Implementing eGov


description

ForgeRock Consultant Brad Tumy details eGov implementation in one of our Standards sessions.

Transcript of Implementing eGov

Page 1: Implementing eGov

Brad Tumy 2013 Open Stack Identity Summit - France

Tell me WHO are YOU? … ‘Cause I really want to know

Page 2: Implementing eGov

@brad_tumy

Agenda

•  Identity Assurance

•  Identity Assurance Frameworks

•  Implementation Requirements

•  Typical Architecture Model

Page 3: Implementing eGov

@brad_tumy

Who am I?

•  @brad_tumy

•  http://www.linkedin.com/in/bradtumy

•  Identity & Access Management Consultant

•  18 Years of InfoSec (Development & Sys Integration)

•  Experience:

   •  Technical Engineer on Dept. of Veteran’s Affairs E-Auth Project

   •  Tech Engineer on Dept. of Energy FICAM Project

   •  Tech Engineer on General Service Admin (GSA) FICAM Project

   •  Tech SME on Dept. of Labor FICAM Project

Page 4: Implementing eGov

Brad Tumy 2013 Open Stack Identity Summit - France

So … WHO are YOU?

Page 5: Implementing eGov

Brad Tumy 2013 Open Stack Identity Summit - France

Identity Assurance

Page 6: Implementing eGov

@brad_tumy

Identity Assurance

Levels of Assurance (level, confidence, examples)

Level 1 (Little or no confidence): Google (IDP), Facebook (IDP)

Level 2 (Some confidence): Corporate username and password

Level 3 (High confidence): 2FA (Smart card, OTP, etc.)

Level 4 (Very high confidence): Smart Card (but requires in-person identity proofing)

“… the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity - whether a human or a machine, with which it interacts to effect a transaction, can be trusted to actually belong to the entity.”

Page 7: Implementing eGov

Brad Tumy 2013 Open Stack Identity Summit - France

Identity Assurance Frameworks

Page 8: Implementing eGov

@brad_tumy

A few major Identity Assurance Frameworks

•  InCommon

•  NSTIC / FICAM

•  STORK

•  IDAP

•  Pan-Canadian

•  Swedish eLegitimation

•  Australian Access Federation (AAF)

•  National Electronic Authentication Framework

•  Kantara

Page 9: Implementing eGov

@brad_tumy

Identity Assurance Framework Principles

Identity Assurance Principle / Control afforded to a user:

1. User Control: Identity assurance activities can only take place with user consent.

2. Transparency: Identity assurance can only take place in ways the user understands and when the user is fully informed.

3. Multiplicity: The user can choose as many different identifiers or identity providers as desired.

4. Data Minimization: A request or transaction uses the minimum identity data necessary.

5. Data Quality: The user chooses when to update records.

6. Service-User Access and Portability: The user has to be provided copies of the user’s data on request; the user can move data whenever they choose.

7. Governance / Certification: All participants in the Identity Assurance System must be accredited.

8. Problem Resolution: Independent arbitration.

9. Exceptional Circumstances: Any exceptions have to be approved by the governing body and are subject to independent scrutiny.

Page 10: Implementing eGov

@brad_tumy

Principles / Product Mapping

Identity Assurance Principle / OpenAM Configuration:

1. User Control: User Consent Screen in SAML Transaction

2. Transparency: User Consent Screen in SAML Transaction should display the attributes being shared and how they are being shared.

3. Multiplicity: Identity Proxy / IDP Finder

4. Data Minimization: SAML Response should only send required attributes
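The two OpenAM configuration points for Transparency and Data Minimization (show the user exactly which attributes are shared; send the SP only the attributes it requires) can be illustrated with a small attribute-release filter. This is an added example, not code from the deck or from OpenAM: it assumes a hypothetical per-SP release policy keyed by SP entity ID, and the assertion, attribute names and values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# Constructed sample: an unsigned assertion as an IdP might build it before signing.
# Attribute names and values are made up for this example.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" IssueInstant="2013-10-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/openam</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical release policy: the attributes each service provider is entitled to receive.
# An SP that is not listed gets nothing (deny by default).
RELEASE_POLICY = {
    "https://sp.example.gov/openam": {"uid", "mail"},
}


def minimize_attributes(assertion_xml, sp_entity_id, policy=RELEASE_POLICY):
    """Drop every attribute the SP's policy does not require.

    Returns (filtered_xml, names_released) so the caller can both sign the
    reduced assertion and log what was actually disclosed."""
    allowed = policy.get(sp_entity_id, set())
    root = ET.fromstring(assertion_xml)
    released = []
    for stmt in root.findall("saml:AttributeStatement", NS):
        for attr in stmt.findall("saml:Attribute", NS):
            name = attr.get("Name")
            if name in allowed:
                released.append(name)
            else:
                stmt.remove(attr)
    return ET.tostring(root, encoding="unicode"), released


def consent_summary(assertion_xml):
    """List (attribute name, values) so a consent screen can show exactly what is shared."""
    root = ET.fromstring(assertion_xml)
    return [
        (attr.get("Name"), [v.text for v in attr.findall("saml:AttributeValue", NS)])
        for attr in root.iterfind(".//saml:Attribute", NS)
    ]


if __name__ == "__main__":
    filtered, released = minimize_attributes(SAMPLE_ASSERTION, "https://sp.example.gov/openam")
    for name, values in consent_summary(filtered):
        print(f"will share {name} = {values}")
```

The order of operations matters: filter first, then render the consent screen from the filtered assertion, then sign it. Showing consent for attributes that are later filtered out, or filtering after signing, would break either the Transparency or the Data Minimization principle.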

Page 11: Implementing eGov

Brad Tumy 2013 Open Stack Identity Summit - France

Implementation Requirements

Page 12: Implementing eGov

@brad_tumy

Implementation Reqs

•  Identity Provider

   •  Identity Proxy

   •  Provide User Consent mechanisms

   •  Choice of Authentication mechanisms at appropriate LOA

   •  Identity Proofing

      •  E.g., Adaptive Risk (e.g. Device Print)

   •  SAML Response

•  Service Provider

   •  Choice of Credential/IDP at appropriate LOA

   •  SAML request includes LOA requirement in authentication context attribute

   •  Manage access according to LOA requirements

Page 13: Implementing eGov

Brad Tumy 2013 Open Stack Identity Summit - France

Typical Architecture Model

Page 14: Implementing eGov

@brad_tumy

OpenAM IAF Architecture

(Architecture diagram. Labels: IDPProxy; LOA1, LOA2, LOA3, LOA 4; IDP1, IDP2, IDP3; SAML Request; SAML Response. The identity providers behind the proxy are captioned "Supports LOA1, e.g. Google IDP", "Supports LOA2" and "Supports LOA3/4: PKI, 2FA, etc.")

Example SAML Request:

http://machinea.sp.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=machineb.idpproxy.com&NameIDFormat=transient&AuthnContextClassRef=http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1

Page 15: Implementing eGov

@brad_tumy

Customize for Framework

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <EntityDescriptor entityID="https://am2.ssobridge.com:8443/openam" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <Extensions>
        <ns1:EntityAttributes xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute">
          <ns2:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                         xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
            <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1</ns2:AttributeValue>
            <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2</ns2:AttributeValue>
            <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3</ns2:AttributeValue>
            <ns2:AttributeValue>http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4</ns2:AttributeValue>
          </ns2:Attribute>
        </ns1:EntityAttributes>
      </Extensions>
      <!-- remainder of the entity descriptor omitted on the slide -->
    </EntityDescriptor>

The assurance-certification entity attribute advertises which levels this IDP proxy is certified to assert. The slide's values carried a trailing space inside each AttributeValue, which is removed above: a relying party that compares the URI strings exactly would otherwise fail to match them.
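Pages 12, 14 and 15 together describe one flow: the SP puts its LOA requirement into the AuthnContextClassRef of the request, the IDP proxy advertises the levels it is certified for in its metadata, and the SP manages access according to the LOA that comes back. The following added example (not code from the deck or from OpenAM) walks through that flow on the SP side with the ICAM assurance URIs from the slides. The metadata and Response documents are constructed in the shape the slides show; signature, audience and replay validation are assumed to be done by the SAML stack before this check runs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# The four ICAM assurance-level URIs used on the slides; list index + 1 is the LOA.
ICAM_PREFIX = "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel"
LOA_URIS = [ICAM_PREFIX + str(n) for n in (1, 2, 3, 4)]
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def loa_rank(uri):
    """Numeric LOA for an ICAM URI; anything else (or an unknown context class) ranks 0."""
    uri = (uri or "").strip()  # tolerate the stray space seen inside the slide's AttributeValues
    return LOA_URIS.index(uri) + 1 if uri in LOA_URIS else 0


def sp_sso_init_url(openam_base, meta_alias, idp_entity_id, required_loa):
    """Build the spSSOInit.jsp URL from the slide, asking the IDP proxy for the given LOA."""
    params = {
        "metaAlias": meta_alias,
        "idpEntityID": idp_entity_id,
        "NameIDFormat": "transient",
        "AuthnContextClassRef": LOA_URIS[required_loa - 1],
    }
    return f"{openam_base}/saml2/jsp/spSSOInit.jsp?{urlencode(params)}"


def requested_loa(url):
    """Read the LOA an SP asked for back out of such a URL (0 if absent or unknown)."""
    refs = parse_qs(urlparse(url).query).get("AuthnContextClassRef", [])
    return loa_rank(refs[0]) if refs else 0


def advertised_levels(metadata_xml):
    """LOAs an IdP certifies through the assurance-certification entity attribute."""
    root = ET.fromstring(metadata_xml)
    levels = set()
    for attr in root.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_ATTR:
            levels.update(loa_rank(v.text) for v in attr.findall("saml:AttributeValue", NS))
    levels.discard(0)
    return levels


def asserted_level(response_xml):
    """LOA carried in the Response's AuthnContextClassRef; with several statements the lowest wins."""
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    ranks = [loa_rank(ref.text) for ref in root.iterfind(path, NS)]
    return min(ranks) if ranks else 0


def access_decision(response_xml, idp_metadata_xml, required_loa):
    """SP-side check: the asserted LOA must meet the requirement AND the IdP must be
    certified for that level in its metadata (an IdP cannot promote itself in a Response)."""
    level = asserted_level(response_xml)
    if level < required_loa:
        return False, f"asserted LOA {level} below required LOA {required_loa}"
    if level not in advertised_levels(idp_metadata_xml):
        return False, f"IdP metadata does not certify LOA {level}"
    return True, f"LOA {level} accepted"


def sample_metadata(entity_id, levels):
    """Constructed metadata in the shape of the slide's snippet (ns1/ns2 prefixes as OpenAM emits them)."""
    values = "".join(f"<ns2:AttributeValue>{LOA_URIS[l - 1]} </ns2:AttributeValue>" for l in levels)
    return (
        f'<EntityDescriptor entityID="{entity_id}" xmlns="{NS["md"]}"><Extensions>'
        f'<ns1:EntityAttributes xmlns:ns1="{NS["mdattr"]}">'
        f'<ns2:Attribute Name="{ASSURANCE_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"'
        f' xmlns:ns2="{NS["saml"]}">{values}</ns2:Attribute>'
        "</ns1:EntityAttributes></Extensions></EntityDescriptor>"
    )


def sample_response(level):
    """Constructed, unsigned Response with one AuthnStatement at the given LOA."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-10-01T12:00:00Z">'
        "<saml:Issuer>https://machineb.idpproxy.com/openam</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2013-10-01T12:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{LOA_URIS[level - 1]}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    proxy_md = sample_metadata("https://am2.ssobridge.com:8443/openam", [1, 2, 3, 4])
    print(sp_sso_init_url("http://machinea.sp.com/openam", "/sp", "machineb.idpproxy.com", 2))
    print(access_decision(sample_response(2), proxy_md, 2))
```

The second check in access_decision is the one that is easy to forget: an IDP that only supports LOA1 (the Google-style IDP on the diagram) must not be able to satisfy an LOA3 requirement just by placing the LOA3 URI in its Response, so the SP cross-checks the asserted level against what that IdP's metadata certifies.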

Page 16: Implementing eGov

Brad Tumy 2013 Open Stack Identity Summit - France

Questions? Thank you!!

Page 17: Implementing eGov

@brad_tumy

Identity Assurance Programs

•  US, NSTIC

•  UK, Cabinet Programme Office

•  EU, STORK (https://www.eid-stork.eu/)

•  There's Pan-Canadian - you can talk to Colin Walls or Ken Dagg

•  UK IDAP - John Bradley has been circling in the space

•  Swedish eLegitimation - http://www.e-legitimation.se/Elegitimation/Templates/StartPage.aspx - you can talk to Leif Johanssen
