Karyn Higa-Smith, DHS S&T Program Manager, Identity & Privacy Anil John, JHU/APL Technical Lead, DHS S&T IdM Testbed September 29, 2009 OASIS Identity Management 2009


Page 1: Title slide
Karyn Higa-Smith, DHS S&T, Program Manager, Identity & Privacy
Anil John, JHU/APL, Technical Lead, DHS S&T IdM Testbed
September 29, 2009, OASIS Identity Management 2009

Page 2: Agenda
• Project Timeline
• Project Deliverables
• Project Guiding Principles
• Profile Information
  – Supported attribute exchange models
  – Metadata requirements
• COTS Vendor Support
• Next Steps

Page 3: Project Timeline
• Meeting between DHS S&T and DoD DMDC to discuss IdM topics [Sept 2008]
• BAE PoC Project kick-off [Oct 2008]
• Project Team (DHS & DoD) tel-cons every two weeks
• Beta BAE reference implementations based on initial profile work [1Q09]
• Reference implementations & Profile v1.0 DRAFT [June 2009]
• Interoperability Testing

Page 4: What is a “Profile”?
• Profiles are not standards; they are built on top of existing standards
• Guidelines and tests for interoperability
• A set of named specifications at specific revision levels, together with a set of implementation and interoperability guidelines recommending how the specifications may be used to develop interoperable capabilities

Page 5: What is a BAE? Backend Attribute Exchange (BAE)
Diagram components: Agency A (User w/ PIV Card, Auth. Attribute Store 1, Agency A Attribute Broker) and Agency B (Resource: Web Site / Application, Auth. Attribute Store 2, Agency B Attribute Broker)
1. Agency A user needs access to or information from Agency B
2. User A is Authenticated
3. Agency B needs “off-card” info to authorize User A to access resource. It “asks” its own Attribute Authority B
4. Agency B and Agency A communicate to exchange user information about User A
5.
The BAE codifies, at the Federal Level, the technical rules and protocols needed to exchange User Information between Agency A and Agency B

Page 6: Project Deliverables
• SAML V2.0 deployment profiles for BAE as well as informative information on lessons learned, implementation guidance and recommendations
• Proof-of-Concept BAE reference implementations, using synthetic data, stood up within the T&E environments of both DHS S&T and DoD DMDC to facilitate interoperability testing
• Test suites to verify BAE profile compliance

Page 7: Project Guiding Principles
• Don’t reinvent the wheel!
• Leverage existing standards work (OASIS, W3C etc.)
• Keep the deltas between existing standards and this work to the minimum & unclassified!
• Awareness of agency specific work (DOD JEDS, IC UAAS etc.) but focus on needs of the Inter-Agency Community (w/ future extensions to support the Non-Federal Community)
• Allow for future alternate subject identifiers w/o impacting protocol/security sections of profile
• Allow for ease of implementation/leverage via multiple approaches and technologies
• Support conformance testing
• Engage with COTS vendor community to encourage out of the box support for profile in products

Page 8: SAML Subject Profile: Federal Agency Smart Credential Number (FASC-N)
• The value of the <saml:NameID> element MUST be the character representation of the FASC-N.
• The FASC-N character representation MUST be 32 characters in length and will not include character representations of the start sentinel, end sentinel, field separators and the LRC.
• The character representation MUST be in the order as shown in Fig 5 of the [PACS], excluding start and end sentinels, field separators and the LRC.
• Missing values MUST be filled with zeros if the value is unknown or not set.
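The NameID rules above as a small builder and validator, added here as an example; this is not code from the slide deck, the BAE profile or either reference implementation. The field names and widths are assumed from the FASC-N specification the slide cites as Fig 5 of [PACS]; the OC/OI pair as the broker identifier comes from the metadata slide, and the NameID Format attribute is omitted because the deck does not give its URI.

```python
import re
from xml.sax.saxutils import escape

# FASC-N field order and widths (32 digits total). Assumption: this layout is
# taken from the FASC-N specification the slide cites as "Fig 5 of [PACS]",
# not from the slide itself; check it against your copy of the spec.
FASCN_FIELDS = (
    ("agency_code", 4), ("system_code", 4), ("credential_number", 6),
    ("credential_series", 1), ("individual_credential_issue", 1),
    ("person_identifier", 10), ("organizational_category", 1),
    ("organizational_identifier", 4), ("person_org_association", 1),
)
FASCN_LEN = sum(width for _, width in FASCN_FIELDS)  # 32
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_fascn(**fields):
    """Assemble the 32-char representation; unknown/unset fields are zero-filled."""
    unknown = set(fields) - {name for name, _ in FASCN_FIELDS}
    if unknown:
        raise ValueError(f"unknown FASC-N fields: {sorted(unknown)}")
    parts = []
    for name, width in FASCN_FIELDS:
        value = str(fields.get(name) or "")  # None / "" / 0 -> all zeros
        if not re.fullmatch(r"[0-9]{0,%d}" % width, value):
            raise ValueError(f"{name}: expected up to {width} ASCII digits, got {value!r}")
        parts.append(value.rjust(width, "0"))
    return "".join(parts)

def parse_fascn(name_id):
    """Validate a NameID value against the profile rules and split it into fields."""
    # ASCII digits only: a value that still carries sentinels, separators or the
    # LRC, or has the wrong length, is rejected rather than silently repaired.
    if not re.fullmatch(r"[0-9]{%d}" % FASCN_LEN, name_id):
        raise ValueError(f"NameID must be exactly {FASCN_LEN} ASCII digits")
    fields, pos = {}, 0
    for name, width in FASCN_FIELDS:
        fields[name] = name_id[pos:pos + width]
        pos += width
    return fields

def broker_key(name_id):
    """OC and OI together identify the BAE broker responsible for the subject."""
    f = parse_fascn(name_id)
    return f["organizational_category"], f["organizational_identifier"]

def name_id_element(name_id):
    """Serialize a validated FASC-N as the <saml:NameID> element the profile requires."""
    parse_fascn(name_id)  # refuse to emit a non-conforming value
    return f'<saml:NameID xmlns:saml="{SAML_NS}">{escape(name_id)}</saml:NameID>'
```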

Page 9: BAE Profile Scope: Supported BAE Model 1, Direct Attribute Exchange
Diagram components: Attribute Requester System A and Attribute Requester System B; Dept A BAE Broker and Dept B BAE Broker; Org A-1 and Org A-2 Attribute Authorities; Org B-1 and Org B-2 Attribute Authorities. Links are labeled SSL and Communication secured per Org policy.
SAML Metadata (All BAEs):
1. Org EntityID
2. Encryption/Signing certificate
3. Supported Profiles/Attributes
4. Org BAE URL
BAE CA:
• Issues X.509 Certs to BAEs
• Issues EntityIDs to BAEs
• CN of BAE Cert = EntityID
Metadata Service

Page 10: BAE Profile Scope: Supported BAE Model 2, Brokered Attribute Exchange
Diagram components: Org A Attribute Authority, Dept A BAE Broker, Dept B BAE Broker, Org B Attribute Authority; Attribute Requester System C, Dept C BAE Svc, Org C AA; Attribute Requester System D, Dept D BAE Svc, Org D AA. Links are labeled SSL and Communication secured per Org policy.
SAML Metadata (All BAEs):
1. Org EntityID
2. Encryption/Signing certificate
3. Supported Profiles/Attributes
4. Org BAE URL
BAE CA:
• Issues X.509 Certs to BAEs
• Issues EntityIDs to BAEs
• CN of BAE Cert = EntityID
Metadata Service

Page 11: Metadata (SAML v2): The Source of All Good Things!
• Unique Identifier of BAE Broker (OC & OI)
• Signing & Encryption Certificates
• URL of BAE Broker
• Supported Subject Identifier Type(s)
• Digital Signature (AuthN & Integrity)

Page 12: Metadata (SAML v2), Cont’d
• … Supported Profile(s)
• Supported Attributes
• Contact Information
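An added example, not from the deck or either reference implementation: a Python lint over a constructed SAML v2 EntityDescriptor for the items pages 9 to 12 require of every BAE (Org EntityID, encryption and signing certificate, supported subject identifier types and attributes, Org BAE URL) and the digital signature on the metadata. The entityID, URL, certificate and signature placeholders, NameID format URI and attribute name in the sample are all constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample entry for a "Dept A BAE Broker"; every value is made up.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="urn:example:bae:dept-a"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <ds:Signature><ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue></ds:Signature>
 <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-SIGN-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-ENC-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://bae.dept-a.example/attribute"/>
  <md:NameIDFormat>urn:example:nameid-format:fasc-n</md:NameIDFormat>
  <saml:Attribute Name="urn:example:attr:agency-code"/>
 </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

def lint_bae_metadata(xml_text):
    """Check one entity's metadata for the items the BAE profile requires of every BAE."""
    root = ET.fromstring(xml_text)
    found = {"entity_id": root.get("entityID"), "problems": []}
    if not found["entity_id"]:
        found["problems"].append("missing entityID")
    if root.find("ds:Signature", NS) is None:  # the metadata itself must be signed
        found["problems"].append("metadata is not signed")
    aa = root.find("md:AttributeAuthorityDescriptor", NS)
    if aa is None:
        found["problems"].append("no AttributeAuthorityDescriptor")
        return found
    certs = {}  # key use -> base64 cert text; a KeyDescriptor without 'use' serves both
    for kd in aa.findall("md:KeyDescriptor", NS):
        certs[kd.get("use", "both")] = kd.findtext(
            "ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
    for use in ("signing", "encryption"):
        if not (certs.get(use) or certs.get("both")):
            found["problems"].append(f"no {use} certificate")
    svc = aa.find("md:AttributeService", NS)
    found["bae_url"] = svc.get("Location") if svc is not None else None
    if not (found["bae_url"] or "").startswith("https://"):  # broker links ride on SSL
        found["problems"].append("BAE URL missing or not https")
    found["subject_id_types"] = [(e.text or "").strip() for e in aa.findall("md:NameIDFormat", NS)]
    found["attributes"] = [a.get("Name") for a in aa.findall("saml:Attribute", NS)]
    for key in ("subject_id_types", "attributes"):
        if not found[key]:
            found["problems"].append(f"no supported {key.replace('_', ' ')}")
    return found
```

The lint checks presence only: verifying the signature and checking the Next Steps recommendation that the certificate CN equals the entityID needs an XML-DSig and X.509 library.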

Page 13: COTS Vendor Support: To Date
• Web Services/SOA/XML Security
  – Layer 7 - http://www.layer7tech.com (POC: Adam Vincent, Public Sector CTO)
  – Vordel - http://www.vordel.com (POC: Mark O’Neill, CTO)
• Entitlement/Privilege Management (PDPs)
  – BiTKOO – http://www.bitkoo.com (POC: Doron Grinstein, CEO)
• Federation
  – Covisint - http://www.covisint.com (POC: Roger Lambert)
• Ongoing discussions with others…

Page 14: Next Steps
• Federal CIO Council ICAMSC Federation Interoperability Working Group is currently working the following open issues:
• BAE CA & entityID assignment process
  – Recommendation: BAE certificate generation and entityID assignment managed by same entity
  – Recommendation: CN of Signing/Encryption Cert == entityID
• Metadata distribution and management
  – Centralized
  – Distributed
• Federation Agreement for BAE participants

Page 15: Points of Contact & Project Team
DHS
• Karyn Higa-Smith, DHS S&T, [email protected]
• Deborah Gallagher, DHS OCIO
• Lauren Davis
• Anil John
• Christopher Obremski
• Thomas Smith
• Maria Vachino
• Chi Wu
DOD
• Lynne Prince, DOD DMDC, [email protected]
• Darroll Love
• Larry Fobian
• Abhijit Jadeja
• Joseph Pini
