Presentation is loading. Please wait.

Presentation is loading. Please wait.

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

Published byMadison Freeman Modified over 8 years ago

Similar presentations

Presentation on theme: "Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy."— Presentation transcript:

1 Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy The E-Authentication Initiative FED/ED XII PKI Meeting December 14, 2005

2 2 Federation Infrastructure Interoperable Technology (Communications) Determine intra-Federation communication architecture Administer common interface specifications, use cases, profiles Conduct interoperability testing ( as needed) according to the specifications Provide a common portal service (I.e., discovery and interaction services) Trust Establish common trust model Administer common identity management/authentication policies for Federation members Business Relationships Establish and administer common business rules Manage relations among relying parties and CSPs Manage compliance/dispute resolution

3 3 Government Adoption of Federated IDM  Necessary in order to meet President’s E-Gov mandates GSA is directed to provide common authentication infrastructure for all Federal E-Gov business applications and E-access control.  In 2004 GSA established the EAI Federation EAI Federation allows identity federation between multiple industry and government entities and the Federal Government GSA administers the EAI Federation EAI members include CSPs, AAs, and end users Trust framework supports multiple levels of authentication assurance Technical architecture supports multiple authentication technologies, protocols, and IDM software products and components  In 2004 GSA partnered with industry to establish the Electronic Authentication Partnership Incorporated non-profit public/private sector forum to advance and accelerate IDM federation Focuses on interoperability and trust EAP Trust Framework issued 12/04

4 4 Building the E-Authentication Federation Business & Operating Rules Operational Infrastructure Agency Applications/ Identity Credential Issuers Policy Technical Standards Completed FY 2004 Scheduled for completion Q4 FY ‘05 Scheduled for Federation membership Q1 FY ’06 and beyond

5 5 The Need for Federated Identity Trust and Business Models  Technical issues for sharing identities are being solved, but slowly  Trust is critical issue for deployment of federated identity Federated ID networks have strong need for trust assurance standards How robust are the identity verification procedures? How strong is this shared identity? How secure is the infrastructure?  Common business rules are needed for federated identity to scale N 2 bi-lateral trust relationships is not a scalable business process Common business rules are needed to define: Trust assurance and credential strength Roles, responsibilities, of IDPs and relying parties Liabilities associated with use of 3 rd party credentials Business relationship costs Privacy requirements for handling Personally Identifiable Information (PII)  Federal e-Authentication Initiative will provide trust framework to integrate (policy, technology, business relationships) across disparate and independent identity systems

6 6

7 7 Key Architecture Design Considerations  No central registry of personal information, attributes, or authorization privileges – decentralized approach means federation.  Different authentication assurance levels are needed for different types of transactions.  Architecture must support multiple authentication technologies.  Architecture must support multiple protocols.  Federal Government will not mandate a single proprietary solution, therefore, Architecture must support multiple COTS products.  Federal Government will adopt prevailing industry standards that best meet the Government’s needs.  All architecture components must interoperate with ALL other components.  Controls must protect privacy of personal information.

8 8 ©p©p CS AA x Step #1: User goes to Portal to select the AA and CS Portal AA x Step #2: The user is redirected to the selected CS with an AA identifier. The portal also cookies the user with their selected CS. Step #3: The CS authenticates the user and hands them off to the selected AA with their identity information. The CS also cookies the user as Authenticated. ©c©c Base Case AAs ECPs Users AuthZ Step #3: For Assurance levels 1 and 2, CSP will need to provide users’ common name + assurance level (at a minimum) to the AA. PII is protected in transmission through SOAP/SSL. e-Authentication Technical Interfaces – Base Case Step #1: No PII is presented to the portal, no transaction data is recorded, no system of records is maintained. Step #2: For Federal CSPs, no new PII is created. Users simply sign on using previously established processes with CSP (PIN, Password). PIN, Passwords are expressed only to CSP, not to e-Auth Portal or AA. Data/Information Flows Policy Enforcement Point

9 9 e-Authentication Architecture – Protocol Translator

10 10 Standards Convergence  SAML 1.X - Framework for exchanging security information about a principal: authentication, attributes, authorization information  Liberty ID-FF 1.X – Extend SAML 1.0, 1.1 for federation, SSO, web services Shibboleth Specification Liberty Specifications OASIS SAML 1.0, 1.1 OASIS Standard SAML 2.0

11 11 Federal Interoperability Lab  Tests interoperability of products for participation in e- Authentication architecture. Conformance testing to Fed e-Authentication Interface Specification Interoperability testing among all approved products  Currently 11 SAML 1.0 products on Approved Product List. See URL: http://cio.gov/eauthentication  Multiple protocol interoperability testing will be very complex  4/07/05 RFI for Certificate Path Discovery/Validation Service  GSA intends to continue to test architecture components for interoperability and capability to meet governmentwide use requirements

12 12 For More Information ● Visit our Websites: http://www.cio.gov/eauthenticationwww.cio.gov/eauthentication http://www.cio.gov/ficcwww.cio.gov/ficc http://www.cio.gov/fbcawww.cio.gov/fbca http://www.cio.gov/fpkipawww.cio.gov/fpkipa http://csrc.nist.gov/piv-project/ http://csrc.nist.gov/piv-project/ http://www.cio.gov/fpkisc http://www.eapartnership.org http://www.smart.gov/www.smart.gov/ ● Or contact: David Temoshok Director, Identity Policy and Management 202-208-7655 david.temoshok@gsa.gov

Download ppt "Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy."

Similar presentations

NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Identity Federation Rules and Process Linda Elliott President, PingID Network Electronic Authentication Partnership Washington, DC February 12, 2004.

Identity Federation Rules and Process Linda Elliott President, PingID Network Electronic Authentication Partnership Washington, DC February 12, 2004.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
HIMSS/GSA E-Authentication Initiative A Pilot Project of the HIMSS RHIO Federation HIMSS Public Policy Forum September 28, 2006 Mary Grizkewicz, HIMSS.

HIMSS/GSA E-Authentication Initiative A Pilot Project of the HIMSS RHIO Federation HIMSS Public Policy Forum September 28, 2006 Mary Grizkewicz, HIMSS.
The ICAR Federated Identity Model Massimiliano Pianciamore, CEFRIEL Francesco Meschia, CSI-Piemonte

The ICAR Federated Identity Model Massimiliano Pianciamore, CEFRIEL Francesco Meschia, CSI-Piemonte
U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.

U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.
Network Identity Kai Kang 27 th October 2004. Outline Introduction –Definition –Five drivers –Basic services –Roadmap Network Identity management approaches.

Network Identity Kai Kang 27 th October Outline Introduction –Definition –Five drivers –Basic services –Roadmap Network Identity management approaches.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.
Evolution of Identity Management May 15, 2008 For: CIPS Security Special Interest Group Presented by: Mike Waddingham, PMP President, Code Technology Corp.

Evolution of Identity Management May 15, 2008 For: CIPS Security Special Interest Group Presented by: Mike Waddingham, PMP President, Code Technology Corp.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
EDUCAUSE Fed/Higher ED PKI Coordination Meeting

EDUCAUSE Fed/Higher ED PKI Coordination Meeting
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
E-Authentication: Creating an Environment of Trust David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy The E-Authentication.

E-Authentication: Creating an Environment of Trust David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy The E-Authentication.
The E-Authentication Initiative: A Status Report Presented at Educause Meeting June 16, 2004 The E-Authentication Initiative.

The E-Authentication Initiative: A Status Report Presented at Educause Meeting June 16, 2004 The E-Authentication Initiative.
The E-Authentication Initiative An Overview Peter Alterman, Ph.D. Assistant CIO for e-Authentication, NIH and Chair, Federal PKI Policy Authority The E-Authentication.

The E-Authentication Initiative An Overview Peter Alterman, Ph.D. Assistant CIO for e-Authentication, NIH and Chair, Federal PKI Policy Authority The E-Authentication.
Federated Identity and Interoperability: Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide.

Federated Identity and Interoperability: Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide.
Cartes America - Secure ID: Fraud and ID Management Part 1 Track Personal Identity Verification (PIV) Case Study within the TSCP Community Keith Ward TSCP.

Cartes America - Secure ID: Fraud and ID Management Part 1 Track Personal Identity Verification (PIV) Case Study within the TSCP Community Keith Ward TSCP.

Similar presentations

Ads by Google