Brad Tumy 2013 Open Stack Identity Summit - France
Tell me WHO are YOU? … ‘Cause I really want to know
@brad_tumy
Agenda
• Identity Assurance
• Identity Assurance Frameworks
• Implementation Requirements
• Typical Architecture Model
Who am I?
• @brad_tumy
• http://www.linkedin.com/in/bradtumy
• Identity & Access Management Consultant
• 18 years of InfoSec (development & systems integration)
• Experience:
  • Technical Engineer on Dept. of Veterans Affairs E-Auth Project
  • Tech Engineer on Dept. of Energy FICAM Project
  • Tech Engineer on General Services Administration (GSA) FICAM Project
  • Tech SME on Dept. of Labor FICAM Project
So … WHO are YOU?
Identity Assurance
“… the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity - whether a human or a machine, with which it interacts to effect a transaction, can be trusted to actually belong to the entity.”

Levels of Assurance

Level  Confidence               Examples
1      Little or no confidence  Google (IDP), Facebook (IDP)
2      Some confidence          Corporate username and password
3      High confidence          2FA (smart card, OTP, etc.)
4      Very high confidence     Smart card (but requires in-person identity proofing)
Identity Assurance Frameworks
A few major Identity Assurance Frameworks
• InCommon
• NSTIC / FICAM
• STORK
• IDAP
• Pan-Canadian
• Swedish eLegitimation
• Australian Access Federation (AAF)
• National Electronic Authentication Framework
• Kantara
Identity Assurance Framework Principles

Identity Assurance Principle → Control afforded to a user
1. User Control: identity assurance activities can only take place with user consent
2. Transparency: identity assurance can only take place in ways the user understands and when the user is fully informed
3. Multiplicity: the user can choose as many different identifiers or identity providers as desired
4. Data Minimization: a request or transaction uses the minimum identity data necessary
5. Data Quality: the user chooses when to update records
6. Service-User Access and Portability: the user has to be provided copies of the user’s data on request; the user can move data whenever they choose
7. Governance / Certification: all participants in the Identity Assurance System must be accredited
8. Problem Resolution: independent arbitration
9. Exceptional Circumstances: any exceptions have to be approved by the governing body and are subject to independent scrutiny
Principles / Product Mapping

Identity Assurance Principle → OpenAM Configuration
1. User Control: user consent screen in the SAML transaction
2. Transparency: the user consent screen in the SAML transaction should display the attributes being shared and how they are being shared
3. Multiplicity: Identity Proxy / IDP Finder
4. Data Minimization: the SAML Response should only send the required attributes
Implementation Requirements
Implementation Requirements
• Identity Provider
  • Identity Proxy
  • Provide user consent mechanisms
  • Choice of authentication mechanisms at the appropriate LOA
  • Identity proofing
    • E.g., adaptive risk (e.g. device print)
  • SAML Response
• Service Provider
  • Choice of credential/IDP at the appropriate LOA
  • SAML request includes the LOA requirement in the authentication context attribute
  • Manage access according to LOA requirements
Typical Architecture Model
OpenAM IAF Architecture

[Diagram: SAML Request / SAML Response flow between the SP, the IDPProxy and the brokered IDPs. IDP1 supports LOA1 (e.g. Google IDP), IDP2 supports LOA2, IDP3 supports LOA3/4 (PKI, 2FA, etc.). Labels shown: IDPProxy, LOA1, LOA2, LOA3, LOA 4, IDP1, IDP2, IDP3, SAML Request, SAML Response.]

Example SAML Request:
http://machinea.sp.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=machineb.idpproxy.com&NameIDFormat=transient&AuthnContextClassRef=http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1
Customize for Framework

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://am2.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <Extensions>
    <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">
      <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                     xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1</ns2:AttributeValue>
        <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2</ns2:AttributeValue>
        <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3</ns2:AttributeValue>
        <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4</ns2:AttributeValue>
      </ns2:Attribute>
    </ns1:EntityAttributes>
  </Extensions>
</EntityDescriptor>
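As an added example (not from the slides and not OpenAM code), the Python below implements the two LOA checks the Implementation Requirements slide asks for: an IDP finder that reads the assurance-certification EntityAttribute shown in the metadata above to pick IDPs certified at or above the LOA the SP requested, and the SP-side check that the AuthnContextClassRef actually asserted in the response meets that requirement. The entity IDs and XML fragments are constructed sample data; the FICAM LOA URIs are the ones used on the slides.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ICAM = "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel"
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
# FICAM LOA URIs as used on the slides, mapped to a comparable rank (1 = lowest)
LOA = {f"{ICAM}{n}": n for n in range(1, 5)}

def certified_levels(metadata_xml):
    """Levels an entity claims in its assurance-certification EntityAttribute."""
    levels = set()
    for attr in ET.fromstring(metadata_xml).iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == CERT_ATTR:
            for val in attr.iterfind("saml:AttributeValue", NS):
                lvl = LOA.get((val.text or "").strip())  # tolerate whitespace around the URI
                if lvl:
                    levels.add(lvl)
    return levels

def eligible_idps(idp_metadata, required):
    """IDP finder: IDPs whose metadata certifies the required LOA or higher."""
    return sorted(name for name, xml in idp_metadata.items()
                  if any(lvl >= required for lvl in certified_levels(xml)))

def asserted_level(assertion_xml):
    """LOA asserted in AuthnContextClassRef (0 if absent or unknown); evaluate only after signature validation."""
    ref = ET.fromstring(assertion_xml).find(".//saml:AuthnContextClassRef", NS)
    return LOA.get((ref.text or "").strip(), 0) if ref is not None else 0

def meets_requirement(assertion_xml, required):
    """SP access decision: the asserted LOA must be at least the LOA the SP requested."""
    return asserted_level(assertion_xml) >= required
# --- constructed sample data (hypothetical entity IDs, not from the slides) ---
def sample_metadata(entity_id, levels):
    vals = "".join(f"<saml:AttributeValue>{ICAM}{n} </saml:AttributeValue>" for n in levels)
    return (f'<md:EntityDescriptor entityID="{entity_id}" xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
            f'xmlns:saml="{NS["saml"]}"><md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{CERT_ATTR}" '
            f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{vals}</saml:Attribute>'
            "</mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>")

def sample_assertion(class_ref):
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AuthnStatement><saml:AuthnContext>'
            f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>")

IDPS = {"idp1": sample_metadata("https://idp1.example.test/openam", [1]),     # LOA1, e.g. social IDP
        "idp2": sample_metadata("https://idp2.example.test/openam", [2]),     # LOA2, corporate password
        "idp3": sample_metadata("https://idp3.example.test/openam", [3, 4])}  # LOA3/4, PKI / 2FA
```

An SP requesting assurancelevel2 gets `['idp2', 'idp3']` from the finder, and a response carrying the assurancelevel1 URI (or a non-FICAM class such as PasswordProtectedTransport) is refused by `meets_requirement`.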
Questions? Thank you!!
Identity Assurance Programs
• US, NSTIC
• UK, Cabinet Programme Office
• EU, STORK (https://www.eid-stork.eu/)
• Pan-Canadian - you can talk to Colin Walls or Ken Dagg
• UK IDAP - John Bradley has been circling in the space
• Swedish eLegitimation - http://www.e-legitimation.se/Elegitimation/Templates/StartPage.aspx - you can talk to Leif Johanssen