Dragoljub Nesic, 08/12/2013: Does identity management really have to be difficult?


Page 1: DRAGOLJUB NESIC 08/12/2013 DOES IDENTITY MANAGEMENT REALLY HAVE TO BE DIFFICULT?

DRAGOLJUB NESIC

08/12/2013

DOES IDENTITY MANAGEMENT REALLY HAVE TO BE DIFFICULT?

Page 2:

What will we talk about today?

• A brief introduction to me
• A quick look at recent history of shared authentication in the UK
• A glance at the pressure points from the world around us now
• An overview of the PSIIF
• An example scenario walkthrough
• What can you do?

Page 3:

Lord of the tokens

EAS
• Sponsored at the time by DCSF (ContactPoint); aimed to establish a trust framework for registration, and an authentication infrastructure based on 2FA
• It also provided a shared IdP for LAs that did not want to establish their own
• A 2FA device in the hands of all public sector employees accessing central applications

What did the local authorities really want?
• Cost-efficient CoCo compliance
• Freja – “One token to rule them all”

Page 4:

Real life

• World-wide financial crisis, 2008 onwards
• Government change, 2009
• ContactPoint was discontinued
• Concerns about Government Gateway performance in conjunction with LAs
• A failure, or?

Page 5:

Positive Legacy

• ContactPoint was discontinued – EAS uptake was low. But…
• Wider public sector agreement on a trust framework
  • Especially registration of users / reuse of credentials
• Governance and assurance approach for distributed user registration
• Flexible IdP implementation model
• Body of best practice for LA registration
  • Newham & Salford
• Regional hub projects kickoff
• Principles of collaboration: DWP/HMRC/E&H/Police working together

Page 6:

Today’s challenges

Remote workforce
• PSN compliance is getting tougher and tougher
• More workers are working remotely for a greater portion of the time
• CO2 footprint reduction
• Escalating costs, or a not-so-secure solution
• What if one could locally issue strong 2FA for remote workers with a potentially zero-cost authentication device?

Cloud services are exploding
• Most with their own – password-based – identity systems
• Often complicated directory integration
• What if one could reuse locally issued, strong 2FA for authenticating users to such systems, i.e. cloud-based services with ground-based authentication?

Page 7:

Today’s challenges, cont’d

Need to collaborate with neighbours
• Shared services amongst boroughs are a real need
• But who authenticates an individual?
• Directory federation is difficult to set up and manage
• What if one could reuse locally issued, strong 2FA across partnerships?

Increase internal efficiency
• Bringing new applications online is expensive
• What if one could reuse locally issued, strong 2FA for plug-and-play integration of new applications?

Still need to access central government services
• The applications may have changed; the basic need still remains
• What if one could reuse locally issued, strong 2FA for accessing applications hosted by or on behalf of central government?

Page 8:

PSIIF – a 180-degree turn

• Not a “top-down” approach
• PSIIF – a standards-based infrastructure on top of PSN, defining exchanges between:
  • IdPs
  • Hubs
  • Service Providers
• Allows re-use of (conformant) credentials for accessing “external” services, including G-Cloud, central government, or services hosted by regional partners on the PSN

Page 9:

Information highway needs vehicles

• An infrastructure is only good if it is put to use
• Imagine if you could decide whom you want to collaborate with, and how:
  • Your employees access G-Cloud services while retaining the identity issued by you
  • Employees of regional partners access your systems without you issuing a separate authenticator to their employees
  • Your employees access central government services
  • Request attributes from, or release attributes to, parties you select

Page 10:

G-Cloud service example

Sequence diagram on the slide. Participants: User, G-Cloud Service, Freja IdP, Freja SSP, Freja Registration & Provisioning. Exchange, in the order shown:

• Where are you from?
• Please authenticate this user
• Do I recognize the service?
• Convince me who you are
• What do I know about you?
• How much information should I / can I release to the service?
• Sign an assertion
• Do I trust the assertion issuer?
• OK, what can this user do here

Page 11:

SSO

Sequence diagram on the slide. Participants: User, Cloud Service, Cloud Service 2, Freja IdP, Freja SSP and a third Freja component (label cut off in the transcript). Exchange, in the order shown:

• Click on link to service 2
• Please authenticate this user
• Do I recognize the service?
• Do I have a valid session?
• How much information should I / can I release to this service?
• Sign an assertion
• Do I trust the assertion issuer?
• OK, what can this user do here
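As an added illustration (not part of the original slides, and not Freja's own code), the exchanges on pages 10 and 11 modelled in Python: the IdP works through the slide's questions in order, signs the assertion, and the service provider checks issuer trust, signature, audience and expiry before deciding what the user may do; the second service reuses the IdP session, so no second 2FA prompt. An HMAC over a JSON body stands in for the SAML 2 XML signature, the assignment of each question to a party follows the usual web-SSO roles and is my assumption, and all names, keys and attribute records are constructed.

```python
import hmac, hashlib, json, time

IDP_ID = "freja-idp"                          # all names/keys here are constructed
IDP_KEY = b"constructed-idp-signing-key"      # stands in for the IdP's signing key
# IdP trust registry: SPs it recognises and the attributes it may release to each
RELEASE_POLICY = {"gcloud-hr": ["uid", "role"], "gcloud-gis": ["uid"]}
# Registration & provisioning record: "What do I know about you?"
REGISTRY = {"alice": {"uid": "alice@borough.example", "role": "social-worker", "phone": "n/a"}}

class IdP:
    def __init__(self):
        self.sessions = {}                    # user -> time of last successful 2FA

    def handle_request(self, sp_id, user, second_factor_ok):
        """Answer an SP's "Please authenticate this user" request."""
        if sp_id not in RELEASE_POLICY:       # "Do I recognize the service?"
            raise PermissionError("unknown service provider")
        fresh_login = user not in self.sessions   # "Do I have a valid session?"
        if fresh_login:                       # "Convince me who you are" (2FA)
            if not second_factor_ok:
                raise PermissionError("second factor failed")
            self.sessions[user] = time.time()
        # "How much information should I / can I release to this service?"
        attrs = {k: REGISTRY[user][k] for k in RELEASE_POLICY[sp_id]}
        assertion = {"issuer": IDP_ID, "audience": sp_id, "subject": user,
                     "attrs": attrs, "exp": time.time() + 300}
        payload = json.dumps(assertion, sort_keys=True).encode()
        sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()  # "Sign an assertion"
        return payload, sig, fresh_login

def sp_consume(sp_id, trusted_issuers, payload, sig):
    """SP side: validate the assertion, return released attributes for local authorisation."""
    a = json.loads(payload)
    key = trusted_issuers.get(a["issuer"])    # "Do I trust the assertion issuer?"
    if key is None:
        raise PermissionError("untrusted issuer")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    if a["audience"] != sp_id or a["exp"] < time.time():
        raise PermissionError("assertion not for this service, or expired")
    return a["attrs"]                         # "OK, what can this user do here"

def run_scenario():
    """Login to service 1 needs 2FA; service 2 reuses the IdP session (SSO)."""
    idp, trust = IdP(), {IDP_ID: IDP_KEY}     # SPs hold the IdP's verification key
    p, s, fresh1 = idp.handle_request("gcloud-hr", "alice", second_factor_ok=True)
    hr_attrs = sp_consume("gcloud-hr", trust, p, s)
    p, s, fresh2 = idp.handle_request("gcloud-gis", "alice", second_factor_ok=False)
    return fresh1, hr_attrs, fresh2, sp_consume("gcloud-gis", trust, p, s)
```

The "phone" attribute is never released because no service's policy lists it, which is the "better control of information release" point from page 13.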

Page 12:

What can you do?

• You get to choose whether you want to act as SP, IdP, AP or any combination thereof – no mandate
• A lot of software you own already supports SAML 2 integration – you can act as an SP straight away
• A lot of G-Cloud services already support SAML 2 (or are rapidly being adapted to do so)
• IdP functionality can be plugged into your existing authentication infrastructure with practically no disruption

Page 13:

Why would you?

• Standards-based, loosely coupled architecture – no vendor tie-in
• Potential for better services, to larger audiences
• An identity need not be established time and time again
• Better control of identity, better control of data access, better control of information release (please search for TheEllenShow, “Out of your password minder” on YouTube)
• Easier to audit
