ForgeRock, profile picture
Uploaded byForgeRock
PDF, PPTX2,415 views

Implementing eGov

Brad Tumy gave a presentation on identity assurance at the 2013 Open Stack Identity Summit in France. The presentation covered topics such as levels of identity assurance, common identity assurance frameworks, implementation requirements, and a typical identity assurance architecture model. It discussed using identity assurance to determine the level of certainty that an electronic credential represents the actual entity it claims to.

Embed presentation

Download as PDF, PPTX
Brad Tumy 2013 Open Stack Identity Summit - France Tell me WHO are YOU? … ‘Cause I really want to know
Agenda •  Identity Assurance •  Identity Assurance Frameworks •  Implementation Requirements •  Typical Architecture Model @brad_tumy
Who am I? •  @brad_tumy •  http://www.linkedin.com/in/bradtumy •  Identity & Access Management Consultant •  18 Years of InfoSec (Development & Sys Integration) •  Experience: •  Technical Engineer on Dept. of Veteran’s Affairs E-Auth Project •  Tech Engineer on Dept. of Energy FICAM Project •  Tech Engineer on General Service Admin (GSA) FICAM Project •  Tech SME on Dept. of Labor FICAM Project @brad_tumy
Brad Tumy 2013 Open Stack Identity Summit - France So … WHO are YOU?
Brad Tumy 2013 Open Stack Identity Summit - France Identity Assurance
Identity Assurance “… the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity - whether a human or a machine, with which it interacts to effect a transaction, can be trusted to actually belong to the entity.” Levels of Assurance Confidence Level Examples 1 Little or no confidence Google (IDP), Facebook (IDP) 2 Some confidence Corporate username and password 3 High confidence 2FA (Smart card, OTP, etc) 4 Very High Confidence Smart Card (but requires inperson identity proofing) @brad_tumy
Brad Tumy 2013 Open Stack Identity Summit - France Identity Assurance Frameworks
A few major Identity Assurance Frameworks Swedish eLegitimation Pan-Canadian STORK InCommon Kantara IDAP NSTIC / FICAM Australian Access Federation (AAF) National Electronic Authentication Framework @brad_tumy
Identity Assurance Framework Principles Identity Assurance Principle Control afforded to a user 1. User Control Identity assurance activities can only take place by user consent 2. Transparency Identity assurance can only take place in ways user understands and when fully informed 3. Multiplicity User can choose as many different identifiers or identity providers as desired 4. Data Minimization Request or transaction uses minimum identity data as necessary 5. Data Quality User chooses when to update records. 6. Service-User Access and Portability User has to be provided copies of user’s data on request; user can move data whenever they choose 7. Governance / Certification All participants in Identity Assurance System must be accredited 8. Problem Resolution Independent Arbitration 9. Exceptional Circumstances Any exceptions have to be approved by Governing body and subject to independent scrutiny @brad_tumy
Principles / Product Mapping Identity Assurance Principle 1. User Control User Consent Screen in SAML Transaction 2. Transparency User Consent Screen in SAML Transaction should display attributes being shared and how it is being shared. 3. Multiplicity Identity Proxy / IDP Finder 4. Data Minimization @brad_tumy OpenAM Configuration SAML Response should only send required attributes
Brad Tumy 2013 Open Stack Identity Summit - France Implementation Requirements
Implementation Reqs •  Service Provider •  Choice of Credential/IDP at •  Identity Provider •  Identity Proxy •  Provide User Consent appropriate LOA •  SAML request includes LOA mechanisms requirement in authentication context attribute •  Choice of Authentication mechanisms at appropriate •  Manage access according to LOA LOA requirements •  Identity Proofing •  @brad_tumy E.g., Adaptive Risk (e.g. Device Print)
Brad Tumy 2013 Open Stack Identity Summit - France Typical Architecture Model
OpenAM IAF Architecture IDP1 IDP2 Supports LOA1 e.g. Google IDP SAML Request LOA1 Supports LOA2 LOA2 IDP Proxy IDP3 Supports LOA3/4 PKI, 2FA, ETC LOA3 LOA 4 SAML Response Example SAML Request: http://machinea.sp.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/ sp&idpEntityID=machineb.idpproxy.com&NameIDFormat=transient&AuthnContextClassRef= http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1 @brad_tumy
Customize for Framework <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <EntityDescriptor entityID="https://am2.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML: 2.0:metadata"> <Extensions> <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute"> <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns2="urn:oasis:names:tc:SAML: 2.0:assertion"> <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1 </ns2:AttributeValue> <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2 </ns2:AttributeValue> <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3 </ns2:AttributeValue> <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4 </ns2:AttributeValue> </ns2:Attribute> </ns1:EntityAttributes> </Extensions> @brad_tumy
Brad Tumy 2013 Open Stack Identity Summit - France Questions? Thank you!!
Identity Assurance Programs •  US, NSTIC •  UK, Cabinet Programme Office •  EU, STORK (https://www.eid-stork.eu/) •  There's Pan-Canadian - you can talk to Colin Walls or Ken Dagg •  UK IDAP - John Bradley has been circling in the space •  Swedish eLegitimation @brad_tumy http://www.e-legitimation.se/Elegitimation/
ForgeRock Powerpoint Preso Template Secondary Line of Copy @brad_tumy
All-In-One-Access Management System •  One Solution to Protect Them All. •  One Solution to Protect Them All. •  One Solution to Protect Them All. •  Second Line •  Second Line @brad_tumy

More Related Content

PPTX
Identity Management with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
PPTX
Webinar: OpenAM 12.0 - New Featurs
byForgeRock
 
PPTX
OpenAM - An Introduction
byForgeRock
 
PPTX
OIS Architecture Review
byForgeRock
 
PPTX
OpenAM: An Introduction
byForgeRock
 
PPT
Incredible Edible Identity
byForgeRock
 
PDF
OpenAM Best Practices - Corelio Media Case Study
byForgeRock
 
PPTX
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
byForgeRock
 
Identity Management with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
Webinar: OpenAM 12.0 - New Featurs
byForgeRock
 
OpenAM - An Introduction
byForgeRock
 
OIS Architecture Review
byForgeRock
 
OpenAM: An Introduction
byForgeRock
 
Incredible Edible Identity
byForgeRock
 
OpenAM Best Practices - Corelio Media Case Study
byForgeRock
 
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
byForgeRock
 

What's hot

PPT
THE FORGEROCK PLATFORM BIG PICTURE
byForgeRock
 
PDF
Federation in Practice
byForgeRock
 
PDF
Identity as a Managed Cloud Service
byForgeRock
 
PPTX
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
byForgeRock
 
PPT
Open Identity Stack Roadmap
byForgeRock
 
PPTX
Directory Services with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
PPTX
Webinar: OpenIDM 3.1
byForgeRock
 
PPTX
Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
byForgeRock
 
PPTX
OpenIG Webinar: Your Swiss Army Knife for Protecting and Securing Web Apps, A...
byForgeRock
 
PPTX
Webinar: Access Management with the ForgeRock Identity Platform - So What’s N...
byForgeRock
 
PPTX
A CONTEMPLATION OF OPENIG DEEP THOUGHTS
byForgeRock
 
PPTX
OpenDJ - An Introduction
byForgeRock
 
PPTX
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
byForgeRock
 
PDF
Pimping the ForgeRock Identity Platform for a Billion Users
byForgeRock
 
PDF
ForgeRock Platform Release - Summer 2016
byForgeRock
 
PPTX
WSO2 Identity Server 5.3.0 - Product Release Webinar
byWSO2
 
PDF
Integrating FIDO Authentication & Federation Protocols
byFIDO Alliance
 
PDF
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
byMike Schwartz
 
PDF
Bring your own Identity (BYOID) with WSO2 Identity Server
byWSO2
 
PDF
The Future is Now: What’s New in ForgeRock Access Management
byForgeRock
 
THE FORGEROCK PLATFORM BIG PICTURE
byForgeRock
 
Federation in Practice
byForgeRock
 
Identity as a Managed Cloud Service
byForgeRock
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
byForgeRock
 
Open Identity Stack Roadmap
byForgeRock
 
Directory Services with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
Webinar: OpenIDM 3.1
byForgeRock
 
Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
byForgeRock
 
OpenIG Webinar: Your Swiss Army Knife for Protecting and Securing Web Apps, A...
byForgeRock
 
Webinar: Access Management with the ForgeRock Identity Platform - So What’s N...
byForgeRock
 
A CONTEMPLATION OF OPENIG DEEP THOUGHTS
byForgeRock
 
OpenDJ - An Introduction
byForgeRock
 
OpenIDM - Flexible Provisioning Platform - April 28 Webinar
byForgeRock
 
Pimping the ForgeRock Identity Platform for a Billion Users
byForgeRock
 
ForgeRock Platform Release - Summer 2016
byForgeRock
 
WSO2 Identity Server 5.3.0 - Product Release Webinar
byWSO2
 
Integrating FIDO Authentication & Federation Protocols
byFIDO Alliance
 
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
byMike Schwartz
 
Bring your own Identity (BYOID) with WSO2 Identity Server
byWSO2
 
The Future is Now: What’s New in ForgeRock Access Management
byForgeRock
 

Similar to Implementing eGov

PPTX
Campus Consortium EdTalks Featuring Clemson University
byCampus Consortium
 
PPT
Federated Futures (Nicole Harris)
byJISC.AM
 
PPT
Identity as a Service
byPrabath Siriwardena
 
PPT
Identity 2.0 and User-Centric Identity
byOliver Pfaff
 
PPT
Fédération d’identité : des concepts Théoriques aux études de cas d’implément...
bye-Xpert Solutions SA
 
PDF
A model for privacy-enhance federated identity management
byrhoerbe1
 
PPTX
unit 1 Federated Identity Management_4.pptx
byzmulani8
 
PPT
EDUCAUSE_SEC10_Apr2010_Fed_Seminar_Final.ppt
byPreethamS41
 
PPTX
Managing Identities in the World of APIs
byApigee | Google Cloud
 
PDF
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
byJean-François LOMBARDO
 
PDF
PSCR 2019 - ICAM Standards
byAdam Lewis
 
PDF
50 data principles for loosely coupled identity management v1 0
byGanesh Prasad
 
PPTX
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
byLance Peterman
 
PPTX
Access management
byVenkatesh Jambulingam
 
PPTX
Converge Leveraging Identity With Professional Open Source Final
byGonow
 
PPTX
unit4.pptx
byApurvSingh65
 
PPTX
Identity and User Access Management.pptx
byirfanullahkhan64
 
PPTX
Age Verification: Reaching a Tipping Point
byDr Rachel O'Connell
 
PDF
Practical Federated Identity
byWSO2
 
PDF
Understanding Identity Management and Security.
byChinatu Uzuegbu
 
Campus Consortium EdTalks Featuring Clemson University
byCampus Consortium
 
Federated Futures (Nicole Harris)
byJISC.AM
 
Identity as a Service
byPrabath Siriwardena
 
Identity 2.0 and User-Centric Identity
byOliver Pfaff
 
Fédération d’identité : des concepts Théoriques aux études de cas d’implément...
bye-Xpert Solutions SA
 
A model for privacy-enhance federated identity management
byrhoerbe1
 
unit 1 Federated Identity Management_4.pptx
byzmulani8
 
EDUCAUSE_SEC10_Apr2010_Fed_Seminar_Final.ppt
byPreethamS41
 
Managing Identities in the World of APIs
byApigee | Google Cloud
 
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
byJean-François LOMBARDO
 
PSCR 2019 - ICAM Standards
byAdam Lewis
 
50 data principles for loosely coupled identity management v1 0
byGanesh Prasad
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
byLance Peterman
 
Access management
byVenkatesh Jambulingam
 
Converge Leveraging Identity With Professional Open Source Final
byGonow
 
unit4.pptx
byApurvSingh65
 
Identity and User Access Management.pptx
byirfanullahkhan64
 
Age Verification: Reaching a Tipping Point
byDr Rachel O'Connell
 
Practical Federated Identity
byWSO2
 
Understanding Identity Management and Security.
byChinatu Uzuegbu
 

More from ForgeRock

PDF
Digital Identities in the Internet of Things - Securely Manage Devices at Scale
byForgeRock
 
PPTX
Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
byForgeRock
 
PDF
Identity Live Sydney: Identity Management - A Strategic Opportunity
byForgeRock
 
PDF
Identity Live Singapore: Transform Your Cybersecurity Capability
byForgeRock
 
PDF
Identity Live Singapore 2018 Keynote Presentation
byForgeRock
 
PDF
Identity Live Sydney 2018 Keynote Presentation
byForgeRock
 
PDF
Identity Live Singapore: Just Ask 'Em
byForgeRock
 
PDF
Identity Live Singapore: Building Trust & Privacy in a Connected Society
byForgeRock
 
PDF
Identity Live Sydney: Intelligent Authentication
byForgeRock
 
PDF
Identity Live Sydney: Building Trust and Privacy in a Connected Society
byForgeRock
 
PDF
Get the Exact Identity Solution you Need in the Cloud - Deep Dive
byForgeRock
 
PPTX
Get the Exact Identity Solution You Need - In the Cloud - Overview
byForgeRock
 
PDF
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
byForgeRock
 
PDF
Opening Keynote (Identity Live Berlin 2018)
byForgeRock
 
PDF
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
byForgeRock
 
PDF
BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)
byForgeRock
 
PDF
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
byForgeRock
 
PDF
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
byForgeRock
 
PDF
Shift from GDPR readiness to sustained compliance to improve your business an...
byForgeRock
 
PDF
Intelligent Authentication (Identity Live Berlin 2018)
byForgeRock
 
Digital Identities in the Internet of Things - Securely Manage Devices at Scale
byForgeRock
 
Get the Exact Identity Solution You Need - In the Cloud - AWS and Beyond
byForgeRock
 
Identity Live Sydney: Identity Management - A Strategic Opportunity
byForgeRock
 
Identity Live Singapore: Transform Your Cybersecurity Capability
byForgeRock
 
Identity Live Singapore 2018 Keynote Presentation
byForgeRock
 
Identity Live Sydney 2018 Keynote Presentation
byForgeRock
 
Identity Live Singapore: Just Ask 'Em
byForgeRock
 
Identity Live Singapore: Building Trust & Privacy in a Connected Society
byForgeRock
 
Identity Live Sydney: Intelligent Authentication
byForgeRock
 
Identity Live Sydney: Building Trust and Privacy in a Connected Society
byForgeRock
 
Get the Exact Identity Solution you Need in the Cloud - Deep Dive
byForgeRock
 
Get the Exact Identity Solution You Need - In the Cloud - Overview
byForgeRock
 
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
byForgeRock
 
Opening Keynote (Identity Live Berlin 2018)
byForgeRock
 
Steinberg - Customer identity as the cornerstone of our approach to digitaliz...
byForgeRock
 
BMW Group - Identity Enables the Next 100 Years.. (Identity Live Berlin 2018)
byForgeRock
 
Trust is Everything - The Future of Identity and the ForgeRock Platform (Iden...
byForgeRock
 
Silo Busters- The Value of User and Data Centricity beyond IoT Devices (Ident...
byForgeRock
 
Shift from GDPR readiness to sustained compliance to improve your business an...
byForgeRock
 
Intelligent Authentication (Identity Live Berlin 2018)
byForgeRock
 

Recently uploaded

PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Workflow and decision Automation with Flowable
bychakib ch
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 

Implementing eGov

  • 1.
    Brad Tumy 2013 OpenStack Identity Summit - France Tell me WHO are YOU? … ‘Cause I really want to know
  • 2.
  • 3.
    Who am I? •  @brad_tumy • http://www.linkedin.com/in/bradtumy •  Identity & Access Management Consultant •  18 Years of InfoSec (Development & Sys Integration) •  Experience: •  Technical Engineer on Dept. of Veteran’s Affairs E-Auth Project •  Tech Engineer on Dept. of Energy FICAM Project •  Tech Engineer on General Service Admin (GSA) FICAM Project •  Tech SME on Dept. of Labor FICAM Project @brad_tumy
  • 4.
    Brad Tumy 2013 OpenStack Identity Summit - France So … WHO are YOU?
  • 5.
    Brad Tumy 2013 OpenStack Identity Summit - France Identity Assurance
  • 6.
    Identity Assurance “… theability for a party to determine, with some level of certainty, that an electronic credential representing an entity - whether a human or a machine, with which it interacts to effect a transaction, can be trusted to actually belong to the entity.” Levels of Assurance Confidence Level Examples 1 Little or no confidence Google (IDP), Facebook (IDP) 2 Some confidence Corporate username and password 3 High confidence 2FA (Smart card, OTP, etc) 4 Very High Confidence Smart Card (but requires inperson identity proofing) @brad_tumy
  • 7.
    Brad Tumy 2013 OpenStack Identity Summit - France Identity Assurance Frameworks
  • 8.
    A few majorIdentity Assurance Frameworks Swedish eLegitimation Pan-Canadian STORK InCommon Kantara IDAP NSTIC / FICAM Australian Access Federation (AAF) National Electronic Authentication Framework @brad_tumy
  • 9.
    Identity Assurance Framework Principles IdentityAssurance Principle Control afforded to a user 1. User Control Identity assurance activities can only take place by user consent 2. Transparency Identity assurance can only take place in ways user understands and when fully informed 3. Multiplicity User can choose as many different identifiers or identity providers as desired 4. Data Minimization Request or transaction uses minimum identity data as necessary 5. Data Quality User chooses when to update records. 6. Service-User Access and Portability User has to be provided copies of user’s data on request; user can move data whenever they choose 7. Governance / Certification All participants in Identity Assurance System must be accredited 8. Problem Resolution Independent Arbitration 9. Exceptional Circumstances Any exceptions have to be approved by Governing body and subject to independent scrutiny @brad_tumy
  • 10.
    Principles / Product Mapping IdentityAssurance Principle 1. User Control User Consent Screen in SAML Transaction 2. Transparency User Consent Screen in SAML Transaction should display attributes being shared and how it is being shared. 3. Multiplicity Identity Proxy / IDP Finder 4. Data Minimization @brad_tumy OpenAM Configuration SAML Response should only send required attributes
  • 11.
    Brad Tumy 2013 OpenStack Identity Summit - France Implementation Requirements
  • 12.
    Implementation Reqs •  ServiceProvider •  Choice of Credential/IDP at •  Identity Provider •  Identity Proxy •  Provide User Consent appropriate LOA •  SAML request includes LOA mechanisms requirement in authentication context attribute •  Choice of Authentication mechanisms at appropriate •  Manage access according to LOA LOA requirements •  Identity Proofing •  @brad_tumy E.g., Adaptive Risk (e.g. Device Print)
  • 13.
    Brad Tumy 2013 OpenStack Identity Summit - France Typical Architecture Model
  • 14.
    OpenAM IAF Architecture IDP1 IDP2 Supports LOA1 e.g.Google IDP SAML Request LOA1 Supports LOA2 LOA2 IDP Proxy IDP3 Supports LOA3/4 PKI, 2FA, ETC LOA3 LOA 4 SAML Response Example SAML Request: http://machinea.sp.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/ sp&idpEntityID=machineb.idpproxy.com&NameIDFormat=transient&AuthnContextClassRef= http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1 @brad_tumy
  • 15.
    Customize for Framework <?xml version="1.0"encoding="UTF-8" standalone="yes"?> <EntityDescriptor entityID="https://am2.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML: 2.0:metadata"> <Extensions> <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute"> <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:ns2="urn:oasis:names:tc:SAML: 2.0:assertion"> <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1 </ns2:AttributeValue> <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2 </ns2:AttributeValue> <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3 </ns2:AttributeValue> <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4 </ns2:AttributeValue> </ns2:Attribute> </ns1:EntityAttributes> </Extensions> @brad_tumy
  • 16.
    Brad Tumy 2013 OpenStack Identity Summit - France Questions? Thank you!!
  • 17.
    Identity Assurance Programs •  US,NSTIC •  UK, Cabinet Programme Office •  EU, STORK (https://www.eid-stork.eu/) •  There's Pan-Canadian - you can talk to Colin Walls or Ken Dagg •  UK IDAP - John Bradley has been circling in the space •  Swedish eLegitimation @brad_tumy http://www.e-legitimation.se/Elegitimation/
  • 18.
  • 19.
    All-In-One-Access Management System •  One Solutionto Protect Them All. •  One Solution to Protect Them All. •  One Solution to Protect Them All. •  Second Line •  Second Line @brad_tumy