E-Authentication: A Federated Approach to Identity Management December 2004
E-Authentication Overview & Technical Approach
Page 1
E-Authentication Overview & Technical Approach
Scott Lowery
Technical Track Session
Page 2
E-Authentication – Technical Approach
• Agenda
– E-Authentication Overview
  • Policy Framework
– Technical Approach
– Interoperability Lab
Page 3
Policy Infrastructure:
1. Establish e-Authentication risk and assurance levels for Government-wide use (OMB M-04-04 Federal Policy Notice 12/16/03)
2. Establish standard methodology for e-Authentication risk assessment (ERA)
3. Establish technical assurance standards for e-credentials and credential providers (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (Credential Assessment Framework)
5. Establish trust list of trusted credential providers for govt-wide (and private sector) use
6. Establish common business rules for use of trusted 3rd-party credentials
Page 4
OMB M-04-04 Assurance Level Impact Profiles

Potential Impact Categories for Authentication Errors        Level 1   Level 2   Level 3   Level 4
Inconvenience, distress or damage to standing or reputation  Low       Mod       Mod       High
Financial loss or agency liability                           Low       Mod       Mod       High
Harm to agency programs or public interests                  N/A       Low       Mod       High
Unauthorized release of sensitive information                N/A       Low       Mod       High
Personal Safety                                              N/A       N/A       Low       Mod/High
Civil or criminal violations                                 N/A       Low       Mod       High
Page 5
NIST SP 800-63: Allowed Token Types by Assurance Level (1, 2, 3, 4)
[Table: the marks showing which token types are allowed at each assurance level were not captured in this transcript; only the row labels survive.]
– Hard crypto token
– Soft crypto token
– Zero knowledge password
– One-time Password Device
– Strong password
– PIN
Page 6
E-Authentication – Technical Approach
• Agenda
– E-Authentication Overview
– Technical Approach
  • Assertion Based Authentication
  • Certificate Based Authentication
– Interoperability Lab
Page 7
E-Authentication – Technical Approach
• Agenda
– E-Authentication Overview
– Technical Approach
  • Assertion Based Authentication
    – Overview
    – Management
    – SAML (Security Assertion Markup Language) as an Adopted Scheme
  • Certificate Based Authentication
– Interoperability Lab
Page 8
Base Case
Step #1: User goes to Portal to select the AA and CS.
Step #2: The user is redirected to the selected CS with an AA identifier. The portal also cookies the user with their selected CS.
Step #3: The CS authenticates the user and hands them off to the selected AA with their identity information. The CS also cookies the user as Authenticated.
[Diagram: Users, Portal, CSs (ECPs), AAs (AAx), AuthZ; cookie markers ©p (portal) and ©c (CS). MD SSO options: SAML, Liberty, WS-Federation, Shibboleth, ?]
Page 9
Starting at the AA
Step #1: User Starts at AA.
Step #2: The user is redirected to the portal with the AA ID.
Step #3: After selecting their CS the user is cookied and redirected as usual.
Step #4: The user is handed off to the AA as usual.
[Diagram: AA (AAx), Portal, CS; cookie markers ©p and ©c]
Page 10
Starting at the CS
Step #1: User Starts at CS.
Step #2: The user is redirected to the portal with the CS (ECP) ID.
Step #3: After selecting their AA the user is redirected back to the CS as usual.
Step #4: The user is handed off to the AA as usual.
[Diagram: CS, Portal, AA (AAx); cookie markers ©p and ©c]
Page 11
Specialized Portals
Step #2: The user is redirected to the portal with the CS and AA IDs.
Step #3: The user is cookied and redirected to the CS.
Page 12
E-Authentication – Technical Approach
• Agenda
– E-Authentication Overview
– Technical Approach
  • Assertion Based Authentication
    – Overview
    – Management
    – SAML as an Adopted Scheme
  • Certificate Based Authentication
– Interoperability Lab
Page 13
Scheme Adoption Lifecycle (diagram):
– Start: Emerging Technology
– Evaluate new Scheme against requirements
– Assess COTS Interoperability
– Pilot
– Migrate, Translate, or Both
– Adopt
Page 14
Scheme Translator
Step #1: User starts at the portal and selects an AA that uses protocol 2, then a CS that uses protocol 1.
Step #2: The user is cookied and redirected to a protocol translator that supports protocols 1 and 2.
Step #3: The user is cookied and redirected to the CS with an AAid representing the protocol translator.
Step #4: The CS authenticates the user and hands them off to the PT using protocol 1.
Step #5: The PT hands off the user to the selected AA using protocol 2.
[Diagram: Portal, CS (protocol 1), Protocol Translator (PT), AA (protocol 2); cookie markers ©p, ©t (PT) and ©c]
Page 15
E-Authentication – Technical Approach
• Agenda
– E-Authentication Overview
– Technical Approach
  • Assertion Based Authentication
    – Overview
    – Management
    – SAML as an Adopted Scheme
  • Certificate Based Authentication
– Interoperability Lab
Page 16
SAML 1.0 Artifact Profile: Base Case
Step 1: User starts at the portal and is guided through the selection of a CS and AA.
Step 2: User gets a cookie with the CS identifier and is redirected to the selected CS with an application identifier.
Step 3: User authenticates to the CS and gets a cookie.
Step 4: User is redirected to the selected agency application with a SAML Artifact.
Step 5: The AA uses the SAML artifact to retrieve user identity and attributes from the CS over SOAP/SSL.
[Diagram: Portal, CS, AA (AAn); cookie markers ©p and ©c]
Page 17
SAML 1.0 Artifact Profile: Single Sign-On
Step 1: User starts at any AA.
Step 2: The AA redirects any unauthenticated user to the portal with the application identifier for authentication. The portal's cookie is automatically sent along by the browser.
Step 3: User is redirected to the selected CS from the cookie with the application identifier. The CS's authentication cookie is automatically sent along by the browser.
Step 4: The CS reads the cookie, determines the user is already logged in, and redirects the user to the AA with a SAML artifact.
Step 5: The AA uses the SAML artifact to retrieve user identity and attributes from the CS over SOAP/SSL.
[Diagram: AA (AAn), Portal, CS (CSn); cookie markers ©p and ©c]
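The two artifact-profile flows above (base case on Page 16, single sign-on on Page 17), as an added Python simulation that is not part of the original deck. The Portal, CredentialService and sso_visit names and the in-memory cookie and artifact stores are this example's assumptions, and the SOAP/SSL back channel of step 5 is modelled as a direct call.

```python
import secrets
# Constructed simulation of the SAML 1.0 artifact profile flows on the two
# preceding slides; names are this example's own, not the program's code.
# The SOAP/SSL back channel of step 5 is modelled as a direct method call.

class Portal:
    def __init__(self):
        self.cookies = {}            # portal cookie ("©p") -> chosen CS name
    def select_cs(self, cs_name):    # base case step 2: remember the user's CS
        cookie = secrets.token_urlsafe(16)
        self.cookies[cookie] = cs_name
        return cookie
    def route(self, portal_cookie):  # SSO steps 2-3: CS named in the cookie
        return self.cookies.get(portal_cookie)

class CredentialService:
    def __init__(self, name, passwords):
        self.name, self.passwords = name, passwords
        self.sessions = {}           # CS authentication cookie ("©c") -> user
        self.artifacts = {}          # artifact -> (user, AA it was issued for)
    def login(self, user, password):
        """Base case step 3: authenticate and set the CS cookie."""
        if self.passwords.get(user) != password:
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie
    def issue_artifact(self, cs_cookie, app_id):
        """Step 4: a logged-in user is redirected to the AA with a short random
        artifact; the identity data itself never passes through the browser."""
        user = self.sessions.get(cs_cookie)
        if user is None:
            return None              # no valid CS cookie: user must log in
        artifact = secrets.token_urlsafe(16)
        self.artifacts[artifact] = (user, app_id)
        return artifact
    def resolve(self, artifact, caller_app_id):
        """Step 5: back-channel lookup. Single use and bound to the issuing AA,
        so a replayed or stolen artifact yields nothing."""
        entry = self.artifacts.pop(artifact, None)
        if entry is None or entry[1] != caller_app_id:
            return None
        return {"user": entry[0], "cs": self.name}

def sso_visit(portal, portal_cookie, cs_by_name, cs_cookie, app_id):
    """SSO slide: portal routes by its cookie to the CS; the AA redeems the artifact."""
    cs = cs_by_name.get(portal.route(portal_cookie))
    artifact = cs.issue_artifact(cs_cookie, app_id) if cs else None
    return cs.resolve(artifact, app_id) if artifact else None
```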
Page 18
SAML 1.0 Artifact Profile: Governance
Partner Data Store: SAML interaction requires some knowledge about each partner. This data would have to be updated periodically. The data is not sensitive and could be automatically updated.
SSL Certificate Authentication: The SOAP connection can be protected using certificates issued by the governing authority to ensure only approved entities can participate.
Governing Authority: A government authority would maintain records and issue certificates to approved CSs and AAs, but would not be involved in transactions.
[Diagram: Governing Authority, Portal, CS, AA (AAn)]
Page 19
E-Authentication – Technical Approach
• Agenda
– E-Authentication Overview
– Technical Approach
  • Assertion Based Authentication
  • Certificate Based Authentication
– Interoperability Lab
Page 20
Validation Service
Step #1: User goes to Portal to select the AA and the CS.
Step #2: The user is passed directly to the AA.
Step #3: The user authenticates to the AA directly using SSL or TLS.
Step #4: The AA uses the validation service to validate the certificate.
[Diagram: Portal (©p), AA, Validation Service (XKMS, OCSP, CAM, SOAP, ?), eAuth Trust List; FPKI: Bridge with CA 1 (Community 1), CA 2 (Community 2), CA 3 (Community 3), CA 4 (CA 4a, CA 4b)]
Page 21
Local Validation
Step #1: User goes to Portal to select the AA and the CS.
Step #2: The user is passed directly to the AA.
Step #3: The user authenticates to the AA directly using SSL or TLS.
Step #4: The local validation software validates the certificate using the local trust list and the FPKI.
[Diagram: Portal (©p), AA with Validation Software and AA Trusted CAs (©c); eAuth Trust List; Local Trust List: CA 1 (Community 1), CA 3 (Community 3); FPKI: Bridge with CA 1 (Community 1), CA 2 (Community 2), CA 3 (Community 3), CA 4 (CA 4a, CA 4b)]
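The local validation of Step #4 on this slide, as an added example that is not part of the original deck: a breadth-first certification-path builder that starts from the AA's local trust list and crosses the FPKI bridge. The CROSS_CERTS topology, the outsider "CA 5", and the rule that the issuer's community must appear on the eAuth trust list are this example's own assumptions.

```python
from collections import deque
# Constructed model of the Local Validation slide: the AA's software trusts only
# the CAs on its local trust list and reaches other communities through the FPKI
# bridge's cross-certificates. The topology and the "CA 5" outsider are made up
# for this example; real path validation also checks signatures, validity dates,
# policy OIDs, name constraints and revocation, none of which is modelled here.
# issuer -> CAs it has certified (subordinate CAs or cross-certificates)
CROSS_CERTS = {
    "Bridge": {"CA 1", "CA 2", "CA 3", "CA 4", "CA 5"},
    "CA 1": {"Bridge"}, "CA 2": {"Bridge"}, "CA 3": {"Bridge"},
    "CA 4": {"Bridge", "CA 4a", "CA 4b"},
}
LOCAL_TRUST_LIST = {"CA 1", "CA 3"}                  # what this AA trusts directly
EAUTH_TRUST_LIST = {"CA 1", "CA 2", "CA 3", "CA 4"}  # communities approved govt-wide
MAX_PATH_LEN = 4                                     # CAs, anchor to issuer

def build_path(issuer, trust_anchors, max_len=MAX_PATH_LEN):
    """Breadth-first search from a trust anchor down to the CA that issued the
    user's certificate. Returns [anchor, ..., issuer] or None."""
    queue = deque([[a] for a in sorted(trust_anchors)])
    seen = set(trust_anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == issuer:
            return path
        if len(path) >= max_len:
            continue                                 # bound the search
        for nxt in sorted(CROSS_CERTS.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def community_root(path):
    """The CA the bridge cross-certified on this path, or the anchor if no bridge."""
    if "Bridge" not in path:
        return path[0]
    return path[min(path.index("Bridge") + 1, len(path) - 1)]

def validate(cert, trust_anchors=LOCAL_TRUST_LIST):
    """cert is a constructed dict with 'subject' and 'issuer'. Accept only if a path
    exists from a local anchor AND the issuer's community is on the eAuth trust list."""
    path = build_path(cert["issuer"], trust_anchors)
    if path is None:
        return {"ok": False, "reason": "no path to a trusted CA", "path": None}
    root = community_root(path)
    if root not in EAUTH_TRUST_LIST:
        return {"ok": False, "reason": f"{root} not on eAuth trust list", "path": path}
    return {"ok": True, "reason": "valid", "path": path}
```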
Page 22
Scheme Translator: Certificates At Lower Assurance Applications
Step #1: User Starts at the Portal.
Step #2: The user is cookied and redirected to an FPKI protocol translator.
Step #3: The user authenticates to the AA directly using SSL or TLS.
Step #4: The PT uses the validation service to validate the certificate.
Step #5: Once the user authenticates to the PT, they are handed off to the AA as usual.
[Diagram: Portal (©p), Protocol Translator (PT, also labelled Scheme Translator), Validation Service, ECP, AA (protocol 1), eAuth Trust List; FPKI: Bridge with CA 1 (Community 1), CA 2 (Community 2), CA 3 (Community 3), CA 4 (CA 4a, CA 4b)]
Page 23
E-Authentication – Technical Approach
• Agenda
– E-Authentication Overview
– Technical Approach
– Interoperability Lab
  • Product Testing
  • Technical Support
  • CS / AA Testing
Page 24
• COTS (Commercial Off The Shelf) Product Testing
– Scheme compliance
– Interoperability
[Diagram: base case from Page 8 repeated: Users, Portal, CSs (ECPs), AAs (AAx), AuthZ; cookie markers ©p and ©c]
Page 25
• Product Testing
– See List of Approved Vendors
[Diagram: Scheme Adoption Lifecycle from Page 13 repeated: Start, Evaluate new Scheme against requirements, Assess COTS Interoperability, Pilot, Migrate/Translate/Both, Adopt]
Page 26
• COTS Product Testing
– Certificate Validation
[Diagram: Local Validation from Page 21 repeated: Portal (©p), AA with Validation Software and AA Trusted CAs (©c); eAuth Trust List; Local Trust List: CA 1 (Community 1), CA 3 (Community 3); FPKI: Bridge with CA 1 (Community 1), CA 2 (Community 2), CA 3 (Community 3), CA 4 (CA 4a, CA 4b)]
Page 27
E-Authentication Architecture Evolution
• Architecture Working Group
• Evaluating Evolving Standards
• Scheme Translators
Page 28
E-Authentication Interoperability Lab
• Technical Support
– Interoperability Testing
– SAML Conformance Testing
– Acceptance Testing
– Approved Product List
– Cookbook / Recipes
• Extensive Experience in All These Areas
Page 29
E-Authentication – Technical Approach
• Agenda
– E-Authentication Overview
– Technical Approach
– Interoperability Lab
Page 30
Resources
• http://www.cio.gov/
• [email protected]
• Additional Contacts
– Chris Louden - 703-299-3444 - [email protected]
– Chiu - 703-299-3444 - [email protected]
– Lazerowich - 703-299-3444 - [email protected]
– Simonetti - 410-356-2260 - [email protected]
Page 31
Contact Information
I appreciate your feedback and comments.
I can be reached at:
Scott Lowry
202-236-8221