broker and NIEF Emphasis on usability Ensure future capabilities (such as federated search and discovery) are supported by the technical approach

31 DOJ Global Resources Global Justice Reference Architecture (GRA) for Service-Oriented Architecture GRA Version 1.4, Web Services Service Interaction Profile (SIP): Global Federated ID & Privilege Management (GFIPM) Documentation, Guidelines: Flyer, demonstration report, and users conference briefing: National Information Exchange Federation (NIEF) Operational GFIPM Federation Documentation:

32 LEO Resources Program Management LEO Operations... (304) On Boarding Administration LEO Operations (304) Technical Interface Meetings (TIMS) Technical PM (304)

33 Information Sharing Environment Resources Office of Department of National Intelligence (ODNI) Information Sharing Environment (ISE)

34 QUESTIONS 34