Global Federated Identity & Privilege Management
GFIPM
John Ruegg, Director
LA County ISAB
United States Department of Justice
What is Federated Identity Management?
• You trust another organization to identify its users and authenticate them before they can connect to your system. That organization is a Trusted Identity Provider (IDP).
• Your system relies on the identity information asserted by the IDP to make access and authorization decisions. Your system is the relying party, or Service Provider (SP).
• IDPs and SPs have mutual technical and policy obligations they must meet in order to participate in the Federation.
FBI CJIS Systems - A Federated Identity Management Model
• The FBI trusts your organization to identify your users and authenticate them before they can connect to the CJIS Systems. The Trusted Identity Provider (IDP) is the CJIS Control Terminal Officer (CTO).
• The FBI CJIS Systems rely on the identity information provided by your CTO (the IDP) to make access and authorization decisions; CJIS is the relying Service Provider (SP).
• IDPs and SPs have mutual technical and policy obligations in the Federation, set out in the CJIS Policy.
Benefits of Federated Identity Management
• The local organization provides the Identity Management System (IDP) using its own local authentication methods
• Many commercial products have adopted the federated identity open standards that GFIPM uses
• Identity information is communicated over the network via a standard GFIPM justice identity credential
Benefits of Federated Identity Management
• Eliminates multiple userids/passwords and security tokens
• Access to your system is granted only to users who have first authenticated to a trusted Identity Provider (IDP)
• GFIPM-enabled systems always receive current identity information via the GFIPM justice identity credential; there is no need to manually register and maintain users
• Changes in user status (job role, retirement, etc.) need to be updated only once, at the local IDP
[Diagram: GFIPM Federation (Single Sign-on, SSO) over the Internet, linking One DOJ, Fusion Center A, HSIN and RISS; each participant performs its own AuthID step and the federation carries the identity to the others.]
Security & Privacy Policy Enforcement
[Diagram: a Request message carrying GFIPM credentials reaches the PEP, which consults the PDP. The PDP evaluates electronic policy statements (dynamic, federated) derived from written policy, together with content metadata and environmental conditions, over actions such as release, modify, access and delete. The outcome is a Response message with any obligations, and an audit trail is recorded.]
PEP: Policy Enforcement Point; PDP: Policy Decision Point
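The two slides above describe the same exchange from both ends: the IDP asserts identity (first slide, "What is Federated Identity Management?") and the SP's PEP validates the credential, asks the PDP for a decision, enforces it and writes an audit record. The following is an added example, not code from the presentation or from the GFIPM project, that walks that exchange in Python using only the standard library. The JSON credential, the HMAC signature, the IDP entity IDs, the attribute names (`sworn_officer`, `cjis_certified`, `records_administrator`) and the policy rules are all constructed stand-ins for SAML 2.0 assertions with XML signatures and XACML policy; they are not the GFIPM specification.

```python
"""Toy GFIPM-style exchange: an IDP issues an identity credential, the
SP's PEP validates it and asks a PDP for a decision, and an audit trail
records the outcome.  Added example, standard library only.  Credential
format, signature scheme, attribute names and policy are simplifications,
not the GFIPM specification."""
import hashlib
import hmac
import json

# Constructed trust store: IDPs this SP has registered, keyed by entity ID
# (hypothetical names).  A real SP holds each IDP's signing certificate
# from federation metadata rather than a shared secret.
TRUSTED_IDPS = {
    "urn:idp:la-county-cto": b"la-county-signing-key",
    "urn:idp:jnet": b"jnet-signing-key",
}
SP_ENTITY_ID = "urn:sp:criminal-history-query"


def issue_credential(issuer, key, subject, attributes, now, ttl=300):
    """IDP side: vouch for who the user is and which attributes apply."""
    body = {"issuer": issuer, "subject": subject, "audience": SP_ENTITY_ID,
            "not_before": now, "not_on_or_after": now + ttl,
            "attributes": attributes}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def validate_credential(credential, now):
    """SP side: the checks a relying party makes before trusting attributes.
    Returns (body, reason); body is None when the credential is rejected."""
    body = json.loads(credential["payload"])
    key = TRUSTED_IDPS.get(body.get("issuer"))
    if key is None:
        return None, "untrusted issuer"
    expected = hmac.new(key, credential["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["signature"]):
        return None, "bad signature"
    if body.get("audience") != SP_ENTITY_ID:
        return None, "wrong audience"
    if not body["not_before"] <= now < body["not_on_or_after"]:
        return None, "expired or not yet valid"
    return body, "ok"


# Constructed policy (hypothetical attribute names): which attribute values
# a subject must present for each resource/action pair.
POLICY = [
    {"resource": "criminal-history", "action": "access",
     "require": {"sworn_officer": True, "cjis_certified": True}},
    {"resource": "criminal-history", "action": "modify",
     "require": {"records_administrator": True}},
]


def pdp_decide(attributes, resource, action):
    """PDP: evaluate policy over the asserted attributes; default deny."""
    for rule in POLICY:
        if rule["resource"] == resource and rule["action"] == action:
            met = all(attributes.get(k) == v for k, v in rule["require"].items())
            return "Permit" if met else "Deny"
    return "Deny"


AUDIT_TRAIL = []


def pep_handle(credential, resource, action, now):
    """PEP: validate the credential, obtain a decision, enforce it, log it."""
    body, reason = validate_credential(credential, now)
    if body is None:
        subject, decision = None, "Deny"
    else:
        subject = body["subject"]
        decision = pdp_decide(body["attributes"], resource, action)
        reason = "policy"
    AUDIT_TRAIL.append({"time": now, "subject": subject, "resource": resource,
                        "action": action, "decision": decision, "reason": reason})
    return decision


def demo():
    """Run the cases a relying party must get right; returns the decisions."""
    now = 1_700_000_000
    idp, key = "urn:idp:la-county-cto", TRUSTED_IDPS["urn:idp:la-county-cto"]
    officer = issue_credential(idp, key, "jdoe",
                               {"sworn_officer": True, "cjis_certified": True}, now)
    clerk = issue_credential(idp, key, "asmith",
                             {"sworn_officer": False, "cjis_certified": True}, now)
    # A credential signed by an IDP this SP never registered.
    rogue = issue_credential("urn:idp:unknown", b"anything", "mallory",
                             {"sworn_officer": True, "cjis_certified": True}, now)
    # The clerk flips an attribute after the IDP signed the credential.
    tampered = {"payload": clerk["payload"].replace(b'"sworn_officer": false',
                                                    b'"sworn_officer": true'),
                "signature": clerk["signature"]}
    return {
        "officer_access": pep_handle(officer, "criminal-history", "access", now),
        "officer_modify": pep_handle(officer, "criminal-history", "modify", now),
        "clerk_access": pep_handle(clerk, "criminal-history", "access", now),
        "rogue_idp": pep_handle(rogue, "criminal-history", "access", now),
        "tampered": pep_handle(tampered, "criminal-history", "access", now),
        "expired": pep_handle(officer, "criminal-history", "access", now + 600),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:15} {decision}")
    for entry in AUDIT_TRAIL:
        print(entry)
```

Only the first case is permitted; the other five are denied for different reasons (policy, untrusted issuer, bad signature, expiry), and the audit trail records which. Every check in `validate_credential` has a direct counterpart in a SAML-consuming SP (issuer in federation metadata, signature over the assertion, `Audience`, `NotBefore`/`NotOnOrAfter`), and the default-deny in `pdp_decide` is the behaviour a PDP should have when no rule applies.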
Early Adopters of GFIPM
Live in Production
• RISSnet – Intelligence
• Pennsylvania JNET – criminal justice information
• CisaNet – Southwestern States Intelligence
Under Development
• LA County – local Criminal History
• San Diego County – ARJIS criminal justice information
• Southern Shield – 14 States Fusion Centers
• Connect Project – 8 States portals and federated query services
• OneDOJ – Access to Federal Information Resources
• OneDHS – Access to DHS resources
Benefit of Open Standards Adoption
• RSA Conference, April 6, 2008 – interoperability demonstration of 7 vendors' products
• "We're pleased to work with OASIS on addressing the very sensitive issues related to the access of patient information," said John (Mike) Davis, standards architect with the VHA Office of Information in the Department of Veterans Affairs, and a member of the HITSP Security, Privacy and Infrastructure Technical Committee. "XACML helps ensure that patients, physicians, hospitals, public health agencies and other authorized users share critical information appropriately and securely."