Lower Assurance Approach
  Overview
  Management
  SAML as an adopted Scheme

Higher Assurance Approach
  Overview
  Certificate Validation
  Relationship to Bridge Architecture

Where we are today
  Today
  Near Term
SAML 1.0 Artifact Profile
  Proven interoperability
SAML Assertion Contents
  Name
  User ID
  CS ID

AA Responsibilities
  Authorization / Entitlements
  Mapping asserted identity to known identity
  May map multiple credentials to a known identity

CS Responsibilities
  Identity Management
  Credential Assessment Framework (CAF) requirements
Certificate Based Authentication
  “All sensitive data transfers shall be cryptographically authenticated using keys bound to the authentication process” (NIST SP800-63)
  Does not require shared secrets
  Certificate Path Discovery and Validation
  Certificates at lower assurance AAs
Certificate Validation is not enough
  Certificate Path Discovery and Validation
Public & Private Key Pair
  Mathematically bound numbers
  Encrypt with one, Decrypt with the other

Digital Signatures
  Hashes encrypted with a private key
  Validate source and integrity

Certificate Authorities (CAs) and Certificates
  Certificates bind a public key to an identity
  CAs issue certificates based on their policies
  Certificates are digitally signed by CAs

Trust Anchors
  A CA's self-signed certificate
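An added example, not part of the original deck, tying the "Certificate Validation is not enough" slide to the PKI basics above: a toy model of certificate path discovery and validation across a bridge architecture, where a certificate that verifies correctly under its issuer's key is still untrusted because no path reaches the agency's trust anchor. All CA names, keys and dates are constructed, and an HMAC stands in for the RSA/ECDSA signature a real certificate would carry.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes        # subject's key: toy stand-in for the public key carried in a real certificate
    not_after: int    # expiry, as a constructed day number
    signature: bytes  # issuer's signature over the to-be-signed fields

def tbs(subject, issuer, key, not_after):
    return f"{subject}|{issuer}|{key.hex()}|{not_after}".encode()  # the fields the issuer signs

def make_cert(subject, issuer, key, issuer_key, not_after):
    # Toy signature: an HMAC under the issuer's key stands in for an RSA/ECDSA signature.
    sig = hmac.new(issuer_key, tbs(subject, issuer, key, not_after), hashlib.sha256).digest()
    return Cert(subject, issuer, key, not_after, sig)

def signature_valid(cert, issuer_cert):
    # Single-certificate validation: does the named issuer's key verify this signature?
    want = hmac.new(issuer_cert.key, tbs(cert.subject, cert.issuer, cert.key, cert.not_after), hashlib.sha256).digest()
    return hmac.compare_digest(want, cert.signature)

def find_path(cert, pool, anchors, today, seen=()):
    # Path discovery and validation: follow issuer links through the pool until a trust anchor
    # signs the current certificate; every link must be unexpired and correctly signed.
    if cert.not_after < today or cert in seen:
        return None
    for anchor in anchors:
        if anchor.subject == cert.issuer and signature_valid(cert, anchor):
            return [cert, anchor]
    for cand in pool:  # self-signed certificates in the pool are not anchors and do not extend a path
        if cand.subject == cert.issuer and cand.subject != cand.issuer and signature_valid(cert, cand):
            rest = find_path(cand, pool, anchors, today, seen + (cert,))
            if rest:
                return [cert] + rest
    return None

# Constructed mini-PKI: the agency's anchor cross-certifies a bridge CA, which cross-certifies
# a partner CA that issues end-user certificates; "Other CA" is correctly formed but untrusted.
TODAY = 20000
AGENCY_ROOT = make_cert("Agency CA", "Agency CA", b"agency-key", b"agency-key", TODAY + 3650)
BRIDGE_XCERT = make_cert("Bridge CA", "Agency CA", b"bridge-key", b"agency-key", TODAY + 365)
PARTNER_XCERT = make_cert("Partner CA", "Bridge CA", b"partner-key", b"bridge-key", TODAY + 365)
ALICE = make_cert("alice@partner.example", "Partner CA", b"alice-key", b"partner-key", TODAY + 30)
EXPIRED = make_cert("bob@partner.example", "Partner CA", b"bob-key", b"partner-key", TODAY - 1)
OTHER_ROOT = make_cert("Other CA", "Other CA", b"other-key", b"other-key", TODAY + 3650)
MALLORY = make_cert("mallory@other.example", "Other CA", b"mallory-key", b"other-key", TODAY + 30)
POOL = [BRIDGE_XCERT, PARTNER_XCERT, OTHER_ROOT]
```

`find_path(ALICE, POOL, [AGENCY_ROOT], TODAY)` returns the four-certificate path through the bridge, while `MALLORY` passes `signature_valid` against its own issuer yet yields no path, which is the distinction the slide draws.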
Certificate Usability at lower assurance AAs
  Avoid multiple interfaces at AAs
  Avoid PKI complexities at lower assurance AAs
Relation to Federal PKI Architecture
Proof of Concept
  SAML 1.0 Artifact Profile
  Interoperability Lab
  Architecture Working Group
  Pilots
eAuthentication Documents
  http://www.cio.gov/eauthentication

NIST Documents
  http://csrc.nist.gov/pki/testing/x509paths.html
  http://csrc.nist.gov/publications/drafts.html
FOC
  Forms
  Web Services
  Composite Apps
  New Schemes