Transcript of Interagency Advisory Board (IAB) Meeting
Interagency Advisory Board Meeting Agenda, Wednesday, February 22, 2012
1. Opening Remarks (Mr. Tim Baldridge, IAB Chair)
2. Generic Identity Command Set (GICS): Leveraging PIV to Build a Standard Platform for ID Tokens (Ketan Mehta, NIST)
3. Continuing to Move ICAM into Mobile Computing (Owen Unangst, USDA)
4. The Movement to Use PIV-I (David Belchick, CitiBank)
5. NXP and HID Global Enable Mobile Access for NFC Phones Enabling Options for Storing and Managing PIV(-I) Credentials on Mobile Devices (Julian Lovelock, HID/Actividentity)
6. Cross-Agency Federation: A Demonstration of Federated Identity Trust within the Federal Government and Industry at Level of Assurance 4 (Tim Baldridge, NASA, and Bob Gilson, DoD)
7. Closing Remarks (Mr. Tim Baldridge, IAB Chair)
Federated Identity Access
NASA and TSCP Partners
September 14-16, 2010
Presented to the IAB
April 25, 2012
Demonstration Participants
PAGE 1 | TSCP
Project Demonstration Goals
• Perform a technology demonstration to raise awareness of capabilities
• Show multilateral federated identity access across NASA, DoD, Corporate and Academic identity providers and relying parties
• Show that NASA PIV cards and Launchpad Federated Identity claims are accepted in the TSCP environment
• Demonstrate a federated environment leveraging and distinguishing among high assurance smartcard credentials, PIV, PIV-I, Medium HW
• Demonstrate scenarios that show frequently requested use cases as required by a major NASA Program
• Establish a uniform user experience to the greatest extent possible
• Provide foundation for exchanging identity attributes that can be leveraged for granular authorized access to logical assets
– Supports demonstration of how the medium hardware certificate on NASA PIV Cards can be leveraged for application of TSCP Document Sharing using Identity Federation (DSIF)
Federal Government Federation Landscape
• Federal ICAM Roadmap and Implementation Guidance 2.0 http://www.idmanagement.gov/documents/FICAM_Roadmap_and_Implementation_Guidance_v2%200_20111202.pdf
• Approved Federal ICAM Trust Framework Providers IdPs http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-IDP
• Adopted Federal ICAM Schemes and Profiles http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework-Scheme
• Trust Framework Adoption Process http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework
• Approved PIV-I Credential Providers http://www.idmanagement.gov/pages.cfm/page/ICAM-PIVI-CSP
Business Drivers and Benefits
Reduce Complexity
• Standardize configuration rules for Identity Provider and Relying Party relationships
• The Hub Model provides aggregated multilateral relationships instead of a large number of hard-to-maintain bilateral trusts
Reduce Cost
• Leverage the user’s “home” organization credential and identity life-cycle management
• Reduce complexity for relying party / application owners
Better User Experience
• Easy to use, increasing productivity
• Facilitates Single Sign-On
• Fewer credentials to remember and manage
• Builds confidence in using enhanced IT solutions
Improved Security
• Identity Assurance Level maps to NIST SP 800-63
• Strong, vetted, two-factor authentication by leveraging PKI and smartcard investments
• Credential life-cycle management provided by the user’s home organization for more accurate and timely provisioning and de-provisioning
• Leveraging Trust Frameworks further reduces risk
Federal Government Directive for Use of Externally-Issued Credentials
• In October 2011, the Federal CIO issued the following OMB Memorandum, which falls in line with the project goals and objectives.
OMB Memorandum dated 10/6/2011: “Requirements for Accepting Externally-Issued Identity Credentials”
The GSDO Program Vision
Launching the world’s most powerful, advanced launch vehicles and spacecraft.
The GSDO Program Mission
To be the driving force that transforms the Kennedy Space Center into the world’s premier multi-user launch and landing spaceport.
The GSDO Mission Description
The Program’s mission is to process and launch the next generation of launch vehicles and spacecraft in support of NASA’s exploration objectives, and develop the ground systems, infrastructure, and operational approaches to sustainably enable that mission.
A key aspect of the Program’s approach to long-term sustainability and affordability is to make processing and launch infrastructure available to commercial and other government entities, thereby distributing the fixed cost burden among multiple users and reducing the cost of access to space for the United States.
The GSDO Program Goals
Goal 1: Provide sustainable, affordable and safe ground operations and integration capabilities required to extend the human presence across the solar system.
Goal 2: Drive operability into flight and ground systems development.
Goal 3: Optimize ground operations capabilities to enable multiple users.
Goal 4: Share GSDO mission internally and externally.
Goal 5: Strengthen GSDO Program community.
NASA Program Customer: Ground Systems Development & Operations
Ground Systems Development & Operations Collaboration Project Background
• In late FY11, the Ground Systems Development and Operations (GSDO) Program approached KSC IT to architect a solution that could facilitate collaboration with the Air Force and Aerospace Contractors.
• As a result of those discussions, the KSC-based SharePoint 2010 Project was commissioned to configure, test, and deploy the following solution:
– A Partner Extranet SharePoint 2010 environment that provides authenticated access for external partners and unauthenticated access to publicly-available data
• Additional objectives include:
– Establish trusts with third-party credential providers (i.e. Air Force, Exostar, etc.)
• This capability will serve as a Pilot for NASA, with hopes of transitioning the service to the Agency
TSCP/NASA Pilot Architecture Overview
(Diagram: Identity Providers and an Identity Provider / Identity Hub connect NASA GSDO SharePoint and the TSCP SharePoint Application over WS-Fed, TSCP Profile SAML 2.0, and WS-Fed / SAML 2.0.)
Demonstration Authentication Use Cases
Use Case 1: NASA User Accesses TSCP SharePoint Site with NASA Issued PIV Card
Use Case 2: NASA User Accesses TSCP SharePoint Site with NASA Issued PIV Card, NASA as Federated IdP
Use Case 3: LMCO User Accesses NASA SharePoint Site with LMCO Issued Smart Card
Additional Authentication Use Cases
Use Case 4: DoD User Accesses NASA SharePoint Site with Registered DoD Issued CAC
Use Case 5: DoD User Accesses NASA SharePoint Site with DoD Issued CAC via Hub
Use Case 1: NASA PIV Card to ForumPass via TSCP Exostar MAG UAT
Screenshot: NASA PIV Card to TSCP Exostar MAG UAT
Screenshot: NASA User with Medium Hardware Assurance AuthN
Use Case 2: NASA IdP to LMCO SharePoint
Screenshot: LMCO ADFS Page for Home Realm Selection
Screenshot: NASA Access Launchpad Interface, Smartcard Login Selection
Use Case 3: LMCO SC to NASA GSDO Site
Screenshot: Selection of LMCO Federation Login Service
Screenshot: LMCO Federation Login Coaching Page
Screenshot: Claims View shows how identity and authN LoA is converted into a Federation-compatible format
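As an added example (not code from the deck, TSCP or NASA), the relying-party side of that conversion: reading the SAML 2.0 authentication-context class out of an assertion, mapping it to an SP 800-63 LoA, and refusing anything below the LoA the resource requires. The issuer entity IDs, the context-to-LoA table and the LoA 4 policy are assumptions for illustration.

```python
# Added example (not the deck's code): relying-party check that reads the
# authentication-context class from a SAML 2.0 assertion, maps it to an
# SP 800-63 LoA and enforces a minimum LoA plus an issuer trust list.
# Issuer IDs, the mapping table and the LoA 4 policy are constructed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping from OASIS authn-context classes to SP 800-63 LoA. Smartcard
# PKI (PIV, CAC, Medium Hardware) is treated as LoA 4; unlisted classes map to
# 0 so an unknown or missing class can never satisfy the policy.
AUTHN_CONTEXT_TO_LOA = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
}

# Placeholder entity IDs standing in for the on-boarded IdPs.
TRUSTED_ISSUERS = {"https://idp.example.nasa/launchpad", "https://idp.example.lmco/adfs"}

def assertion_loa(assertion_xml):
    """Return (issuer, loa). XML signature validation is assumed done by the
    SAML stack before this point; this function reads the claims only."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return issuer, AUTHN_CONTEXT_TO_LOA.get((ctx or "").strip(), 0)

def authorize(assertion_xml, min_loa=4):
    """Grant only if the issuer is trusted and the asserted LoA meets policy."""
    issuer, loa = assertion_loa(assertion_xml)
    return issuer in TRUSTED_ISSUERS and loa >= min_loa

# Constructed sample: a smartcard (PIV) logon asserted by a trusted IdP.
SAMPLE_PIV = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.nasa/launchpad</saml:Issuer>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Same issuer, password logon: must not reach an LoA 4 resource.
SAMPLE_PASSWORD = SAMPLE_PIV.replace("SmartcardPKI", "PasswordProtectedTransport")
```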
Use Case 4: DoD CAC to NASA SharePoint
Screenshot: Remote Desktop Login Using DoD CAC in NASA Consolidated Active Directory
mstsc /v:host.domain.com /f
• NASA External DoD CAC Credential Registration
• NCAD Windows Integrated Smartcard Logon
• LaunchPad Windows Desktop Single-Sign-On
• LMCO Federated Identity
– All Production Systems
Lessons Learned
• Essentially an exercise of mapping our Claims/SAML assertions to the solution business process
• We were able to establish a production trust relationship in about 45 days, which includes the learning curve
• A significantly enhanced user experience can be provided: an apparent single sign-on
• Effective collaboration mutually leverages experience and builds trust
• Early involvement of partner SMEs with experience using established schemes and profiles is critical
Future Plans | Next Steps
• Review and Update Business Process Mechanisms
• Perform Risk Analysis & Compliance Assessment
• Implement Production Environment Pilot Activity
• Refine enhancements for production service offering
• Build out FICAM conformant infrastructure
• Standardize Relying Party, Identity Provider and Attribute Provider participation
• Full service implementation
• Leverage additional identity attributes
Conclusion
• The tested configuration supports strong PKI-based authentication: Medium Hardware and better.
• The federation trust framework allows members to off-load the burden of lifecycle maintenance for external identities and credentials.
• In NASA, this means mission programs can focus on their mission work and offload their ICAM requirements to a standardized, efficiently operated Agency service.
• Increases security and ease of use for enhanced user productivity, and lowers credential and access management costs.
Questions?
Dennis Kay
Tim Baldridge