USDA centralizes online user ID authentication
- By William Jackson
- Feb 04, 2004
In the last year, the Agriculture Department has connected 30 applications to a central authentication service that manages the online identities of USDA employees and customers alike.
The Web-based Centralized Authentication and Authorization Facility provides a common platform to verify user credentials so that each application doesn't have to duplicate the function.
'We used the approach of 'build it and they will come,' ' said Owen Unangst, USDA e-authentication project head. 'It's up to the business unit to create business processes around the Web that make sense.'
The business units using WebCAAF so far are USDA's county-based agencies'the Natural Resources Conservation Service, Farm Service Agency and Rural Development Agency.
Although the three agencies are located together at 2,500 service centers in the nation's counties and deal with many of the same customers and businesses, they have kept separate records with much duplicate information. Each app has required separate passwords and user IDs.
Under WebCAAF, the agencies' users can access any of the apps with a single sign-on and set of credentials. WebCAAF, which went into operation in June 2002, eventually will become an element of the governmentwide E-Authentication Gateway.
The core of WebCAAF is SiteMinder software from Netegrity Inc. of Waltham, Mass. SiteMinder consists of an agent on the Web host and a policy server behind a firewall. The policy server processes user ID and entitlement data.Transparent to user
'It is transparent to the user,' Unangst said. 'All the user sees is the business application that is being protected.'
The policy server matches user IDs and passwords against a Lightweight Directory Access Protocol directory. The server returns valid authentications to the app, along with data from the directory that says what those users are entitled to access and do.
The policy server is hosted at a data center at Fort Collins, Colo., with backup in St. Louis. WebCAAF operates within the four-level assurance hierarchy set out by the General Services Administration and the Office of Management and Budget.
The two highest levels of assurance, required for official business, use digital certificates; the lower two levels require only user names and passwords. WebCAAF is a Level 2 credentialing service, adequate for some official business but not requiring digital certificates.
To get Level 1 WebCAAF credentials, users enroll online, choosing their own IDs and passwords. Level 1 carries essentially no assurance of identity.
To get Level 2 credentials, users must go in person to a service center with two forms of identification.
When WebCAAF becomes part of the E-Authentication Gateway, its credentials will be acceptable to other federal apps requiring those security levels. WebCAAF could also accept level 2, 3 and 4 credentials from other agencies.
'We have issued credentials to 6,000 customers and 50,000 employees,' Unangst said. The number of users reflects the applications supported by WebCAAF.
'You could say that after a year, 6,000 customers is not very many, and this is true,' he said. 'It has taken some time to get the infrastructure geared up.'
The volume of use varies widely depending on the app. Not surprisingly, USDA employees are the most frequent users, making 160,000 log-ins to a time and attendance application every two weeks.Business users
Service providers'agribusinesses and individuals who supply conservation measures to farmers'are a small but frequent subset of users, accounting for several thousand log-ins each week.
Individual farmers who log in for information or to submit applications are a small part of WebCAAF's traffic.
'Although this may be seen as a slow start, applications coming online in the coming months will continue the growth,' Unangst said.
USDA's e-authentication project staff works with the department's 18 agencies to integrate their apps. Up to 550 customer interactions could be required to go online under the Government Paperwork Elimination Act. Because many interactions could be part of a single application, it is unclear how many apps that represents, Unangst said.
A significant difference between the USDA platform and the E-Authentication Gateway is the double-A in WebCAAF, which stands for authentication and authorization. Those are separate processes.
Authentication means verification of ID credentials'making sure users are who they say they are. Authorization means matching an ID against access privileges. WebCAAF performs both functions, whereas the E-Authentication Gateway does only authentication and leaves authorization up to individual apps.
No consensus exists about whether authorization should be centralized or distributed, said Pete Morrison, vice president of public-sector business for Netegrity, whose software is part of both WebCAAF and the gateway.
'There is no clear-cut distinction,' Morrison said. 'It is a policy issue.'
The key to making online government work is to keep an eye on the big picture, Unangst said.
'When an agency wants to deliver a product or a service electronically, realize that a whole infrastructure is needed,' Unangst said. 'You can't let the IT folks build the service and feel it's done. It's going to take everybody's effort to make it a success,' from application owners to IT shops, help desks and authentication services.
William Jackson is freelance writer and the author of the CyberEye blog.