I was recently asked what steps I would take to implement the capability to accept Federated Credentials at a web site. Since that is a question I have been asked before, I figured I would document it here for future reference.
While the answer is equally applicable to the commercial sector, given that the majority of the work I do is in the US Government space, I am answering this question as if it were being asked of me by a Government Program Manager who wants to begin accepting Federated Credentials at his web site. Needless to say, this is my personal opinion.
At a high level, these are the steps:
- Conduct a web site risk assessment to determine the Level of Assurance (LOA) needs of the web site. Use OMB M-04-04 and FIPS 199 Risk Impact Profiles.
- Determine what credential technology strength can support the required LOA. Use NIST SP 800-63-1.
- Determine the target audience for the web site and see which credential providers are available to them (e.g. OpenID 2.0 IdPs, SAML 2.0 IdPs, PIV/PIV-I cards, etc.).
- Down-select the available credential providers to those who support the required LOA. Use the list of FICAM Trust Framework Provider (TFP) IdPs on IDManagement.gov.
- Use credential providers whose protocol profiles (of OpenID 2.0, SAML 2.0, etc.) address the security and privacy concerns at the needed LOA. Down-select to the list of FICAM TFP certified credential providers on IDManagement.gov that support the FICAM protocol profiles at the required LOA.
- Implement support for those protocol profiles at the web site using COTS, open source and/or custom development. Use product vendors and/or code that support the selected FICAM protocol profiles at the needed LOA.
(NOTE: I don't have a link to provide for you at this time, but I am aware of multiple COTS vendors who currently have support for various FICAM protocol profiles or have committed to support them in their product for release in the near future. Hopefully there will be a Government web site that provides that information soon.)
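To make the down-select concrete, here is a small sketch I have added for this post (it is not code from any FICAM product or from IDManagement.gov) of how steps 1 through 5 compose: the risk assessment yields the required LOA, and the candidate providers are then filtered by audience reach, certified LOA and FICAM profile support. The provider list and the impact profile are constructed sample data, and the rule that the site must meet its most demanding impact category is my assumption about how to apply the OMB M-04-04 table.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# OMB M-04-04 / NIST SP 800-63-1 assurance levels, weakest to strongest.
LOA_LEVELS = (1, 2, 3, 4)


def required_loa(impact_profile: Dict[str, int]) -> int:
    """Step 1: derive the web site's required LOA from its risk assessment.

    impact_profile maps each M-04-04 harm category (as assessed by the
    program) to the LOA that category demands. The category-to-LOA mapping
    is done by the assessor against the M-04-04 table and is not reproduced
    here. Assumption: the site must satisfy its most demanding category.
    """
    if not impact_profile:
        raise ValueError("risk assessment has no impact categories")
    loa = max(impact_profile.values())
    if loa not in LOA_LEVELS:
        raise ValueError(f"unknown assurance level {loa}")
    return loa


@dataclass(frozen=True)
class CredentialProvider:
    name: str            # hypothetical provider name (constructed sample)
    protocol: str        # e.g. "OpenID 2.0", "SAML 2.0", "PIV-I"
    certified_loa: int   # LOA at which a FICAM TFP certified the provider
    ficam_profile: bool  # implements the FICAM protocol profile for that protocol


def down_select(providers: Iterable[CredentialProvider], loa: int,
                audience_protocols: Iterable[str]) -> List[str]:
    """Steps 3 to 5: keep providers the audience can actually use, that are
    certified at or above the required LOA, and that run a FICAM profile.
    A higher-LOA credential may serve a lower-LOA site, hence >=."""
    wanted = set(audience_protocols)
    return [p.name for p in providers
            if p.protocol in wanted
            and p.certified_loa >= loa
            and p.ficam_profile]


# Constructed sample providers; names and attributes are hypothetical.
SAMPLE_PROVIDERS = [
    CredentialProvider("ExampleOpenID", "OpenID 2.0", 1, True),
    CredentialProvider("ExampleSAML-Profile", "SAML 2.0", 3, True),
    CredentialProvider("ExampleSAML-Plain", "SAML 2.0", 3, False),
    CredentialProvider("ExamplePIV-I", "PIV-I", 4, True),
]
```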
Comments, questions and suggestions for improvement are very welcome.
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.