GFIPM Enabling Federated Identity and Single Sign-on
John Ruegg
LA County Information Systems Advisory Body
June 11, 2014


What is Federated Identity?

• You trust an external partner organization to vet their users, issue local authentication tokens, assert user/system identities and privilege attributes, and locally authenticate their users BEFORE they can be granted access to your system. This is a Trusted Identity Provider (IdP), aka Claims Provider.

• Your system relies on the identity credentials provided by the IdP to make access and authorization decisions. This is a Service Provider (SP), aka Relying Party.

• IdPs and SPs have mutual technical and policy obligations to meet for participation in the Identity Federation.


(Slide callouts: "Justice XML Inside", "GFIPM Attributes Inside")


Basic Concepts of GFIPM

(Diagram: a Data Requester, a Federation Identity Provider, and a Data Service Provider fronted by a Policy Enforcement Point. The numbered exchange is:)

1. Data Request: the Data Requester asks the Data Service Provider for data and is intercepted by the Policy Enforcement Point.
2. Assertion Authentication Request: the Policy Enforcement Point sends the requester to the Federation Identity Provider.
3. Local Authentication: the requester authenticates to the Identity Provider with its local AuthID.
4. Assertion Authentication Response: the Identity Provider returns a GFIPM User Assertion (the Global FIPM User Assertion).
5. Data Service Response: the Policy Enforcement Point evaluates its Local Access Policy against the asserted attributes and, if permitted, returns the data.


Federation Terminology

• A Trusted Identity Provider (IdP) or Claims Provider
– Vets and ID-proofs users, authenticates users, issues Federated ID credentials, maintains user identity and privilege attributes

• Service Provider (SP) or Relying Party
– Consumes Federated IDs and asserted attributes from IdPs and Attribute Authorities to make authorization decisions

• Attributes – Identification and Privilege Data Tags
– Example: a DMV-issued Driver's License card lists identification attributes such as Name, Sex, DOB, Address, with driving privilege attributes such as Commercial Truck license, Motorcycle license
– GFIPM has a dictionary of defined Identity and Privilege Attributes

• Digitally Signed "Trust File" – contains the names, attributes, and certificates of each IdP and SP, which make up the set of Federation members (note: this is a SAML metadata file)


Service Providers (SPs) Control Their Access Policy Rules

SERVICE: TX Criminal Law Enforcement Reporting and Information System (CLERIS)

ACCESS POLICY (all of the following must hold):
– Sworn Law Enforcement Officer asserted
– Criminal Investigative Search Privilege asserted OR (Criminal Intel Search Privilege asserted AND 28 CFR Certification asserted)
– Identity Proofing Assurance asserted and = NIST 4
– Electronic Identity Assurance asserted and ≥ NIST 3
– Audit attributes provided*

*First Name, Last Name, Phone Number, User Federation ID, Organization Name, Identity Provider, Email Address
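The CLERIS policy above, written as the decision function an SP's Policy Enforcement Point would call. This is an added example, not code from the presentation, from CLERIS or from the GFIPM project; the attribute keys are hypothetical stand-ins for the GFIPM dictionary names, the sample users are constructed, and reading the slide's lines as a conjunction (every line must hold) is the editor's interpretation. The points worth noting are that missing or malformed attributes fail closed, and that every failed condition is reported so the denial can be audited.

```python
# Added example (editor's code, not the presentation's or any vendor's):
# the CLERIS access policy as a fail-closed decision function.
# Attribute keys are HYPOTHETICAL stand-ins for GFIPM attribute names.

# The audit attributes the policy requires, in the order the slide lists them.
AUDIT_ATTRIBUTES = ("GivenName", "SurName", "TelephoneNumber", "FederationId",
                    "EmployerName", "IdentityProviderId", "EmailAddressText")


def _flag(attrs, name):
    """Boolean privilege attribute: only the literal 'true' counts.  A missing,
    empty or odd value ('yes', '1') is treated as NOT asserted (fail closed)."""
    return str(attrs.get(name, "")).strip().lower() == "true"


def _nist_level(attrs, name):
    """'NIST3' -> 3.  Anything else -> 0, so an absent or malformed level can
    never satisfy an equality or >= test."""
    v = str(attrs.get(name, "")).strip().upper()
    return int(v[4:]) if v.startswith("NIST") and v[4:].isdigit() else 0


def cleris_access(attrs):
    """Return (permit, reasons).  reasons lists EVERY failed condition rather
    than stopping at the first, so the audit log explains the denial."""
    reasons = []
    if not _flag(attrs, "SwornLawEnforcementOfficerIndicator"):
        reasons.append("not a sworn law enforcement officer")
    if not (_flag(attrs, "CriminalInvestigativeDataSearchIndicator") or
            (_flag(attrs, "CriminalIntelligenceDataSearchIndicator") and
             _flag(attrs, "28CFRCertificationIndicator"))):
        reasons.append("no qualifying search privilege")
    if _nist_level(attrs, "IdentityProofingAssuranceLevelCode") != 4:
        reasons.append("identity proofing assurance is not NIST level 4")
    if _nist_level(attrs, "ElectronicIdentityAssuranceLevelCode") < 3:
        reasons.append("electronic identity assurance below NIST level 3")
    missing = [a for a in AUDIT_ATTRIBUTES if not str(attrs.get(a, "")).strip()]
    if missing:
        reasons.append("audit attributes missing: " + ", ".join(missing))
    return not reasons, reasons


# Constructed sample users (not real records).
OFFICER = {
    "SwornLawEnforcementOfficerIndicator": "true",
    "CriminalInvestigativeDataSearchIndicator": "true",
    "IdentityProofingAssuranceLevelCode": "NIST4",
    "ElectronicIdentityAssuranceLevelCode": "NIST3",
    "GivenName": "Jane", "SurName": "Doe", "TelephoneNumber": "+1-213-555-0100",
    "FederationId": "IDP:LACOUNTY:jdoe", "EmployerName": "LA County",
    "IdentityProviderId": "LACOUNTY", "EmailAddressText": "jdoe@example.gov",
}
# Intel analyst: qualifies via the intel + 28 CFR branch, but only EAL 2.
ANALYST = dict(OFFICER, CriminalInvestigativeDataSearchIndicator="false",
               CriminalIntelligenceDataSearchIndicator="true",
               ElectronicIdentityAssuranceLevelCode="NIST2",
               **{"28CFRCertificationIndicator": "true"})
```

Call `cleris_access(OFFICER)` for a permit and `cleris_access(ANALYST)` for a denial whose single reason is the assurance level; an empty attribute dictionary is denied on every condition, which is the behaviour you want when an IdP's attribute statement arrives incomplete.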


Summary of Identity Federation Components

1. A process for establishing trust of electronic credentials and attributes issued by external partner or third-party organizations

2. Conformance to one or more technical Federation Standard(s) for conveying Federated IDs and attributes to one or more Service Providers (Relying Parties) (e.g. SAML Single Sign-on for Web Browsers)

3. Utilization of a common vocabulary of Identity and Privilege Attributes for assertion by IdPs (e.g. GFIPM metadata)

4. Service Providers (Relying Parties) defining the attributes they require to make access control decisions to their resource(s)


What is NIEF? National Information Exchange Federation (NIEF)

• NIEF is an instance of the GFIPM Technical and Policy Standards and Guidance
• An authorized set of Trusted Identity Providers (IdPs)
• An authorized set of Service Providers (SPs)
• IdPs and SPs have mutual technical and policy obligations as specified in the GFIPM Governance Policy Documentation
• All IdPs and SPs must undergo the NIEF formal onboarding process


Formal Onboarding Test Suite


3.4 Passed All Technical Interoperability Tests for Identity Provider (IDP)?

- All interoperability tests are to be conducted in the GFIPM Reference Federation.
- Use "PASSED" or "FAILED" for status. Also indicate the test date. Use "N/A" if not applicable.
- See Section 6 of the GFIPM Web Browser User-to-System Profile: http://it.ojp.gov/docdownloader.aspx?ddid=1336
- Note: IDPs are not required to be Internet accessible, so many of these tests may not be independently verifiable.

3.4.1 IDP is accessible via HTTPS (HTTP over TLS) only, NOT unencrypted HTTP.
The profile requires TLS 1.0, but in practice a newer TLS version is acceptable if the IDP operator's (IDPO's) local security policy requires it. (TLS 1.0 and 1.1 have since been deprecated by RFC 8996; a current deployment should require TLS 1.2 or later.)

3.4.2 IDP's TLS certificate is signed by a well-known CA. This is necessary for usability: if not, security warnings will appear in users' browsers. (The SAML signing certificate that SPs trust is a separate matter; it is distributed in the signed trust file.)

3.4.3 IDP accepts AuthnRequests via the SAML HTTP POST or SAML HTTP Redirect binding. This is necessary to support "SP-initiated" SSO.

3.4.4 IDP properly signs SAML SSO responses.

3.4.5 IDP properly signs SAML assertions.

3.4.6 IDP properly encrypts SAML assertions.

3.4.7 IDP properly uses SAML RelayState when posting SAML responses to SPs.
- For solicited responses, this requires copying the RelayState as-is from the corresponding AuthnRequest.
- For unsolicited responses, this is the destination URL at the SP.

3.4.8 IDP uses appropriate SAML NameID formats. It must use the NameID format requested in the AuthnRequest, OR the format specified in SAML Metadata (trust fabric), OR default to one of the SAML SSO profile's required formats.

3.4.9 IDP includes a SAML attribute statement in its SAML assertions. Rules pertaining to individual attributes in the attribute statement are enumerated below.

3.4.10 IDP asserts ALL of NIEF's "mandatory" attributes.
- See the GFIPM Metadata 2.0 NIEF Profile for the mandatory attributes (available for download on the NIEF Portal).
- Attribute names and attribute name types (the SAML NameFormat) must BOTH be correct.

3.4.11 IDP asserts most or all of NIEF's "recommended" attributes.
- See the GFIPM Metadata 2.0 NIEF Profile for the recommended attributes (available for download on the NIEF Portal).
- Enumerate all recommended attributes that are NOT asserted by the IDP.
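Most of tests 3.4.4 through 3.4.10 are things the Service Provider side of the "Basic Concepts" flow (steps 2 and 4) has to check on every response anyway, not only during onboarding. The following is an added example written for this page, not code from the presentation, from GFIPM/NIEF or from any SAML product: it parses a SAML 2.0 Response and reports every structural failure. It deliberately does not verify the XML signatures or decrypt an EncryptedAssertion; run it after a SAML library (for example python3-saml on top of xmlsec) has done the cryptography, and treat its output as the interoperability checklist. The sample Response is constructed, its `ds:Signature` elements are placeholders, and the `gfipm:2.0:user:*` attribute names and the "mandatory" set are assumptions for illustration; consult the GFIPM Metadata 2.0 NIEF Profile for the real list.

```python
# Added example (editor's code, not from the presentation or GFIPM/NIEF): the
# structural checks an SP runs on an IdP's SAML 2.0 Response, mirroring
# onboarding tests 3.4.4-3.4.10 and steps 2/4 of the page-4 flow.
# Cryptographic signature verification and decryption are NOT done here.
# Attribute names and the mandatory set are ASSUMPTIONS for illustration.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ALLOWED_NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                          "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"}
MANDATORY_ATTRIBUTES = {"gfipm:2.0:user:FederationId", "gfipm:2.0:user:GivenName",
                        "gfipm:2.0:user:SurName", "gfipm:2.0:user:EmailAddressText"}


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_response(xml_text, outstanding, relay_state, sp_entity_id, acs_url, now=None):
    """Return (ok, findings, attributes).  outstanding maps the AuthnRequest IDs
    this SP issued (flow step 2) to the RelayState sent with each; relay_state
    is the value that came back with the POST (flow step 4)."""
    now = now or datetime.now(timezone.utc)
    findings, attrs = [], {}
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["not a samlp:Response"], attrs
    req_id = root.get("InResponseTo")
    if req_id not in outstanding:
        findings.append("InResponseTo does not match an outstanding AuthnRequest")
    elif outstanding[req_id] != relay_state:                      # test 3.4.7
        findings.append("RelayState was not echoed back unchanged")
    if root.get("Destination") != acs_url:
        findings.append("Destination is not this SP's ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    if root.find("ds:Signature", NS) is None:                     # test 3.4.4
        findings.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:                                         # test 3.4.6
        findings.append("assertion still encrypted; decrypt first"
                        if root.find("saml:EncryptedAssertion", NS) is not None
                        else "no Assertion in Response")
        return False, findings, attrs
    if assertion.find("ds:Signature", NS) is None:                # test 3.4.5
        findings.append("Assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") not in ALLOWED_NAMEID_FORMATS:  # 3.4.8
        findings.append("NameID missing or uses an unexpected Format")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter") or _iso(cond.get("NotOnOrAfter")) <= now:
        findings.append("Conditions missing or assertion expired")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append("this SP is not in the AudienceRestriction")
    stmt = assertion.find("saml:AttributeStatement", NS)
    if stmt is None:                                              # test 3.4.9
        findings.append("no AttributeStatement")
        return False, findings, attrs
    for attr in stmt.findall("saml:Attribute", NS):
        if attr.get("NameFormat") != URI_FORMAT:                  # test 3.4.10: name type too
            findings.append("wrong NameFormat on " + str(attr.get("Name")))
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    missing = MANDATORY_ATTRIBUTES - set(attrs)                   # test 3.4.10
    if missing:
        findings.append("mandatory attributes missing: " + ", ".join(sorted(missing)))
    return not findings, findings, attrs


# Constructed sample Response; the ds:Signature elements are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2014-06-11T17:00:00Z" InResponseTo="_req42"
  Destination="https://sp.example.gov/saml/acs">
  <saml:Issuer>https://idp.example.gov/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>stand-in</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-11T17:00:00Z">
    <saml:Issuer>https://idp.example.gov/idp</saml:Issuer>
    <ds:Signature><ds:SignatureValue>stand-in</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u123</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-06-11T16:55:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.gov/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="gfipm:2.0:user:FederationId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>IDP:EXAMPLE:jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="gfipm:2.0:user:GivenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="gfipm:2.0:user:SurName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="gfipm:2.0:user:EmailAddressText" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>jdoe@idp.example.gov</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Usage: `check_response(SAMPLE_RESPONSE, {"_req42": "/cases/17"}, "/cases/17", "https://sp.example.gov/saml", "https://sp.example.gov/saml/acs")` returns `(True, [], {...})`; hand it a RelayState the SP never issued with that request, or an empty `outstanding` table, and it fails the 3.4.7 and correlation checks respectively. The `outstanding` table is also what stops a captured response from being replayed: delete the request ID from it as soon as a response is accepted.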


Trusted IdP/SP Agreement

• Provide support for a Federated ID electronic credential with the broadest acceptance by multiple jurisdictions and organizations.
– (Similar to the goals of a U.S. Passport or a state Driver's License credential)

• Provide technical interoperability testing/support with multiple open source and commercial federation software products.

• Maintain and field-test GFIPM technical/management standards
– Backend Attribute Exchange (BAE) pilot testing
– Attribute Authority access
– OpenID Connect – REST/JSON standard for mobile application federated ID
– FICAM alignment certification (optional)

• An operational Identity Federation for Federal, State, and local Justice and Public Safety organizations and partners, using a consistent process for onboarding IdPs and SPs.


GFIPM Governance Model

• Representative Federation Governance
– Scope of governance is limited to ID and privilege management issues and the underlying inter-agency trust
– Governance of federation services is outside scope

• Formal Application and Onboarding Processes

• Formal Interoperability Testing Process
– Tests are done in a non-live "reference" federation

• "Federation Manager" Agency provides support for the governance process

GFIPM Governance Model (diagram)


Federation Management Role

• Onboarding IdPs and SPs
– Agreements / MOU for an IdP or SP
– Review of submitted security practices documentation
– Verification and interoperability testing of the IdP/SP
– Approval of IdP/SP documentation and documented roles/responsibilities for the IdP and SP per an Onboarding Federation Agreement

• Ongoing Maintenance
– Monitor online/offline status of IdPs/SPs
– Publish new IdPs and SPs to the Federation Directory of Services
– Update contact information
– Provide help desk triage
– Distribute updates to the "Crypto-Trust File" [new IdP/SP]


Federation Management Role (continued)

• If required, establish a legal entity for signed IdP/SP agreements with the Federation
– Define IdP/SP audit requirements
– Define dispute resolution process
– Establish liability insurance
– Define process for removing an IdP/SP from the "Crypto-Trust File"


Connecting to Federated Partners


(Diagram: the GFIPM Federation links member systems over the Secured Internet (https with mutual authentication); each member authenticates its own users locally (AuthID). Members shown:)
– RISS
– State & Local Fusion Centers
– CJIS FBI Portal
– CONNECT Project (Alabama, Florida, Kansas, Nebraska, Tennessee, Utah, Wyoming)
– LA County CCHRS
– San Diego County ARJIS
– CISA
– Pennsylvania JNET


NIEF Website

• Provides public-facing info about NIEF online
– List of current members
– Instructions for prospective members
– Frequently Asked Questions
– Contact info

• Online at https://nief.gfipm.net/


System-to-System – SOA Use Case

(Diagram: Trust Domain A and Trust Domain B, each an Existing Community Infrastructure (federal, state, local, regional, program, etc.) with Intelligence, Investigative and First Responder apps, docs and databases, connect through application interfaces to the FEDERATION.)


GFIPM Web Services Model #1


GFIPM Web Services Model #2


GFIPM Solutions Benefits

• Provide more data for your user base
• Provide your data to a larger user base
• Reduce or eliminate external system access and administration
• Secured system data exchange
• No mandate, but must interoperate
• Single, reusable infrastructure and security framework for secured national sharing


GFIPM Solutions Benefits

• Cost-effective solution
• Leverage local identity management systems and policies (closest to the user)
• User identity information is maintained in ONE place, with the local organization's identity management system (IdP)
• User authenticates once to the local IdP and uses that Single Sign-on (SSO) to gain access to multiple authorized federated systems
• Federation systems using the standard NIEM Justice Identity Credential – integration is simplified


GFIPM Reference Federation

• Managed by GTRI for Interoperability Testing by all GFIPM Stakeholders

• Used by NIEF as Part of Onboarding Test Process prior to Live Onboarding

• Info available at http://ref.gfipm.net/

• GFIPM Implementation Portal
– Info available at http://gfipm.net/implementation.html