3. Who am I?
• @brad_tumy
• http://www.linkedin.com/in/bradtumy
• Identity & Access Management Consultant
• 18 Years of InfoSec (Development & Sys Integration)
• Experience:
  • Technical Engineer on Dept. of Veterans Affairs E-Auth Project
  • Tech Engineer on Dept. of Energy FICAM Project
  • Tech Engineer on General Services Administration (GSA) FICAM Project
  • Tech SME on Dept. of Labor FICAM Project
6. Identity Assurance
“… the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity - whether a human or a machine, with which it interacts to effect a transaction, can be trusted to actually belong to the entity.”
Levels of Assurance:
Level  Confidence Level         Examples
1      Little or no confidence  Google (IDP), Facebook (IDP)
2      Some confidence          Corporate username and password
3      High confidence          2FA (smart card, OTP, etc.)
4      Very high confidence     Smart card (but requires in-person identity proofing)
7. Identity Assurance Frameworks
Brad Tumy, 2013 Open Stack Identity Summit - France
8. A few major Identity Assurance Frameworks
• Swedish eLegitimation
• Pan-Canadian
• STORK
• InCommon
• Kantara
• IDAP
• NSTIC / FICAM
• Australian Access Federation (AAF)
• National Electronic Authentication Framework
9. Identity Assurance Framework Principles
Identity Assurance Principle: Control afforded to a user
1. User Control: Identity assurance activities can only take place with user consent
2. Transparency: Identity assurance can only take place in ways the user understands and when the user is fully informed
3. Multiplicity: The user can choose as many different identifiers or identity providers as desired
4. Data Minimization: A request or transaction uses the minimum identity data necessary
5. Data Quality: The user chooses when to update records
6. Service-User Access and Portability: The user has to be provided copies of the user’s data on request; the user can move data whenever they choose
7. Governance / Certification: All participants in the Identity Assurance System must be accredited
8. Problem Resolution: Independent arbitration
9. Exceptional Circumstances: Any exceptions have to be approved by the governing body and are subject to independent scrutiny
10. Principles / Product Mapping
Identity Assurance Principle: OpenAM Configuration
1. User Control: User consent screen in the SAML transaction
2. Transparency: The user consent screen in the SAML transaction should display the attributes being shared and how they are being shared
3. Multiplicity: Identity Proxy / IDP Finder
4. Data Minimization: The SAML Response should only send the required attributes
11. Implementation Requirements
12. Implementation Reqs
• Service Provider
  • Choice of Credential/IDP at appropriate LOA
  • SAML request includes LOA requirement in authentication context attribute
  • Manage access according to LOA requirements
• Identity Provider
  • Provide User Consent mechanisms
  • Choice of Authentication mechanisms at appropriate LOA
  • Identity Proofing
    • E.g., Adaptive Risk (e.g. Device Print)
• Identity Proxy
13. Typical Architecture Model
14. OpenAM IAF Architecture
[Diagram: the Service Provider sends a SAML Request carrying the required level (LOA1, LOA2, LOA3 or LOA 4) to the IDP Proxy, which routes it to an IDP supporting that level; the SAML Response comes back the same way.]
• IDP1 - Supports LOA1 (e.g. Google IDP)
• IDP2 - Supports LOA2
• IDP3 - Supports LOA3/4 (PKI, 2FA, etc.)
Example SAML Request:
http://machinea.sp.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=machineb.idpproxy.com&NameIDFormat=transient&AuthnContextClassRef=http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1
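The SP-side check the "Implementation Reqs" slide asks for (manage access according to LOA requirements), as an added Python example that is not part of the original deck: it maps the AuthnContextClassRef asserted in a constructed SAML Response to a numeric LOA and compares it with the level the SP requested in its request. The assurancelevel1 URI is the one from the slide; levels 2 to 4 are assumed to follow the same FICAM URI pattern, and signature validation of the Response is out of scope here.

```python
"""Added example (not from the slides): SP-side enforcement of the requested LOA.
The SP requests a level via AuthnContextClassRef and must verify that the level
asserted in the returned SAML Response is at least that high before granting
access. The Response below is constructed for this example and is unsigned."""
import xml.etree.ElementTree as ET

FICAM = "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel"
# FICAM AuthnContextClassRef URI -> numeric LOA (level 1 is on the slide;
# levels 2-4 are assumed to follow the same pattern).
LOA_BY_CLASSREF = {f"{FICAM}{n}": n for n in range(1, 5)}

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IDP proxy asserts LOA2 for a transient NameID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_x</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2013-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>%s2</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>""" % FICAM


def asserted_loa(response_xml: str) -> int:
    """Return the LOA asserted in the Response; 0 if the class ref is missing or unknown."""
    root = ET.fromstring(response_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or ref.text is None:
        return 0
    # An unmapped URI is treated as no assurance at all, never guessed upward.
    return LOA_BY_CLASSREF.get(ref.text.strip(), 0)


def meets_required_loa(response_xml: str, required: int) -> bool:
    """Minimum-level comparison: the asserted LOA must be >= the LOA the SP requested."""
    return asserted_loa(response_xml) >= required
```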
17. Identity Assurance Programs
• US, NSTIC
• UK, Cabinet Programme Office
• EU, STORK (https://www.eid-stork.eu/)
• There's Pan-Canadian - you can talk to Colin Walls or Ken Dagg
• UK IDAP - John Bradley has been circling in the space
• Swedish eLegitimation (http://www.e-legitimation.se/Elegitimation/)