Justice pursues flexible identity management

Federated system could allow access to specific systems across organizations

The Justice Department is piloting a federated identity management system to tackle the problem of how to give thousands of potential users, spread across multiple organizations, selective access to its critical systems.

Such a system could be used to verify government online identities across different agencies, said Boris Shur, Justice's manager for the pilot project. 'If [the pilot] is good enough, it is our intention to establish a trusted-broker infrastructure, within at least DOJ,' said Shur, who outlined the project at the Collaborative Expedition Workshop recently in Arlington, Va.

Multiple agencies

The Law Enforcement Information Sharing Program (LEISP), run by Justice's Office of the Chief Information Officer, could offer validated user credentials to multiple applications that are being run across multiple agencies.

The primary driver for the pilot is to find ways that other federal agency employees, as well as users at state, local and tribal law enforcement agencies, can access Justice systems.

Credentialing is a multistep process. An agency must first positively identify the individual who is being credentialed. It must then list the systems that person is allowed to access. Finally, that person must be given the passwords, smart cards or other identification keys.

Because employees need to access multiple systems, sometimes across agency lines, the agencies themselves must recertify employees multiple times.

In addition, as a result of Homeland Security Presidential Directive 12, many of today's systems require multiple forms of user identification. HSPD-12 requires secure credentials for agency and contract employees (see story, Page 25).

Credentialing each employee for each application they use is 'not a scalable model,' Shur said.

Shur said Justice is working with the FBI on new systems that will be used by potentially hundreds of thousands of state law enforcement workers. 'Federal identity management seems like the only way to do it,' he said.

Central repository

The pilot establishes a trusted broker to function as a liaison between applications and providers of user credentials. The broker acts as a central repository, to which agencies submit a set of credentials for each of their employees.

When a user requests access to an application outside his or her own agency, that application can request credentials from the broker.

'Federated identity management allows a lot more accuracy and more up-to-date information about the user,' Shur said.

The LEISP system relies on open standards. It communicates credentials using public-key infrastructure (PKI), the Security Assertion Markup Language (SAML) and the Web Services Federation Language (WS-Federation).

It interacts with a number of applications as well as with a number of identity servers, such as the Sun One Identity Server and the Hewlett-Packard OpenView Select Federation.
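The broker exchange described above (an agency submits a user's credentials to the broker; an application outside that agency asks the broker for them; the application decides whether to admit the user) is sketched below in Go as an added example. It is not code from the article or from the LEISP pilot: a JSON record signed with RSA-PSS stands in for the SAML assertion and PKI certificate a real deployment would use, and the names doj-broker, case-system and the user identifiers are this example's own assumptions. The point it adds to the article's description is the set of checks the relying application must make before trusting the broker's answer: signature first, then audience, expiry, replay, and only then its own authorisation list.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified JSON stand-in for a SAML assertion: the broker vouches for Subject to one Audience until Expires.
type Assertion struct {
	ID       string // random per issuance, so an application can refuse replays
	Subject  string
	Audience string
	Role     string
	Expires  int64 // Unix seconds
}

// Broker is the trusted broker: agencies submit credential records to it, and applications ask it about users.
type Broker struct {
	key   *rsa.PrivateKey
	users map[string]string // subject -> role submitted by the home agency (assumed data model)
}

func NewBroker() (*Broker, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Broker{key: key, users: map[string]string{}}, nil
}

// PublicKey is what relying applications are configured to trust; Submit is the "central repository" step.
func (b *Broker) PublicKey() *rsa.PublicKey   { return &b.key.PublicKey }
func (b *Broker) Submit(subject, role string) { b.users[subject] = role }

// Issue answers an application's credential request with a short-lived assertion bound to that one audience,
// returned as the encoded payload and the broker's RSA-PSS signature over it.
func (b *Broker) Issue(subject, audience string, now time.Time) (payload, sig []byte, err error) {
	role, ok := b.users[subject]
	if !ok {
		return nil, nil, fmt.Errorf("broker: unknown subject %q", subject)
	}
	var id [16]byte
	rand.Read(id[:]) // crypto/rand does not return errors on supported platforms
	payload, _ = json.Marshal(Assertion{ID: fmt.Sprintf("%x", id[:]), Subject: subject,
		Audience: audience, Role: role, Expires: now.Add(5 * time.Minute).Unix()})
	digest := sha256.Sum256(payload)
	sig, err = rsa.SignPSS(rand.Reader, b.key, crypto.SHA256, digest[:], nil)
	return payload, sig, err
}

// Application is a relying party outside the user's home agency: it trusts one broker key and keeps its own role list.
type Application struct {
	Name          string
	pub           *rsa.PublicKey
	allowed, seen map[string]bool // seen: assertion IDs already accepted
}

func NewApplication(name string, pub *rsa.PublicKey, allowed map[string]bool) *Application {
	return &Application{Name: name, pub: pub, allowed: allowed, seen: map[string]bool{}}
}

// Admit verifies the signature before trusting any field, then checks audience, expiry, replay and authorisation.
func (app *Application) Admit(payload, sig []byte, now time.Time) (*Assertion, error) {
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(app.pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, err
	}
	switch {
	case a.Audience != app.Name:
		return nil, fmt.Errorf("assertion meant for %q, not %q", a.Audience, app.Name)
	case now.Unix() > a.Expires:
		return nil, errors.New("assertion expired")
	case app.seen[a.ID]:
		return nil, fmt.Errorf("assertion %s replayed", a.ID)
	case !app.allowed[a.Role]:
		return nil, fmt.Errorf("role %q not authorised for %s", a.Role, app.Name)
	}
	app.seen[a.ID] = true
	return &a, nil
}

func main() {
	broker, _ := NewBroker() // hypothetical DOJ broker; key generation failure is ignored only in this demo
	broker.Submit("trooper@state-police.example", "investigator")
	app := NewApplication("case-system", broker.PublicKey(), map[string]bool{"investigator": true})
	payload, sig, _ := broker.Issue("trooper@state-police.example", "case-system", time.Now())
	fmt.Println(app.Admit(payload, sig, time.Now())) // a second call with the same assertion is refused as a replay
}
```

The ordering inside Admit is deliberate: nothing in the payload is parsed or compared until the broker's signature has been verified, the audience check stops an assertion issued for one Justice application from being presented to another, and the per-assertion ID plus short expiry bound how long a captured assertion stays useful. The application, not the broker, holds the list of roles it admits, which is what lets each system keep its own access policy while reusing one set of credentials.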

Justice is not alone in pursuing a federated identity management system.

The General Services Administration and the Environmental Protection Agency have piloted a system called the Central Data Exchange. Like LEISP, CDE looks at ways to reuse credentials across agencies.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.