Externalizing Authentication. Federal ICAM Day, June 18, 2013. Panel: Phil Wenger (OMB), Douglas Glair (USPS), Anil John (GSA, moderator).
Slide 1
Externalizing Authentication
Federal ICAM Day
June 18, 2013

Slide 2: Panel Participants
Phil Wenger, OMB
Douglas Glair, USPS
Anil John, GSA (Moderator)
Slide 3
Phil Wenger, OMB

Slide 4
Externalizing Authentication using MAX Authentication as a Service (AaaS)
Phil Wenger, OMB
June 2013
ICAM Information Sharing Day and Vendor Expo
Slide 5: Key Takeaways
- Understand the MAX ecosystem
- Understand how agencies can externalize authentication using MAX's shared credentialing, provisioning, authentication, and authorization services

Slide 6: MAX.gov, a Complete Cloud Services Platform
Enabling the "Shared First" and "Cloud First" eGov policies
Slide 7: MAX AaaS provides Government-wide ID
Scope tiers shown in the diagram:
- Intra-agency
- Inter-agency / Government-to-Government (policymaking, management and budget class of activities)
- State, local, international, and non-governmental partners
- The public
Notes:
- Available for use by agencies for both cross-government and intra-agency activities
- User accounts available for interactions with non-governmental partners in secure enclaves
- Plus state, local, international, and non-governmental partner users
Slide 8: What MAX AaaS Provides to Agencies

Slide 9: MAX AaaS Solution Benefits

Slide 10: MAX AaaS Scope
Federal, state, local, international, and non-government partner users
Slide 11: MAX AaaS Multiple Login Methods
- Web services that support HSPD-12 and ICAM
- SAML 2.0 Web Browser SSO Profile: http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf
- Can be mapped to your agency ID
- PIV validation and mapping service: full path building, validation, revocation checking; identity data extraction and normalization
- Federate your agency Active Directory or SAML 2.0 instances
- Choose between single-factor, dual-factor, or federated login
Slide 12: How Agencies Have Externalized Authentication using MAX AaaS Today
- IT Dashboard, Data.Gov, Performance.Gov
- DOJ CyberScope
- BFEM
- MAX A11, Apportionment
- Adobe Connect online meetings
- Wordpress
- Drupal
- Active Directory
Slide 13: MAX Authentication as a Service (AaaS), sponsored by the Budget Formulation and Execution Line of Business (BFELoB)
BFELoB Organization and Contacts:
- Executive Sponsor: Courtney Timberlake, Assistant Dir. for Budget, OMB
- Managing Partner: Tom Skelly, Director of Budget Service, Education
- Policy Lead: Andy Schoenbach, Chief, Budget Systems Branch, OMB
- Deputy Policy Lead: Phil Wenger, Budget Systems Branch, OMB
- Program Management Office Lead: Mark Dronfield, Education
- MAX Authentication Lead: Barry Napear, Budget Systems Branch, OMB
- MAX Architect: Shahid Shah, Budget Systems Branch (CTR), OMB
Learn more about the Budget LoB: www.BudgetLoB.gov
Visit MAX.gov: www.max.gov
Contact the Budget LoB: BudgetLoB@Ed.gov
Contact MAX Support: 202 395-6860
Slide 14: Background Slides

Slide 15: MAX AaaS: Full Featured Identity Services

Slide 16: Self Service User Provisioning Process
Less than 5 minutes to get an account for "trusted domains"

Slide 17: Self or Managed Authorization Process

Slide 18: MAX Identity Management (IDM) Services (Enhanced)
Provides APIs for MAX identities, profiles, groups, and authorization data
Slide 19: MAX PIV Validation (PV) Services
PKIF: The PKI Framework
Provides APIs for PIV/PIV-I/CAC validation and identity data extraction
"Public" service available: https://pv.test.max.gov/

Slide 20: MAX PIV-to-SAML Translation Services
Performs PIV validation, maps to MAX ID, then translates to SAML
Apps do not need to be aware of PIV validation details (they are given the assurance level as part of the SAML assertion)

Slide 21: Agency AD/LDAP Integration (Federation)
Supports ICAM SAML 2.0 Web Browser SSO Profile: http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf
Slide 22: MAX HSPD-12 Authentication Process
Diagram components: Internet, browser with HSPD-12 certificate, SSL/TLS, Apache Proxy, CAS, Identities Directory, Apps
1. User connects to MAX and receives the login page
2. User enters user/pass or inserts HSPD-12 card into reader and selects PIV login
3. For HSPD-12 login, the browser establishes a TLS connection to the Proxy, and the Proxy requests a certificate
4. Browser extracts the certificate from the card and forwards it to the Proxy
5. Proxy forwards the certificate to CAS
6. CAS matches the certificate against the Identities Directory
7. CAS extracts the MAX ID and user profile information and prepares a SAML assertion
8. CAS "forwards" the SAML assertion to the application requesting authentication (no certificates are exchanged)
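The CAS side of steps 5 through 8 above, as an added Python example that is not from the presentation or from MAX itself: the certificate fields forwarded by the Proxy are matched against a constructed Identities Directory, expired or unregistered certificates are rejected, and the application receives only a SAML assertion carrying the MAX ID and an assurance identifier. The directory entries, issuer name, assurance URN and audience are all constructed placeholders, not real MAX values.

```python
"""Constructed model of steps 5-8 of the MAX HSPD-12 flow: Proxy -> CAS -> SAML assertion to app."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
# Assumed assurance identifier for a PIV login; the real MAX value is not on the slide.
PIV_ASSURANCE = "urn:example:assurance:piv"
TS = "%Y-%m-%dT%H:%M:%SZ"

@dataclass(frozen=True)
class ClientCert:  # fields the Proxy forwards after TLS client authentication (step 5)
    issuer: str
    serial: str
    subject: str
    not_after: datetime

# Constructed Identities Directory: (issuer, serial) -> MAX ID and profile.
IDENTITIES = {("CN=Example PIV CA", "1A2B"):
              {"max_id": "jdoe", "email": "jdoe@agency.example", "agency": "OMB"}}

def match_certificate(cert, now):
    """Step 6: reject expired or unregistered certificates, otherwise return the profile."""
    if cert.not_after <= now:
        raise PermissionError("certificate expired")
    profile = IDENTITIES.get((cert.issuer, cert.serial))
    if profile is None:
        raise PermissionError("certificate not bound to a MAX identity")
    return profile

def build_assertion(profile, audience, now):
    """Step 7: the assertion carries MAX ID, audience, a 5-minute lifetime and the assurance level."""
    q = lambda tag: f"{{{SAML}}}{tag}"
    a = ET.Element(q("Assertion"), Version="2.0", ID="_demo", IssueInstant=now.strftime(TS))
    ET.SubElement(a, q("Issuer")).text = "urn:example:max-cas"  # hypothetical issuer name
    ET.SubElement(ET.SubElement(a, q("Subject")), q("NameID")).text = profile["max_id"]
    cond = ET.SubElement(a, q("Conditions"), NotBefore=now.strftime(TS),
                         NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TS))
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = audience
    stmt = ET.SubElement(a, q("AuthnStatement"), AuthnInstant=now.strftime(TS))
    ET.SubElement(ET.SubElement(stmt, q("AuthnContext")), q("AuthnContextClassRef")).text = PIV_ASSURANCE
    return ET.tostring(a, encoding="unicode")

SAMPLE_NOW = datetime(2013, 6, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERT = ClientCert("CN=Example PIV CA", "1A2B", "CN=Jane Doe", SAMPLE_NOW + timedelta(days=365))

def demo(cert=SAMPLE_CERT, audience="urn:example:it-dashboard", now=SAMPLE_NOW):
    """Step 8: the XML the application receives; note it contains no certificate material."""
    return build_assertion(match_certificate(cert, now), audience, now)
```

In a real deployment the assertion would also be signed by CAS and the audience, lifetime and assurance checked by the relying application before it trusts the NameID.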
Slide 23
Douglas Glair, USPS

Slide 24: Federal Cloud Credential Exchange (FCCX)
Doug Glair, Manager, Digital Partnerships and Alliances, United States Postal Service

Slide 25
Market Problem (Government):
- Requires agencies to integrate with multiple Identity Service Providers (IDPs)
- Requires IDPs to integrate with multiple agencies
The Solution (FCCX):
- Federal Cloud Credential Exchange (FCCX) enables the NSTIC and ICAM vision of interoperable credential usage by allowing agencies to securely interact with a single "broker" to facilitate the authentication of consumers
- Creates a single interface between agencies and IDPs
- Speeds up integration
- Reduces costs and complexity
Slide 26: NIST Levels of Assurance (LOA)
FCCX will integrate with ICAM-approved IDPs across the Levels of Assurance (LOA) defined by NIST and approved via the ICAM Trust Framework Solutions (diagram axis: Complexity & Security).
- LOA 1: Little or no confidence in asserted identity (self-assertion). Approved IdPs: Equifax, Google, PayPal, Symantec, VeriSign, Verizon, Wave Systems, Virginia Tech
- LOA 2: Some confidence in asserted identity. Approved IdPs: Symantec, Verizon, Virginia Tech
- LOA 3: High confidence in asserted identity. Approved IdPs: Symantec, Verizon
- LOA 4: Very high confidence in asserted identity. Approved IdPs: PIV/PIV-I cards

Slide 27: FCCX Anticipated User Experience Flow