Externalizing Authentication - PowerPoint Presentation
Federal ICAM Day, June 18 2013. Panel participants: Phil Wenger (OMB), Douglas Glair (USPS), Anil John (GSA, moderator). Phil Wenger, OMB: Externalizing Authentication using MAX Authentication as a Service.

Presentation Transcript

Slide1

Externalizing Authentication

Federal ICAM Day

June 18, 2013

Slide2

Panel Participants

Phil Wenger, OMB
Douglas Glair, USPS
Anil John, GSA (Moderator)

Slide3

Phil Wenger, OMB

Slide4

Externalizing Authentication using MAX Authentication as a Service (AaaS)

Phil Wenger, OMB

June 2013

ICAM Information Sharing Day and Vendor Expo

Slide5

Key Takeaways

Understand the MAX Ecosystem

Understand how agencies can externalize authentication using MAX’s Shared Credentialing, Provisioning, Authentication, and Authorization Services

Slide6

MAX.gov - A Complete Cloud Services Platform

Enabling the “Shared First” and “Cloud First” eGov Policies

Slide7

MAX AaaS provides Government-wide ID

Diagram labels: Inter-agency / Government-to-Government; Intra-agency; Policymaking, Management and Budget class of activities; State, Local, International, and Non-Governmental Partners; The Public

Available for use by agencies for both cross-government and intra-agency activities

User accounts available for interactions with non-governmental partners in secure Enclaves

Plus state, local, international, & non-governmental partner users

Slide8

What MAX AaaS Provides to Agencies

Slide9

MAX AaaS Solution Benefits

Slide10

MAX AaaS - Scope

Federal, State, Local, International, and Non-government partner users

Slide11

MAX AaaS – Multiple Login Methods

Web Services that support HSPD-12 and ICAM

SAML 2.0 Web Browser SSO Profile: http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf

Can be mapped to your agency ID

PIV validation and mapping service: full path building, validation, revocation checking; identity data extraction and normalization

Federate your agency Active Directory or SAML 2.0 instances

Choose between single-factor, dual-factor, or federated login

Slide12

How Agencies have Externalized Authentication using MAX AaaS Today

IT Dashboard, Data.Gov, Performance.Gov
DOJ CyberScope
BFEM
MAX A11, Apportionment
Adobe Connect Online Meetings
Wordpress
Drupal
Active Directory

Slide13

MAX Authentication as a Service (AaaS)
Sponsored by the Budget Formulation and Execution Line of Business (BFELoB)

BFELoB Organization and Contacts:

Executive Sponsor: Courtney Timberlake, Assistant Dir. for Budget, OMB
Managing Partner: Tom Skelly, Director of Budget Service, Education
Policy Lead: Andy Schoenbach, Chief, Budget Systems Branch, OMB
Deputy Policy Lead: Phil Wenger, Budget Systems Branch, OMB
Program Management Office Lead: Mark Dronfield, Education
MAX Authentication Lead: Barry Napear, Budget Systems Branch, OMB
MAX Architect: Shahid Shah, Budget Systems Branch (CTR), OMB

Learn More about the Budget LoB: www.BudgetLoB.gov
Visit MAX.gov: www.max.gov
Contact the Budget LoB: BudgetLoB@Ed.gov
Contact MAX Support: 202 395-6860

Slide14

Background Slides

Slide15

MAX AaaS: Full featured identity services

Slide16

Self Service User Provisioning Process

Less than 5 minutes to get an account for “trusted domains”

Slide17

Self or Managed Authorization Process

Slide18

MAX Identity Management (IDM) Services (Enhanced)

Provides APIs for MAX Identities, Profiles, Groups, and Authorization data

Slide19

MAX PIV Validation (PV) Services

PKIF: The PKI Framework

Provides APIs for PIV/PIV-I/CAC validation and identity data extraction

“Public” service available: https://pv.test.max.gov/

Slide20

MAX PIV-to-SAML Translation Services

Performs PIV validation, maps to MAX ID, then translates to SAML

Apps do not need to be aware of PIV validation details (they are given assurance level as part of SAML assertion)

Slide21

Agency AD/LDAP Integration (Federation)

Supports ICAM SAML 2.0 Web Browser SSO Profile: http://www.idmanagement.gov/documents/SAML20_Web_SSO_Profile.pdf

Slide22

MAX HSPD-12 Authentication Process

Diagram elements: Internet, SSL/TLS, Apache Proxy, Authenticate, Identities Directory, Apps, HSPD-12 Certificate

1. User connects to MAX and receives Login Page
2. User enters user/pass or inserts HSPD-12 card into reader and selects PIV login
3. For HSPD-12 login, browser establishes a TLS connection to Proxy, and Proxy requests a certificate
4. Browser extracts certificate from card and forwards it to Proxy
5. Proxy forwards certificate to CAS
6. CAS matches certificate against Identities Directory
7. CAS extracts MAX ID and user profile information and prepares a SAML assertion
8. CAS "forwards" the SAML assertion to the application requesting authentication (no certificates are exchanged)
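Steps 5 to 7 above (proxy forwards the certificate, CAS matches it against the Identities Directory, CAS extracts the MAX ID) compress the work slide 11 lists for the PIV validation service: path building, validation and revocation checking must all succeed before any directory lookup. The Go program below is an added example written for this page, not MAX or PKIF code. It uses only the Go standard library and builds a throwaway test PKI and CRL (constructed for the example, not Federal PKI material); the Validator type, its field names, the MAX ID values and the "JANE DOE" / "JOHN ROE" / "Rogue CA" certificates are all this example's own assumptions. It shows what a service in the CAS position must check before trusting the certificate the proxy hands over: a valid path to a trusted anchor with the clientAuth extended key usage, a fresh and correctly signed CRL from the leaf's issuer, no revocation entry for the serial, and a directory binding keyed on issuer plus serial rather than on the subject name.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validator is this example's model of the check a CAS-style service runs on a
// PIV Authentication certificate before mapping it to an account (field names are ours).
type Validator struct {
	Roots         *x509.CertPool       // trust anchor(s)
	Intermediates *x509.CertPool       // issuing CAs available for path building
	CRL           *x509.RevocationList // current CRL of the leaf's issuer
	CRLIssuer     *x509.Certificate    // certificate that must have signed that CRL
	Directory     map[string]string    // identity key -> MAX ID (constructed sample)
}

// identityKey binds a certificate by issuer DN plus serial number (the binding AD's
// altSecurityIdentities uses); the subject alone is not unique across issuers.
func identityKey(c *x509.Certificate) string {
	return c.Issuer.String() + "|" + c.SerialNumber.Text(16)
}

// Validate builds and validates the path for client authentication, checks the
// issuer's CRL, then looks the certificate up in the directory. Any failure rejects.
func (v *Validator) Validate(leaf *x509.Certificate, now time.Time) (string, error) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: v.Roots, Intermediates: v.Intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", fmt.Errorf("path validation failed: %w", err)
	}
	// Fail closed: the CRL must be the leaf issuer's, correctly signed, and not stale.
	if !bytes.Equal(v.CRL.RawIssuer, leaf.RawIssuer) ||
		v.CRL.CheckSignatureFrom(v.CRLIssuer) != nil || now.After(v.CRL.NextUpdate) {
		return "", fmt.Errorf("CRL unusable (wrong issuer, bad signature or stale)")
	}
	for _, rc := range v.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "", fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	id, ok := v.Directory[identityKey(leaf)]
	if !ok {
		return "", fmt.Errorf("valid certificate but no directory mapping for %q", leaf.Subject.CommonName)
	}
	return id, nil
}

var serial int64 // distinct serial numbers for the throwaway test PKI

// issue creates a throwaway certificate (self-signed when parent is nil). Real PIV
// certificates come from the Federal PKI, not from code like this.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemo constructs the sample PKI (root, issuing CA, a good PIV-like certificate, a
// revoked one, one from an untrusted CA), the issuer's CRL and a sample directory.
func BuildDemo() (*Validator, *x509.Certificate, *x509.Certificate, *x509.Certificate, time.Time) {
	now := time.Date(2013, 6, 18, 12, 0, 0, 0, time.UTC)
	root, rootKey := issue("Test Root CA", true, nil, nil, now)
	ica, icaKey := issue("Test Issuing CA", true, root, rootKey, now)
	good, _ := issue("JANE DOE", false, ica, icaKey, now)
	revoked, _ := issue("JOHN ROE", false, ica, icaKey, now)
	rogue, rogueKey := issue("Rogue CA", true, nil, nil, now)
	untrusted, _ := issue("JANE DOE", false, rogue, rogueKey, now) // same subject, wrong issuer
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ica, icaKey)
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		panic(err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ica)
	dir := map[string]string{identityKey(good): "max-user-001", identityKey(revoked): "max-user-002"}
	return &Validator{Roots: roots, Intermediates: inters, CRL: crl, CRLIssuer: ica, Directory: dir}, good, revoked, untrusted, now
}
```

The untrusted case is the one worth studying: a certificate with the same subject "JANE DOE" from an unknown CA fails path validation and also produces a different identity key, so a directory keyed on subject CN alone would be the wrong design. The CRL check fails closed; a production service would take the issuer from the verified chain rather than a fixed field, and would apply the same staleness rule to OCSP responses or a CRL cache.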

Slide23

Douglas Glair, USPS

Slide24

Doug Glair – Manager, Digital Partnerships and Alliances – United States Postal Service

Federal Cloud Credential Exchange (FCCX)

Slide25

Market Problem (Government):
Requires Agencies to integrate with multiple Identity Service Providers (IDPs)
Requires IDPs to integrate with multiple Agencies

The Solution (FCCX):
Federal Cloud Credential Exchange (FCCX) enables the NSTIC and ICAM vision of interoperable credential usage by allowing agencies to securely interact with a single “broker” to facilitate the authentication of consumers
Creates a single interface between Agencies and IDPs
Speeds up integration
Reduces costs and complexity

Slide26

NIST Levels of Assurance (LOA)

LOA 1: Little or no confidence in asserted identity (self-assertion). Approved IdPs: Equifax, Google, PayPal, Symantec, VeriSign, Verizon, Wave Systems, Virginia Tech

LOA 2: Some confidence in asserted identity. Approved IdPs: Symantec, Verizon, Virginia Tech

LOA 3: High confidence in asserted identity. Approved IdPs: Symantec, Verizon

LOA 4: Very high confidence in asserted identity. Approved IdPs: PIV/PIV-I Cards

Diagram axis label: Complexity & Security

FCCX will integrate with ICAM approved IDPs across the Levels of Assurance (LOA) defined by NIST and approved via the ICAM Trust Framework Solutions

Slide27

FCCX Anticipated User Experience Flow
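Slide 20 says applications receive the assurance level inside the SAML assertion, and slide 26 lists the NIST LOA levels FCCX brokers; the user-experience flow ends with the agency application consuming such an assertion. What the application must still do with it is not shown on the slides. The Go program below is an added example for this page, not MAX, FCCX or ICAM profile code. It assumes the XML signature on the assertion has already been verified by the SAML stack, that AuthnContextClassRef values take the ICAM profile's form http://idmanagement.gov/ns/assurance/loa/N (check this against the profile document linked on slide 21), and the entity IDs https://broker.example.gov and https://app.example.gov, the Policy type and the sample assertions are constructed for the example. It shows the relying-party checks that remain after signature verification: trusted issuer, validity window with clock-skew tolerance, audience restriction, and a minimum LOA, with unknown contexts mapped to LOA 0 so they can never satisfy a requirement.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
	"time"
)

// Assertion models only the parts of a SAML 2.0 assertion the policy check
// needs. It assumes the enclosing XML signature has already been verified.
type Assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID      string   `xml:"ID,attr"`
	Issuer  string   `xml:"Issuer"`
	Subject struct {
		NameID string `xml:"NameID"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	AuthnStatement struct {
		ClassRef string `xml:"AuthnContext>AuthnContextClassRef"`
	} `xml:"AuthnStatement"`
}

// Policy is the relying party's acceptance rule (field names are this example's).
type Policy struct {
	TrustedIssuers map[string]bool // entity IDs of the broker/IdPs whose signing keys we hold
	EntityID       string          // our own SP entity ID, expected in <Audience>
	MinLOA         int             // lowest NIST LOA this application accepts
	ClockSkew      time.Duration   // tolerance for IdP/SP clock drift
}

// loaFromClassRef maps the ICAM profile's assurance URIs
// (http://idmanagement.gov/ns/assurance/loa/N, assumed form) to a numeric LOA.
// Anything else, including the generic OASIS contexts, is LOA 0 so it never passes.
func loaFromClassRef(ref string) int {
	rest := strings.TrimPrefix(ref, "http://idmanagement.gov/ns/assurance/loa/")
	if rest != ref && len(rest) == 1 && rest[0] >= '1' && rest[0] <= '4' {
		return int(rest[0] - '0')
	}
	return 0
}

// Accept returns the asserted identity and its LOA, or an error naming the
// check that failed. Every condition rejects by default.
func (p Policy) Accept(raw []byte, now time.Time) (string, int, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", 0, fmt.Errorf("malformed assertion: %w", err)
	}
	if !p.TrustedIssuers[a.Issuer] {
		return "", 0, fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", 0, fmt.Errorf("missing or unparsable validity window")
	}
	if now.Add(p.ClockSkew).Before(nb) || !now.Add(-p.ClockSkew).Before(noa) {
		return "", 0, fmt.Errorf("assertion %s outside its validity window", a.ID)
	}
	audienceOK := false
	for _, aud := range a.Conditions.Audiences {
		audienceOK = audienceOK || aud == p.EntityID
	}
	if !audienceOK {
		return "", 0, fmt.Errorf("assertion not addressed to %s", p.EntityID)
	}
	loa := loaFromClassRef(a.AuthnStatement.ClassRef)
	if loa < p.MinLOA {
		return "", 0, fmt.Errorf("LOA %d below required LOA %d", loa, p.MinLOA)
	}
	if a.Subject.NameID == "" {
		return "", 0, fmt.Errorf("assertion carries no subject")
	}
	return a.Subject.NameID, loa, nil
}

// SampleAssertion builds a constructed, unsigned test assertion (not a real MAX
// or FCCX message) so the policy can be exercised offline.
func SampleAssertion(issuer, nameID, notOnOrAfter, audience, classRef string) []byte {
	return []byte(fmt.Sprintf(`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2013-06-18T12:00:00Z">
  <saml:Issuer>%s</saml:Issuer>
  <saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-06-18T11:59:00Z" NotOnOrAfter="%s">
    <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-06-18T12:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>`, issuer, nameID, notOnOrAfter, audience, classRef))
}
```

Two checks the example leaves to the SAML library belong in the same fail-closed path: replay protection (record the assertion ID and reject a second presentation before NotOnOrAfter) and matching InResponseTo to the request the application issued. The LOA floor is the point slide 20 makes from the application's side: an LOA 1 credential from a self-asserted IdP reaches the application through the same broker as a PIV-derived LOA 3 or 4 assertion, so the application, not the broker, has to enforce what it requires.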