GSA pursues single sign-on service

After several years of development, this month the General Services Administration formally published its plan to establish a decentralized identity management system that would enable secure single sign-on access for users of the government's online services.

Supporters consider the network crucial to the development of online services because it makes the user base easier to manage. As it stands now, every agency Web site requires visitors to register their user IDs and passwords to allow secure access to services.

Using a federated approach, the E-Authentication Service Component (ASC) will make it possible for one site to accept sign-on credentials registered at another site on the network.

If this catches on, potential users of government services — citizens, contractors, private businesses and other government entities — would be able to use one credential issued by a local government office or a financial institution to access any government service.

It's a big, positive step forward to solving the problem of identify management, said Bob Cook, executive chairman of Sigaba, a developer of secure messaging solutions.

The announcement doesn't necessarily break much new ground, he said, but knowing that they now have the ability to federate credentials should help move agencies forward.

"The next step will be for individual agencies to look at what is needed for this and then begin to work it into all of their secure communications," he said.

In the grand scheme of things, this is just one more step in the process, said Gerry Gebel, a senior analyst at the Burton Group, but it's a significant move. It's a public statement from GSA that, after running through a number of pilot tests to demonstrate and prove the concept of federated authentication, it does work, he said.

But he agreed with Cook that GSA's announcement alone isn't enough. "It's more than just having the technology ready," Gebel said. "Agencies still have to enable applications to take advantage of this new facility, they have to move forward on their side."

It's not only a matter of overcoming natural caution, however, because some fundamental questions are still unanswered. For example, although he was generally enthusiastic about GSA's notice and welcomed the many "good words" in the document, Brand Niemann, a computer scientist at the Environmental Protection Agency and a major proponent of Web services in government, thought it also raised questions.

In particular, he said, the document states that GSA will make the service component available through the federal enterprise architecture and that the Office of Management and Budget has designated GSA as the lead agency for the development, implementation and operation of the federal e-authentication infrastructure. Niemann said he questions whether this compound GSA/OMB management and implementation structure will be effective, and whether it will work with the federal enterprise architecture's new data reference model and the three related security and privacy, records management and geospatial data profiles.

The most immediate impact of GSA's announcement may not be felt in government but by vendors who supply the technology that will drive e-authentication.

For example, GSA already has a list of tested and certified products that agencies can purchase and integrate into their systems to be compliant with the ASC. The agency plans to add more products to the list, and that's attracting industry's attention.

Officials at Entrust, whose GetAccess product was one of the earliest approved for GSA list, think the government's e-authentication initiative is shaking industry's tree.

"For industry, this program has been a leader in the adoption of [identity] federation," said Chris Voice, vice president of technology at Entrust.

Following a technical review of GSA's e-authentication initiative last year, Dan Blum, the Burton Group's senior vice president and research director, predicted it would help increase the adoption of federated identity technology by promoting interoperability and opening new markets for products.

Other government/industry collaborations could also accelerate cross community federations, he said.

Gebel said GSA is leading industry in many ways by pushing federated identity. "It's true that there's just small pockets of vendors that are now focusing on such things as federated technology standards, but it is spreading into other areas, and there's a growing list of technologies such as [Secure Socket Layer-based virtual private networks] that are starting to support federation, as are application vendors such as SAP," he said.

Cook said he believes it will enable people to create solutions to the identity problem. "I think the [GSA announcement] as it stands is pretty complete and should help people move in the direction they want to go," he said.

Identifying an ideal solution

The General Services Administration identified the following design goals for the E-Authentication Service Component:

Standards: The architecture should rely on existing industry standards.

COTS: The architecture should use commercial products that are interoperable.

Federation: Authentication should be federated among multiple credential providers.

Durability: The architecture should be designed to allow for the evolution of technology, providing for easy migration as the industry and technology evolve.

Flexibility: The architecture should not create undue reliance on any single standard, vendor, product or integrator. Based on those requirements and design goals, the technical approach for E-Authentication is to allow for multiple identity management schemes, including identity proofing, credential technology, credential strength and credential management within a single architecture.

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above