Brad Tumy

2013 Open Stack Identity Summit - France

Tell me WHO are YOU?
… ‘Cause I really want to know
Agenda
•  Identity Assurance
•  Identity Assurance Frameworks
•  Implementation Requirements
•  Typical Architecture Model

@brad_tumy
Who am I?
•  @brad_tumy
•  http://www.linkedin.com/in/bradtumy
•  Identity & Access Management Consultant
•  18 Years of InfoSec (Development & Sys Integration)
•  Experience:
   •  Technical Engineer on Dept. of Veterans Affairs E-Auth Project
   •  Tech Engineer on Dept. of Energy FICAM Project
   •  Tech Engineer on General Services Admin (GSA) FICAM Project
   •  Tech SME on Dept. of Labor FICAM Project
So … WHO are YOU?
Identity Assurance
“… the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity - whether a human or a machine, with which it interacts to effect a transaction, can be trusted to actually belong to the entity.”

Levels of Assurance

Level  Confidence Level         Examples
1      Little or no confidence  Google (IDP), Facebook (IDP)
2      Some confidence          Corporate username and password
3      High confidence          2FA (Smart card, OTP, etc.)
4      Very high confidence     Smart card (but requires in-person identity proofing)

Identity Assurance Frameworks

A few major Identity Assurance Frameworks
•  Swedish eLegitimation
•  Pan-Canadian
•  STORK
•  InCommon
•  Kantara
•  IDAP
•  NSTIC / FICAM
•  Australian Access Federation (AAF)
•  National Electronic Authentication Framework

Identity Assurance Framework Principles

Identity Assurance Principle / Control afforded to a user
1. User Control: identity assurance activities can only take place with user consent
2. Transparency: identity assurance can only take place in ways the user understands and when the user is fully informed
3. Multiplicity: the user can choose as many different identifiers or identity providers as desired
4. Data Minimization: a request or transaction uses the minimum identity data necessary
5. Data Quality: the user chooses when to update records
6. Service-User Access and Portability: the user has to be provided copies of the user's data on request; the user can move data whenever they choose
7. Governance / Certification: all participants in the Identity Assurance System must be accredited
8. Problem Resolution: independent arbitration
9. Exceptional Circumstances: any exceptions have to be approved by the governing body and are subject to independent scrutiny

Principles / Product Mapping

Identity Assurance Principle -> OpenAM Configuration
1. User Control: user consent screen in the SAML transaction
2. Transparency: the user consent screen in the SAML transaction should display the attributes being shared and how they are being shared
3. Multiplicity: Identity Proxy / IDP Finder
4. Data Minimization: the SAML Response should only send the required attributes

Implementation Requirements

Service Provider
•  Choice of credential/IDP at the appropriate LOA
•  SAML request includes the LOA requirement in the authentication context attribute
•  Manage access according to LOA requirements

Identity Provider
•  Choice of authentication mechanisms at the appropriate LOA
•  Identity proofing
•  E.g., Adaptive Risk (e.g. Device Print)

Identity Proxy
•  Provide user consent mechanisms

Typical Architecture Model

OpenAM IAF Architecture

Diagram (reconstructed from the slide): the Service Provider sends a SAML Request carrying the required LOA to the IDP Proxy, which forwards it to an IDP that supports that level and returns the SAML Response:
•  IDP1 - Supports LOA1 (e.g. Google IDP)
•  IDP2 - Supports LOA2
•  IDP3 - Supports LOA3/4 (PKI, 2FA, etc.)

Example SAML Request:
http://machinea.sp.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=machineb.idpproxy.com&NameIDFormat=transient&AuthnContextClassRef=http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1

Customize for Framework

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://am2.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <Extensions>
    <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">
      <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                     xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
        <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1</ns2:AttributeValue>
        <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2</ns2:AttributeValue>
        <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3</ns2:AttributeValue>
        <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4</ns2:AttributeValue>
      </ns2:Attribute>
    </ns1:EntityAttributes>
  </Extensions>

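The spSSOInit request above names the required assurance level in AuthnContextClassRef, and the metadata extension above advertises which levels an entity is certified for. The following Python, added here and not taken from the slides or from OpenAM, reads both and performs the proxy's routing decision of the architecture slide, plus the Service Provider's "manage access according to LOA" check that the AuthnContext returned in the response meets the level that was requested. The three IdP entity IDs and their LOA sets are constructed, and the assumption that a higher ICAM level satisfies a lower request is mine, not the slides'.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
ICAM = "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel"

def loa(class_ref):
    # ICAM AuthnContextClassRef URI -> LOA number 1..4; None for any other context class
    ref = (class_ref or "").strip()
    suffix = ref[len(ICAM):]
    return int(suffix) if ref.startswith(ICAM) and suffix in ("1", "2", "3", "4") else None

def certified_levels(metadata_xml):
    # (entityID, {LOA numbers}) read from the assurance-certification entity attribute
    root = ET.fromstring(metadata_xml)
    levels = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == CERT_ATTR:
            levels |= {loa(v.text) for v in attr.findall("saml:AttributeValue", NS)} - {None}
    return root.get("entityID"), levels

def requested_loa(sp_sso_init_url):
    # LOA the SP asks for in the AuthnContextClassRef parameter of spSSOInit.jsp (None if absent)
    return loa(parse_qs(urlparse(sp_sso_init_url).query).get("AuthnContextClassRef", [""])[0])

def choose_idp(sp_sso_init_url, idp_metadata_docs):
    # Proxy routing: first IdP certified for exactly the requested LOA, None if nobody is
    want = requested_loa(sp_sso_init_url)
    return next((eid for eid, levels in map(certified_levels, idp_metadata_docs)
                 if want in levels), None)

def response_acceptable(sp_sso_init_url, asserted_class_ref):
    # SP-side check: the AuthnContext asserted in the response must meet or exceed the requested LOA
    want, got = requested_loa(sp_sso_init_url), loa(asserted_class_ref)
    return want is not None and got is not None and got >= want

def metadata(entity_id, levels):
    # Constructed IdP metadata in the shape of the slide's EntityDescriptor extension
    vals = "".join(f"<saml:AttributeValue>{ICAM}{n}</saml:AttributeValue>" for n in levels)
    return (f'<md:EntityDescriptor entityID="{entity_id}" xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
            f'xmlns:saml="{NS["saml"]}"><md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{CERT_ATTR}">'
            f"{vals}</saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>")

IDPS = [metadata("https://idp1.example.test", [1]),  # constructed sample: the three IdPs of the diagram
        metadata("https://idp2.example.test", [1, 2]), metadata("https://idp3.example.test", [1, 2, 3, 4])]
REQUEST_LOA3 = ("http://machinea.sp.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID="
                "machineb.idpproxy.com&NameIDFormat=transient&AuthnContextClassRef=" + ICAM + "3")
```

A request for a level no IdP is certified for yields no route rather than a silent downgrade, and an assertion that comes back below the requested level is rejected by the SP check.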
Questions?
Thank you!!
Identity Assurance Programs
•  US, NSTIC
•  UK, Cabinet Programme Office
•  EU, STORK (https://www.eid-stork.eu/)
•  There's Pan-Canadian - you can talk to Colin Walls or Ken Dagg
•  UK IDAP - John Bradley has been circling in the space
•  Swedish eLegitimation (http://www.e-legitimation.se/Elegitimation/)

Implementing eGov
