GSA pursues single sign-on service

After several years of development, this month the General Services Administration formally published its plan to establish a decentralized identity management system that would enable secure single sign-on access for users of the government's online services.

Supporters consider the network crucial to the development of online services because it makes the user base easier to manage. As it stands now, every agency Web site requires visitors to register their user IDs and passwords to allow secure access to services.

Using a federated approach, the E-Authentication Service Component (ASC) will make it possible for one site to accept sign-on credentials registered at another site on the network.

If this catches on, potential users of government services — citizens, contractors, private businesses and other government entities — would be able to use one credential issued by a local government office or a financial institution to access any government service.

It's a big, positive step forward to solving the problem of identity management, said Bob Cook, executive chairman of Sigaba, a developer of secure messaging solutions.

The announcement doesn't necessarily break much new ground, he said, but knowing that they now have the ability to federate credentials should help move agencies forward.

"The next step will be for individual agencies to look at what is needed for this and then begin to work it into all of their secure communications," he said.

In the grand scheme of things, this is just one more step in the process, said Gerry Gebel, a senior analyst at the Burton Group, but it's a significant move. It's a public statement from GSA that, after running through a number of pilot tests to demonstrate and prove the concept of federated authentication, it does work, he said.

But he agreed with Cook that GSA's announcement alone isn't enough. "It's more than just having the technology ready," Gebel said. "Agencies still have to enable applications to take advantage of this new facility, they have to move forward on their side."

It's not only a matter of overcoming natural caution, however, because some fundamental questions are still unanswered. For example, although he was generally enthusiastic about GSA's notice and welcomed the many "good words" in the document, Brand Niemann, a computer scientist at the Environmental Protection Agency and a major proponent of Web services in government, thought it also raised questions.

In particular, he said, the document states that GSA will make the service component available through the federal enterprise architecture and that the Office of Management and Budget has designated GSA as the lead agency for the development, implementation and operation of the federal e-authentication infrastructure. Niemann said he questions whether this compound GSA/OMB management and implementation structure will be effective, and whether it will work with the federal enterprise architecture's new data reference model and the three related security and privacy, records management and geospatial data profiles.

The most immediate impact of GSA's announcement may not be felt in government but by vendors who supply the technology that will drive e-authentication.

For example, GSA already has a list of tested and certified products that agencies can purchase and integrate into their systems to be compliant with the ASC. The agency plans to add more products to the list, and that's attracting industry's attention.

Officials at Entrust, whose GetAccess product was one of the earliest approved for GSA's list, think the government's e-authentication initiative is shaking industry's tree.

"For industry, this program has been a leader in the adoption of [identity] federation," said Chris Voice, vice president of technology at Entrust.

Following a technical review of GSA's e-authentication initiative last year, Dan Blum, the Burton Group's senior vice president and research director, predicted it would help increase the adoption of federated identity technology by promoting interoperability and opening new markets for products.

Other government/industry collaborations could also accelerate cross-community federations, he said.

Gebel said GSA is leading industry in many ways by pushing federated identity. "It's true that there's just small pockets of vendors that are now focusing on such things as federated technology standards, but it is spreading into other areas, and there's a growing list of technologies such as [Secure Socket Layer-based virtual private networks] that are starting to support federation, as are application vendors such as SAP," he said.

Cook said he believes it will enable people to create solutions to the identity problem. "I think the [GSA announcement] as it stands is pretty complete and should help people move in the direction they want to go," he said.

Identifying an ideal solution

The General Services Administration identified the following design goals for the E-Authentication Service Component:

Standards: The architecture should rely on existing industry standards.

COTS: The architecture should use commercial products that are interoperable.

Federation: Authentication should be federated among multiple credential providers.

Durability: The architecture should be designed to allow for the evolution of technology, providing for easy migration as the industry and technology evolve.

Flexibility: The architecture should not create undue reliance on any single standard, vendor, product or integrator.

Based on those requirements and design goals, the technical approach for E-Authentication is to allow for multiple identity management schemes, including identity proofing, credential technology, credential strength and credential management within a single architecture.
