U.S. flag

An official website of the United States government, Department of Justice.

Global Federated Identity and Privilege Management

Justice Information Sharing
gonin / shutterstock.com (see reuse policy).
Description

Global Federated Identity and Privilege Management

The Global Federated Identity and Privilege Management (GFIPM) Task Team served as a Global Advisory Committee (GAC) subcommittee, supporting broad-scale electronic sharing of pertinent justice- and public safety-related information by recommending to the Bureau of Justice Assistance (BJA), through the GAC, associated information sharing standards and guidelines.  In particular, the team developed the GFIPM framework that provides the justice community and partner organizations with a standards-based approach for implementing federated identity.   

GFIPM Members


Introduction


Achieving information sharing objectives requires that partners establish wide-scale electronic trust among the caretakers of critical information and those who need and are authorized to use that information.  The information is sensitive-inappropriate sharing is just as dangerous as lack of sharing. That is where a new and rapidly maturing technology called federated identity comes in.  Federated identity allows a user's roles, rights, and privileges to be communicated securely in the justice community and, in particular, to those who hold the information required to effectively safeguard our nation.

The Global Federated Identity and Privilege Management (GFIPM) framework provides the justice community and partner organizations with a standards-based approach for implementing federated identity.  The concept of globally understood metadata across federation systems is essential to GFIPM interoperability.  Just as a common Extensible Markup Language (XML) data model was the key to data interoperability, a standard set of XML elements and attributes about a federation user's identities, privileges, and authentication can be universally communicated.  The GFIPM metadata and framework support the following three major interoperability areas of security in the federation:

  • Identification/Authentication - Who is the end user and how were they authenticated?
  • Privilege Management - What certifications, clearances, job functions, local privileges, and organizational affiliations are associated with the end user that can serve as the basis for authorization decisions?
  • Audit - What information is needed or required for the purposes of auditing systems, systems access and use, and legal compliance of data practices?

The GFIPM Metadata specification was used in a limited pilot capacity. Lessons learned and feedback from this pilot were incorporated into the public release of the GFIPM Metadata specification.

Building a Federation for Secure and Trusted Information Sharing


''Federation'' is a fundamental concept in this framework.  The federation provides a standardized means for allowing agencies to directly provide services for trusted users that they do not directly manage.  A federation is defined as a ''group of two or more trusted partners with business and technical agreements that allow a user from one federation partner (participating agency A) to seamlessly access information resources from another federation partner (participating agency B) in a secure and trustworthy manner.''  Major organizational participants in a federation vet and maintain information on the users they manage, and each federation partner retains control over the business rules for granting access to the sensitive information it owns.  The federation partners establish the electronic trust needed to securely access information by sending standards-based electronic credentials to federation partner information service(s).  The federation partner information service(s) evaluate the trusted electronic credential to determine whether to grant or deny access to the requested service or information.

A similar business model exists in passport processing.  A federation of governmental agencies has agreed to vet and maintain information on its citizens as a prerequisite for issuing a passport.  Border agents will grant or deny access to enter or leave the country based on evaluation of a passport-a trusted credential issued by a federation partner asserting identity and citizenship of a particular country.  The country (federation partner) providing the service to enter or exit the country applies its own business rules based on the passport information and other attributes known at the time of the request.

GFIPM Components


GFIPM uses a standardized XML credential as the key part of federated identity to be used by members and partners of the justice community.  Using the GFIPM credential will allow information to be shared in a new way-with reduced management burden and improved security and on a broader scale. It represents a strategic change and dramatic improvement in the way justice organizations establish the electronic trust needed to share information.

At the highest level of concept within the GFIPM model, there are three vital components that must interact between users of multiple systems:

  • Identity Provider (IDP)
  • Service Provider (SP)
  • User Credential Assertions (Metadata)

Within a federation, organizations play one or both of two roles: identity provider and/or service provider.  The identity provider is the authoritative entity responsible for authenticating an end user and asserting an identity for that user in a trusted fashion to trusted partners. The identity provider is responsible for account creation, provisioning, password management, and general account management.  This may be achieved with existing locally accepted security mechanisms and tools.

Federation partners who offer services or share resources are known as service providers. The service provider relies on the identity provider to assert information about a user via an electronic user credential, leaving the service provider to manage access control and dissemination based on a trusted set of user credential assertions.  As mentioned above, an organization that is a service provider can also be an identity provider.

Global Advisory Committee Recommendation


Over time, federated identity deployments have grown, matured, and expanded in depth and breadth across multiple industries.  As the standards have matured, more organizations are becoming aware of the compelling business case for building federated communities. As such, a critical objective of GFIPM is to ensure compatibility through collaboration with other key ongoing projects that cross domain boundaries, such as the National Information Exchange Model, the Office of the Director of National Intelligence, and the Law Enforcement Information Sharing Program.

Federated identity promotes secure nationwide information sharing.  To this end, the Global Advisory Committee made the following recommendations on behalf of Global:

  • Recognize GFIPM as the recommended approach for development of interoperable security functions for authentication and privilege management for information exchange among cross-domain justice information sharing systems,
  • Adopt the GFIPM: A Global Concept Activities and Progress Report as a recommended resource for next steps and activities to further the utility of GFIPM for the justice community, and
  • Urge the members of the justice community to consider GFIPM as a potential building block to a layered security solution when authenticating uses among cross-domain organizations.
     

Contact Us


For more information about Global efforts, please use the Contact Us form.