Interagency Advisory Board (IAB) Meeting · • Provide foundation for exchanging identity...


Interagency Advisory Board Meeting Agenda, Wednesday, February 22, 2012

1. Opening Remarks (Mr. Tim Baldridge, IAB Chair)

2. Generic Identity Command Set (GICS): Leveraging PIV to Build a Standard Platform for ID Tokens (Ketan Mehta, NIST)

3. Continuing to Move ICAM into Mobile Computing (Owen Unangst, USDA)

4. The Movement to Use PIV-I (David Belchick, CitiBank)

5. NXP and HID Global Enable Mobile Access for NFC Phones Enabling Options for Storing and Managing PIV(-I) Credentials on Mobile Devices (Julian Lovelock, HID/Actividentity)

6. Cross-Agency Federation: A Demonstration of Federated Identity Trust within the Federal Government and Industry at Level of Assurance 4 (Tim Baldridge, NASA, and Bob Gilson, DoD)

7. Closing Remarks (Mr. Tim Baldridge, IAB Chair)


Federated Identity Access

NASA and TSCP Partners

September 14-16, 2010

Presented to the IAB

April 25, 2012


Demonstration Participants


Project Demonstration Goals

• Perform a technology demonstration to raise awareness of capabilities

• Show multilateral federated identity access across NASA, DoD, Corporate and Academic identity providers and relying parties

• Show that NASA PIV cards and Launchpad Federated Identity claims are accepted in the TSCP environment

• Demonstrate a federated environment leveraging and distinguishing among high assurance smartcard credentials, PIV, PIV-I, Medium HW

• Demonstrate scenarios that show frequently requested use cases as required by a major NASA Program

• Establish a uniform user experience to the greatest extent possible

• Provide foundation for exchanging identity attributes that can be leveraged for granular authorized access to logical assets

– Supports demonstration of how the medium hardware certificate on NASA PIV Cards can be leveraged for application of TSCP Document Sharing using Identity Federation (DSIF)


Federal Government Federation Landscape

• Federal ICAM Roadmap and Implementation Guidance 2.0 http://www.idmanagement.gov/documents/FICAM_Roadmap_and_Implementation_Guidance_v2%200_20111202.pdf

• Approved Federal ICAM Trust Framework Providers IdPs http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP

• Adopted Federal ICAM Schemes and Profiles http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-Scheme

• Trust Framework Adoption Process http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework

• Approved PIV-I Credential Providers http://www.idmanagement.gov/pages.cfm/page/ICAM-PIVI-CSP


Business Drivers and Benefits

Reduce Complexity

• Standardize configuration rules for Identity Provider and Relying Party relationships

• Hub Model provides aggregated multilateral relationships vs. a large number of difficult-to-maintain bilateral trusts

Reduce Cost

• Leverage the user’s “home” organization credential and identity life cycle management

• Reduce complexity for relying party / application owners

Better User Experience

• Easy to use, increases productivity

• Facilitates Single Sign-On

• Fewer credentials to remember and manage

• Builds confidence in using enhanced IT solutions

Improved Security

• Identity Assurance Level maps to NIST SP 800-63

• Strong, vetted, two-factor authentication by leveraging PKI and smartcard investments

• Credential life cycle management provided by the user’s home organization for more accurate and timely provisioning and de-provisioning

• Leveraging Trust Frameworks further reduces risk


Federal Government Directive for Use of Externally-Issued Credentials

• In October 2011, the Federal CIO issued the following OMB Memorandum, which falls in line with the project goals & objectives.

OMB Memorandum Dated 10/6/2011: “Requirements for Accepting Externally-Issued Identity Credentials”


NASA Program Customer: Ground Systems Development & Operations

The GSDO Program Vision

Launching the world’s most powerful, advanced launch vehicles and spacecraft.

The GSDO Program Mission

To be the driving force that transforms the Kennedy Space Center into the world’s premier multi-user launch and landing spaceport.

The GSDO Mission Description

The Program's mission is to process and launch the next generation of launch vehicles and spacecraft in support of NASA’s exploration objectives, and develop the ground systems, infrastructure, and operational approaches to sustainably enable that mission.

A key aspect of the Program’s approach to long term sustainability and affordability is to make processing and launch infrastructure available to commercial and other government entities, thereby distributing the fixed cost burden among multiple users and reducing the cost of access to space for the United States.

The GSDO Program Goals

Goal 1: Provide sustainable, affordable and safe ground operations and integration capabilities required to extend the human presence across the solar system.

Goal 2: Drive operability into flight and ground systems development.

Goal 3: Optimize ground operations capabilities to enable multiple users.

Goal 4: Share GSDO mission internally and externally.

Goal 5: Strengthen GSDO Program community.


Ground Systems Development & Operations Collaboration Project Background

• In late FY11, the Ground Systems Development and Operations (GSDO) Program approached KSC IT to architect a solution that could facilitate collaboration with the Air Force and Aerospace Contractors.

• As a result of those discussions, the KSC-based SharePoint 2010 Project was commissioned to configure, test, and deploy the following solution:

– A Partner Extranet SharePoint 2010 environment that provides authenticated access for external partners and unauthenticated access to publicly-available data

• Additional objectives include:

– Establish trusts with the third party credential providers (i.e. Air Force, Exostar, etc.)

• This capability will serve as a Pilot for NASA, with hopes of transitioning the service to the Agency


TSCP/NASA Pilot Architecture Overview

[Architecture diagram. Components: Identity Provider / Identity Hub, two further Identity Providers, NASA GSDO SharePoint, TSCP SharePoint Application. Protocols between them: WS-Fed, TSCP Profile SAML 2.0, WS-Fed / SAML 2.0.]


Demonstration Authentication Use Cases

Use Case 1: NASA User Accesses TSCP SharePoint Site with NASA Issued PIV Card

Use Case 2: NASA User Accesses TSCP SharePoint Site with NASA Issued PIV Card, NASA as Federated IdP

Use Case 3: LMCO User Accesses NASA SharePoint Site with LMCO Issued Smart Card


Additional Authentication Use Cases

Use Case 4: DoD User Accesses NASA SharePoint Site with Registered DoD Issued CAC

Use Case 5: DoD User Accesses NASA SharePoint Site with DoD Issued CAC via Hub


Use Case 1: NASA PIV Card to ForumPass via TSCP Exostar MAG UAT

[Screenshot: NASA PIV Card to TSCP Exostar MAG UAT]


Use Case 1: NASA PIV Card to ForumPass via TSCP Exostar MAG UAT (continued)

[Screenshot: NASA User with Medium Hardware Assurance AuthN]


Use Case 1: NASA PIV Card to ForumPass via TSCP Exostar MAG UAT (continued)


Use Case 2: NASA IdP to LMCO SharePoint

[Screenshot: LMCO ADFS page for home realm selection]


Use Case 2: NASA IdP to LMCO SharePoint (continued)

[Screenshot: NASA Access Launchpad interface, smartcard login selection]


Use Case 2: NASA IdP to LMCO SharePoint (continued)


Use Case 3: LMCO SC to NASA GSDO Site

[Screenshot: Selection of LMCO Federation Login Service]


Use Case 3: LMCO SC to NASA GSDO Site (continued)

[Screenshot: LMCO Federation Login coaching page]


Use Case 3: LMCO SC to NASA GSDO Site (continued)

[Screenshot: Claims View] The Claims View shows how the identity and the authentication LoA are converted into a federation-compatible format.
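As an added example (not NASA, TSCP or LMCO code), this is one way a relying party can consume the assurance claims the Claims View produces and apply the "Medium Hardware and better" rule stated in the Conclusion, distinguishing PIV, PIV-I and Medium Hardware credentials as the Project Goals describe. The claim-type URIs and IdP names are constructed; the certificate policy OIDs are those of the FBCA and FPKI Common Policy certificate policies and should be confirmed against the policy version in force.

```python
"""Relying-party assurance gate over federated smartcard claims (added example, not NASA/TSCP code)."""
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# Claim-type URIs are constructed for this example; a real WS-Fed (ADFS) or
# SAML 2.0 deployment carries its own claim types, which the RP maps here.
CLAIM_POLICY = "urn:example:claims/certificatePolicy"  # policy OIDs of the authn cert
CLAIM_ISSUER = "urn:example:claims/issuer"             # IdP that issued the token

class Assurance(NamedTuple):
    credential: str  # PIV, PIV-I, Medium HW, ...
    loa: int         # NIST SP 800-63 level of assurance

# OID -> credential class and SP 800-63 LoA per the E-Authentication PKI
# crosswalk (Medium = LoA 3; Medium Hardware, PIV, PIV-I hardware = LoA 4).
# OIDs from the FBCA / FPKI Common Policy CPs; confirm against the version in force.
POLICY_MAP: Dict[str, Assurance] = {
    "2.16.840.1.101.3.2.1.3.13": Assurance("PIV", 4),        # id-fpki-common-authentication
    "2.16.840.1.101.3.2.1.3.7": Assurance("PIV", 4),         # id-fpki-common-hardware
    "2.16.840.1.101.3.2.1.3.18": Assurance("PIV-I", 4),      # id-fpki-common-pivi-hardware
    "2.16.840.1.101.3.2.1.3.12": Assurance("Medium HW", 4),  # id-fpki-certpcy-mediumHardware
    "2.16.840.1.101.3.2.1.3.3": Assurance("Medium (software)", 3),  # id-fpki-certpcy-mediumAssurance
}

def classify(claims: Dict[str, List[str]]) -> Assurance:
    """Strongest recognised policy wins; unknown or missing policies earn LoA 0."""
    best = Assurance("unrecognised", 0)
    for oid in claims.get(CLAIM_POLICY, []):
        found = POLICY_MAP.get(oid)
        if found and found.loa > best.loa:
            best = found
    return best

def authorize(claims: Dict[str, List[str]], trusted_idps: FrozenSet[str], min_loa: int = 4) -> Tuple[bool, str]:
    """Accept only tokens from a trusted federation partner whose credential meets min_loa."""
    issuer = (claims.get(CLAIM_ISSUER) or [""])[0]
    if issuer not in trusted_idps:
        return False, f"issuer {issuer!r} is not a trusted IdP"
    found = classify(claims)
    if found.loa < min_loa:
        return False, f"{found.credential} is LoA {found.loa}; site requires LoA {min_loa}"
    return True, f"{found.credential} accepted at LoA {found.loa}"

if __name__ == "__main__":
    # Constructed claim sets: a PIV Authentication cert and a software Medium cert from the same IdP.
    nasa = frozenset({"urn:example:idp/nasa-launchpad"})
    piv = {CLAIM_ISSUER: ["urn:example:idp/nasa-launchpad"], CLAIM_POLICY: ["2.16.840.1.101.3.2.1.3.13"]}
    soft = {CLAIM_ISSUER: ["urn:example:idp/nasa-launchpad"], CLAIM_POLICY: ["2.16.840.1.101.3.2.1.3.3"]}
    print(authorize(piv, nasa))   # (True, 'PIV accepted at LoA 4')
    print(authorize(soft, nasa))  # (False, 'Medium (software) is LoA 3; site requires LoA 4')
```

The issuer check matters as much as the LoA check: a policy OID is only meaningful when the token comes from a federation partner whose path validation the RP trusts.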


Use Case 4: DoD CAC to NASA SharePoint

[Screenshot: Remote Desktop login using DoD CAC in NASA Consolidated Active Directory]

mstsc /v:host.domain.com /f


Use Case 4: DoD CAC to NASA SharePoint (continued)

[Diagram: NASA External DoD CAC Credential Registration; NCAD Windows Integrated Smartcard Logon; LaunchPad Windows Desktop Single Sign-On; LMCO Federated Identity -- all production systems]


Lessons Learned

• Essentially an exercise of mapping our Claims/SAML assertions to the solution business process

• We were able to establish a production trust relationship in about 45 days, which includes the learning curve

• A significantly enhanced user experience can be provided – an apparent single sign-on

• Effective collaboration mutually leverages experience and builds trust

• Early involvement of partner SMEs with experience using established schemes and profiles is critical


Future Plans | Next Steps

• Review and Update Business Process Mechanisms

• Perform Risk Analysis & Compliance Assessment

• Implement Production Environment Pilot Activity

• Refine enhancements for production service offering

• Build out FICAM conformant infrastructure

• Standardize Relying Party, Identity Provider and Attribute Provider participation

• Full service implementation

• Leverage additional identity attributes


Conclusion

• The tested configuration supports strong PKI-based authentication – Medium Hardware and better.

• The federation trust framework allows members to off-load the burden of lifecycle maintenance for external identities and credentials.

• In NASA, this means mission programs can focus on their mission work and offload their ICAM requirements to a standardized, efficiently operated Agency service.

• Increases security and ease-of-use for enhanced user productivity, and lowers credential and access management costs.


Questions?

Dennis Kay

[email protected]

Tim Baldridge

[email protected]
