Justice pursues flexible identity management
Federated system could allow access to specific systems across organizations
The Justice Department is piloting a federated identity management system to tackle the problem of how to give thousands of potential users, spread across multiple organizations, selective access to its critical systems.
Such a system could be used to verify government online identities across different agencies, said Boris Shur, Justice's manager for the pilot project. 'If [the pilot] is good enough, it is our intention to establish a trusted-broker infrastructure, within at least DOJ,' said Shur, who outlined the project at the Collaborative Expedition Workshop recently in Arlington, Va.

Multiple agencies
The Law Enforcement Information Sharing Program (LEISP), run by Justice's Office of the Chief Information Officer, could offer validated user credentials to multiple applications that are being run across multiple agencies.
The primary driver for the pilot is to find ways that other federal agency employees, as well as users at state, local and tribal law enforcement agencies, can access Justice systems.
Credentialing is a multistep process. An agency must first positively identify the individual who is being credentialed. It must then list the systems that person is allowed to access. Finally, that person must be given the passwords, smart cards or other identification keys.
Because employees need to access multiple systems, sometimes across agency lines, the agencies themselves must recertify employees multiple times.
In addition, as a result of Homeland Security Presidential Directive 12, many of today's systems require multiple forms of user identification. HSPD-12 requires secure credentials for agency and contract employees (see story, Page 25).
Credentialing each employee for each application they use is 'not a scalable model,' Shur said.
Shur said Justice is working with the FBI on new systems that will be used by potentially hundreds of thousands of state law enforcement workers. 'Federal identity management seems like the only way to do it,' he said.

Central repository
The pilot establishes a trusted broker to function as a liaison between applications and providers of user credentials. The broker acts as a central repository, to which agencies submit a set of credentials for each of their employees.
When a user requests access to an application outside his or her own agency, that application can ask the broker for the user's validated credentials instead of credentialing the user itself.
'Federated identity management allows a lot more accuracy and more up-to-date information about the user,' Shur said.
The LEISP system relies on open standards. It communicates credentials using public-key infrastructure, the Security Assertion Markup Language (SAML) and the Web Services Federation Language (WS-Federation).
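The broker model described above (agencies submit their user records to a central broker; an application outside the user's agency asks the broker to vouch for the user rather than re-credentialing them) can be sketched in a few dozen lines. The following is an added example written for this page, not LEISP code or anything the Justice Department published. It assumes a JSON assertion with SAML-like fields (issuer, subject, audience, validity window, attributes), two constructed agency registries, and an HMAC tag standing in for the XML-Signature/PKI signature a real SAML broker would apply; the symmetric key is a portability shortcut (the Python standard library has no RSA), and in the real design the relying application would hold only the broker's public certificate.

```python
"""Trusted-broker federation demo (added example, not DOJ/LEISP code).

Assumptions not taken from the article: a JSON assertion with SAML-like
claims, an HMAC tag in place of an XML-DSig/PKI signature, and two
constructed agency identity registries.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed registries, as submitted to the broker by two agencies.
AGENCY_REGISTRIES = {
    "agency-a": {"jdoe": {"roles": ["analyst"], "clearance": "secret"}},
    "agency-b": {"rsmith": {"roles": ["investigator"], "clearance": "ts"}},
}

BROKER_ISSUER = "leisp-broker"            # hypothetical issuer name
BROKER_KEY = b"constructed-broker-key"    # stands in for the broker's signing key


def _sign(payload: bytes, key: bytes) -> str:
    """Base64url HMAC-SHA256 over the assertion body (stand-in for XML-DSig)."""
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def issue_assertion(agency, user, audience, key=BROKER_KEY, now=None, ttl=300):
    """Broker side: look the user up in the submitting agency's registry and
    return a signed assertion scoped to one relying application (audience).
    Returns None when the user is not known to that agency."""
    record = AGENCY_REGISTRIES.get(agency, {}).get(user)
    if record is None:
        return None
    now = int(time.time()) if now is None else now
    claims = {
        "iss": BROKER_ISSUER,
        "sub": f"{user}@{agency}",
        "aud": audience,          # binds the assertion to one application
        "nbf": now,               # not-before
        "exp": now + ttl,         # short lifetime limits replay
        "attrs": record,          # roles/clearance the application authorizes on
    }
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + _sign(body.encode(), key)


def verify_assertion(token, audience, key=BROKER_KEY, now=None):
    """Relying-application side: check the signature first, then issuer,
    audience and validity window. Returns (True, claims) or (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    # Constant-time comparison; reject before parsing any untrusted claims.
    if not hmac.compare_digest(_sign(body.encode(), key), tag):
        return False, "signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("iss") != BROKER_ISSUER:
        return False, "issuer"
    if claims.get("aud") != audience:
        return False, "audience"
    if not (claims["nbf"] <= now < claims["exp"]):
        return False, "expired"
    return True, claims


if __name__ == "__main__":
    # An agency-a user asks to use a (hypothetical) case-management app run elsewhere.
    token = issue_assertion("agency-a", "jdoe", "case-mgmt")
    print(verify_assertion(token, "case-mgmt"))        # accepted
    print(verify_assertion(token, "evidence-vault"))   # rejected: wrong audience
```

The audience check is the part practitioners most often omit: without it, an assertion the broker issued for one application can be replayed against every other application that trusts the same broker.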
It interacts with a number of applications as well as with a number of identity servers, such as the Sun One Identity Server and the Hewlett-Packard OpenView Select Federation.
Justice is not alone in pursuing a federated identity management system.
The General Services Administration and the Environmental Protection Agency have piloted a system called the Central Data Exchange. Like LEISP, CDE looks at ways to reuse credentials across agencies.