Global Federated Identity and Privilege Management

Introduction


Achieving information sharing objectives requires that partners establish wide-scale electronic trust among the caretakers of critical information and those who need and are authorized to use that information. The information is sensitive: inappropriate sharing is just as dangerous as a lack of sharing. That is where a new and rapidly maturing technology called federated identity comes in. Federated identity allows a user's roles, rights, and privileges to be communicated securely within the justice community and, in particular, to those who hold the information required to effectively safeguard our nation.

The Global Federated Identity and Privilege Management (GFIPM) framework provides the justice community and partner organizations with a standards-based approach for implementing federated identity. The concept of globally understood metadata across federation systems is essential to GFIPM interoperability. Just as a common Extensible Markup Language (XML) data model was the key to data interoperability, a standard set of XML elements and attributes describing a federation user's identities, privileges, and authentication is the key to communicating that information universally. The GFIPM metadata and framework support the following three major interoperability areas of security in the federation:

  • Identification/Authentication - Who is the end user and how were they authenticated?
  • Privilege Management - What certifications, clearances, job functions, local privileges, and organizational affiliations are associated with the end user that can serve as the basis for authorization decisions?
  • Audit - What information is needed or required for the purposes of auditing systems, systems access and use, and legal compliance of data practices?
The GFIPM Metadata specification is being used in a limited pilot capacity today. Lessons learned and feedback from this pilot were incorporated into the public release of the GFIPM Metadata specification.


Building a Federation for Secure and Trusted Information Sharing

"Federation" is a fundamental concept in this framework. The federation provides a standardized means for allowing agencies to directly provide services for trusted users that they do not directly manage. A federation is defined as a "group of two or more trusted partners with business and technical agreements that allow a user from one federation partner (participating agency A) to seamlessly access information resources from another federation partner (participating agency B) in a secure and trustworthy manner." Major organizational participants in a federation vet and maintain information on the users they manage, and each federation partner retains control over the business rules for granting access to the sensitive information it owns. The federation partners establish the electronic trust needed to securely access information by sending standards-based electronic credentials to federation partner information service(s). The federation partner information service(s) evaluate the trusted electronic credential to determine whether to grant or deny access to the requested service or information.

A similar business model exists in passport processing. A federation of governmental agencies has agreed to vet and maintain information on its citizens as a prerequisite for issuing a passport. Border agents grant or deny entry to or exit from the country based on evaluation of a passport, a trusted credential issued by a federation partner asserting the identity and citizenship of a particular country. The country (federation partner) providing the service to enter or exit applies its own business rules based on the passport information and other attributes known at the time of the request.


GFIPM Components

GFIPM uses a standardized XML credential as the key part of federated identity to be used by members and partners of the justice community. Using the GFIPM credential will allow information to be shared in a new way, with reduced management burden and improved security, and on a broader scale. It represents a strategic change and dramatic improvement in the way justice organizations establish the electronic trust needed to share information.

At the highest level of concept within the GFIPM model, there are three vital components that must interact between users of multiple systems:
  • Identity Provider (IDP)
  • Service Provider (SP)
  • User Credential Assertions (Metadata)

Within a federation, organizations play one or both of two roles: identity provider and service provider. The identity provider is the authoritative entity responsible for authenticating an end user and asserting an identity for that user in a trusted fashion to trusted partners. The identity provider is responsible for account creation, provisioning, password management, and general account management. This may be achieved with existing locally accepted security mechanisms and tools.

Federation partners who offer services or share resources are known as service providers. The service provider relies on the identity provider to assert information about a user via an electronic user credential, leaving the service provider to manage access control and dissemination based on a trusted set of user credential assertions.  As mentioned above, an organization that is a service provider can also be an identity provider.
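The interaction between the three components, as an added example that is not part of this page or of the GFIPM project's own code: a service provider receives a credential signed by an identity provider, checks the issuer against a trust fabric, applies its own business rules to the asserted attributes, and writes an audit record. Entity ids, keys, and attribute names are constructed, and an HMAC stands in for the X.509 signatures a real federation would verify.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for a cryptographic trust fabric: one entry per trusted
# endpoint, keyed by entity id, with its role and the key used to check its
# signatures. A real fabric carries X.509 public keys; a shared HMAC key is used
# here only so the example runs with the standard library.
TRUST_FABRIC = {
    "urn:example:idp:agency-a": {"role": "IDP", "key": b"agency-a-demo-key"},
    "urn:example:sp:records": {"role": "SP", "key": b"records-demo-key"},
}


def issue_credential(issuer, attributes, key):
    """IDP side: serialise the user's asserted attributes deterministically and sign them."""
    body = json.dumps({"issuer": issuer, **attributes}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def evaluate(credential, sp_id, policy, audit_log, now=None):
    """SP side: authenticate the asserting IDP (identification/authentication),
    apply the SP's own business rules to the asserted attributes (privilege
    management) and record the outcome (audit). Returns True if access is granted."""
    now = time.time() if now is None else now
    body = json.loads(credential["body"])
    issuer = body.get("issuer")
    entry = TRUST_FABRIC.get(issuer)
    granted, reason = False, "issuer not in trust fabric as an IDP"
    # Only an endpoint registered as an IDP may assert user credentials; an SP's
    # key in the fabric must never be accepted for that purpose.
    if entry is not None and entry["role"] == "IDP":
        expected = hmac.new(entry["key"], credential["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, credential["sig"]):
            reason = "signature does not verify"
        elif body.get("audience") != sp_id:
            reason = "assertion issued for a different service provider"
        elif body.get("not_on_or_after", 0) <= now:
            reason = "assertion expired"
        else:
            # Business rule owned by the SP: each policy attribute must be
            # asserted with one of the allowed values.
            unmet = [a for a, allowed in policy.items() if body.get(a) not in allowed]
            if unmet:
                reason = "policy not satisfied for: " + ", ".join(unmet)
            else:
                granted, reason = True, "granted"
    audit_log.append({"time": now, "issuer": issuer, "user": body.get("user_id"),
                      "resource": sp_id, "granted": granted, "reason": reason})
    return granted
```

Every request, granted or denied, leaves an audit entry naming the asserting IDP, the user, and the reason, which is the record the Audit interoperability area above asks for.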


Global Advisory Committee Recommendation

In the past three to four years, federated identity deployments have grown, matured, and expanded in depth and breadth across multiple industries.  As the standards have matured, more organizations are becoming aware of the compelling business case for building federated communities. As such, a critical objective of the Global Standards Council (GSC) for GFIPM is to ensure compatibility by collaborating with other key ongoing projects that cross domain boundaries, such as the National Information Exchange Model, the Office of the Director of National Intelligence, and the Law Enforcement Information Sharing Program.

Federated identity is part of the GSC's vision for promoting secure nationwide information sharing.  To this end, the Global Advisory Committee has made the following recommendations on behalf of Global:
  • Recognize GFIPM as the recommended approach for development of interoperable security functions for authentication and privilege management for information exchange among cross-domain justice information sharing systems,
  • Adopt the GFIPM: A Global Concept Activities and Progress Report as a recommended resource for next steps and activities to further the utility of GFIPM for the justice community, and
  • Urge the members of the justice community to consider GFIPM as a potential building block to a layered security solution when authenticating users among cross-domain organizations.


GFIPM Participants

The GFIPM initiative is supported through the Office of Justice Programs, Bureau of Justice Assistance (BJA); National Institute of Justice (NIJ); and the U.S. Department of Homeland Security (DHS).  The GSC provides oversight for this initiative.  The GFIPM Delivery Team is chaired by Mr. John Ruegg, Los Angeles County Information Systems Advisory Body.  The GFIPM specifications have evolved through a collaborative effort of BJA, NIJ, DHS, and major contributors, including the Criminal Information Sharing Alliance network, Regional Information Sharing Systems network, Pennsylvania Justice Network, and Los Angeles County Information Systems Advisory Body.  John Wandelt, Georgia Tech Research Institute, is the GFIPM Project Manager.


Contact Us

For more information about Global efforts, including the GFIPM initiative and corresponding deliverables, please use the Contact Us form.

The artifacts listed below are specific standards associated with GFIPM. To view a complete listing of all Global information sharing standards, please follow this link to the Global Standards Package.


GFIPM Federation Organizational Guidelines

GFIPM Membership Documents

The GFIPM Membership Documents package is a set of template documents and forms that a GFIPM federation can adopt for its use in support of its governance process. The purpose of each document in this package is described in the GFIPM Operational Policies and Procedures Guideline.

File: GFIPM Membership Docs.zip (278.5 KB)
Submitted: 7/12/2012 11:39 AM

GFIPM Governance Guidelines

The GFIPM Governance Guideline document defines the governance structure for a GFIPM federation, including the parties that play a role in the governance structure (e.g., Board of Directors, Federation Management, Identity Providers, Service Providers, Trusted Identity Brokers) and the decisions to be made by each party.

File: GFIPM Governance Guidelines 1.1.doc (5.92 MB)
Submitted: 7/12/2012 11:25 AM

GFIPM Operational Policies and Procedures Guidelines

The GFIPM Operational Policies and Procedures Guideline document describes the operational policies and procedures that govern the basic operation of a federation for trusted information sharing, including federation membership, change management for federation standards, help desk policies, etc. It also contains some normative language related to operational protocol between parties in the federation.

File: GFIPM Operational Policies and Procedures 1.1.doc (5.4 MB)
Submitted: 8/10/2012 11:07 AM


GFIPM Core Technical Standards and Guidelines

GFIPM Federation Name Registration Process

The GFIPM Federation Name Registration Process Document describes the process by which the content of the GFIPM Federation Name Registry (http://gfipm.net/fed-registry.html) is managed.

File: GFIPM Federation Name Registration Process.pdf (2.38 MB)
Submitted: 7/12/2012 11:18 AM

GFIPM Member Certificate Policy Template

The GFIPM Federation Member Certificate Policy (CP) Template provides a template and authoring guidance to any GFIPM federation on how to write its own Member CP, which is a set of rules that indicates the applicability of certain Public Key Infrastructure (PKI) certificates to a particular community and/or class of application with common security requirements.

File: GFIPM Member Certificate Policy Template.docx (5.12 MB)
Submitted: 7/12/2012 11:27 AM

GFIPM Metadata 2.0

The GFIPM Metadata 2.0 specification defines common syntax and semantics for metadata describing users, entities (trusted software service endpoints), resources (sensitive data objects, databases, documents, etc.), actions (attempts by users or entities to access resources), and the data-sharing environment in which actions occur.  This metadata can be used in support of identification, authentication, privilege management, auditing, and personalization across a federation.

File: gfipm-metadata-2.0-final.zip (2.4 MB)
Submitted: 2/6/2012 4:39 PM

GFIPM Cryptographic Trust Model

The GFIPM Cryptographic Trust Model defines a normative schema for a GFIPM Cryptographic Trust Fabric, which is a document shared among all members of a GFIPM federation. A GFIPM Cryptographic Trust Fabric document contains public key material and system entity metadata for each trusted endpoint in the federation. The specification also defines a set of processes by which the GFIPM Cryptographic Trust Fabric document is created, distributed, and updated based on changes in federation membership. In addition, it defines a normative set of rules that all federation members must follow during inter-organizational transactions to ensure that all transactions properly utilize the cryptographic trust fabric. The standard incorporates normative standards from SAML 2.0 and the GFIPM Metadata 2.0 specification.

File: GFIPM Cryptographic Trust Model 2.0.pdf (3.04 MB)
Submitted: 8/10/2012 11:06 AM

GFIPM Federation Certification Practice Statement Template

The GFIPM Federation Certification Practice Statement (CPS) Template provides a non-normative CPS template and CPS authoring guidance to the certificate authority (CA) within any GFIPM federation. It contains recommendations that the CA can follow when writing its own CPS. This CPS template is based on IETF RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.

File: GFIPM Federation Certification Practice Statement Template 1 0 Final.pdf (628.8 KB)
Submitted: 4/18/2012 8:37 AM


GFIPM Communication Profiles

GFIPM Web Services System-to-System Profile

The GFIPM Web Services System-to-System Profile is a normative specification that defines a complete, composable SOAP Web Services protocol stack for basic system-to-system GFIPM use cases.

File: GFIPM Web Services System-to-System Profile 1.0.pdf (3.21 MB)
Submitted: 7/12/2012 11:34 AM

GFIPM Web Browser User-to-System Profile

The GFIPM Web Browser User-to-System Profile is a normative specification that defines a set of protocols and bindings for web browser-based interaction between users and resources across trust domains within a federation. It leverages parts of the SAML 2.0 specification, specifically Web Single Sign-On (SSO) and Single Log-Out (SLO). It also leverages the GFIPM Core Technical Standards and Guidelines.

File: GFIPM Web Browser User-to-System Profile 1.2.pdf (3.05 MB)
Submitted: 8/10/2012 11:09 AM


GFIPM Technical Assistance Resources

GFIPM Federations: Join or Build?

This document is a step-by-step guide that helps decision makers select the federated identity solution that best suits their needs, walking the reader through the steps necessary to choose the most appropriate federation security solution.

File: GFIPM Federations Join or Build.pdf (1.01 MB)
Submitted: 7/12/2012 11:23 AM

GFIPM Trusted Identity Broker Onboarding Guide

The GFIPM Trusted Identity Broker (TIB) Onboarding Guide describes the concept of inter-federation information sharing within the GFIPM paradigm, via the use of a TIB.

File: GFIPM Trusted Identity Broker Onboarding Guide 1.0.pdf (2.54 MB)
Submitted: 7/12/2012 11:31 AM

GFIPM Implementation Guide

The GFIPM Implementation Guide contains detailed instructions for implementers of identity providers (IDPs) and service providers (SPs), which are the two types of systems that participate in user-to-system transactions as specified in the GFIPM Web Browser User-to-System profile. The document covers all aspects of IDP and SP implementation, from requirements analysis to system deployment.

File: GFIPM Implementation Guide 1 0 Final.pdf (1.15 MB)
Submitted: 4/18/2012 8:39 AM


GFIPM Outreach and Marketing Resources

GFIPM Overview

This document provides a high-level executive overview of basic Federated Identity and Privilege Management (FIPM) concepts and also introduces the Global Federated Identity and Privilege Management (GFIPM) concept of information sharing based on FIPM. It also discusses the GFIPM value proposition and provides additional resources for those interested in learning more. Its primary audience is executive management desiring to understand the GFIPM's value proposition within the justice information sharing environment.

File: GFIPM Overview.pdf (2.57 MB)
Submitted: 7/12/2012 11:28 AM

GFIPM Document Map

The GFIPM Document Map provides an overview of the GFIPM documents that have been developed or are currently in development for the benefit of GFIPM program stakeholders. It contains a brief description of every major GFIPM document, including the purpose and content of the document as well as its relationship to other GFIPM documents. It also contains descriptions of other noteworthy GFIPM deliverables, including various Web-based resources that play an important role in the delivery of critical information to GFIPM stakeholders.

File: GFIPM Document Map 1 0 Final.pdf (1.53 MB)
Submitted: 3/8/2012 4:39 PM

GFIPM Terminology Matrix

The GFIPM Terminology Matrix provides a terminology and concept map between GFIPM and other prominent paradigms in the areas of identity management, privilege management, and service-oriented architecture. Its purpose is to help GFIPM stakeholders better understand the various technical terms used in GFIPM by mapping each GFIPM term to the corresponding terms from other technologies.

File: GFIPM Terminology Matrix 1.0.1.pdf (3.02 MB)
Submitted: 8/10/2012 11:08 AM

GFIPM Web Services Concept of Operations

The GFIPM Web Services Concept of Operations ("CONOPS") is a non-normative document that defines functional requirements and logical federated service interaction models for Web services transactions in a GFIPM federation. It was developed as a starting point for the normative GFIPM Web Services System-to-System Profile.

File: GFIPM Web Services CONOPS 1 0 Final.pdf (1.57 MB)
Submitted: 4/18/2012 8:42 AM


Additional GFIPM Information

Global Federated Identity and Privilege Management (GFIPM) Executive Summary

This executive summary provides a high-level overview for justice organizations that are looking for ways to provide secured access to information while enabling wide-scale information sharing over the Internet. This resource details the GFIPM framework, which provides mechanisms and tools for implementing a standards-based justice credential.

File: GFIPM_flyer.pdf (317.6 KB)
Submitted: 4/18/2012 4:48 PM

Global Federated Identity and Privilege Management (GFIPM) Security Interoperability Demonstration Project Report

This project report was submitted by the Georgia Tech Research Institute (GTRI) to describe the background, activities, and lessons learned from the GFIPM Demonstration Project.

Submitted: 9/25/2008 12:20 PM

Global Federated Identity and Privilege Management (GFIPM) Users' Conference Briefing

This PowerPoint presentation was submitted by the Georgia Tech Research Institute (GTRI) to provide an introduction to and status of the GFIPM project. These slides were delivered during the Chicago Users' Conference on August 21, 2007.

File: GFIPM_Overview_and_Status-Aug-07-final_export[1].pdf (11.77 MB)
Submitted: 4/18/2012 4:49 PM

GFIPM Metadata Specification Version 1.0

IMPORTANT NOTE: Version 1.0 of the GFIPM Metadata Specification is no longer supported. Please use GFIPM Metadata Specification Version 2.0 (linked above). Version 1.0 remains on this site for historical reference only, and no new GFIPM metadata elements will be added to it.

Submitted: 11/9/2010 4:29 PM