Solution Overview

For customers that require a stronger level of authentication, such as multi-factor authentication using a certificate-based PIV card, OnCloud has built-in capability to support this increasingly common use case. A Personal Identity Verification (PIV) card is a United States federal smart card that contains the data needed to grant the cardholder access to federal facilities and to assure appropriate levels of security for all applicable federal applications; the Department of Defense (DoD) equivalent of a PIV card is known as a Common Access Card (CAC). Following the recent OPM security breach, this use case is becoming more common: many federal agencies whose applications hold sensitive data are now under a mandatory requirement to strengthen their levels of authentication.

This technote will address how you can meet this mandatory compliance requirement with OnWire’s comprehensive Identity and Access Management (IAM) Platform – OnCloud®. OnCloud follows FedRAMP standards, has a presence in SoftLayer FedRAMP-compliant datacenters, and utilizes IBM’s market-leading IAM technology, which includes the following products:

      • IBM Security Access Manager (ISAM): ISAM combines user access management and web application protection into a highly scalable user authentication, authorization, and web Single Sign-On (SSO) solution. ISAM safeguards user access to online applications and helps protect them against advanced web threats.
      • IBM Security Federated Identity Manager (TFIM): TFIM provides web and federated Single Sign-On (SSO) to users throughout multiple applications. TFIM uses federated SSO for security-rich information sharing for private, public, and hybrid cloud deployments.
      • IBM Security Identity Manager (ISIM): ISIM enables organizations to drive effective identity management and governance across the enterprise. ISIM helps strengthen regulatory compliance and security by reducing the risk of identity fraud; it automates the creation, modification, recertification, and termination of user privileges, and supports policy-based password management throughout the user lifecycle.

In this technote, we’ll discuss how OnCloud provides a solution to a common PIV use case. First, let’s outline the basics: assume a customer with a Software-as-a-Service (SaaS) or external web application would like to enable multi-factor PIV authentication. This SaaS application requires the following additional user attributes:

      • First Name / Last Name
      • Email Address / Groups
      • Organizational Department
      • Telephone Number

As you know, an actual PIV card carries very little user data: you are usually limited to the user’s email address or Distinguished Name (DN), which is not typically sufficient to authenticate and identify a user. What makes OnCloud comprehensive is its ability to enhance the user’s credential with additional attributes that are not stored on the PIV card certificate. An example scenario flow is included below.


Example Scenario

A user first logs into the OnCloud portal and is presented with an option for “PIV Authentication”. The user has a PIV card reader attached to their workstation that provides their PIV certificate to their browser. When the user selects multi-factor PIV authentication on the OnCloud Portal, the user’s certificate is presented to OnCloud, where it is verified and its attributes are enhanced, allowing the user to be federated to external applications with the newly formed credential. The external application then ingests the enhanced credential and uses it to make the required decisions.

To give more background on the specifics of this scenario, let’s take a closer look at how the individual IBM Security products interact to provide this capability. First, ISAM provides seamless certificate validation at the reverse-proxy level, which enables PIV authentication. TFIM provides federation to external applications and integrates with ISAM; after certificate validation, TFIM federates end users to their desired applications. Finally, ISIM stores the identities that will use PIV authentication, so that identity information can be included alongside the attributes contained on the PIV card. Both a high-level and a low-level overview of OnCloud’s Multi-Factor PIV Log-In Services are included below.


OnCloud PIV Authentication – High Level Overview


  1. User inserts PIV card into their system and logs into the OnCloud Portal
  2. PIV certificate containing base attributes is sent to OnCloud
  3. OnCloud verifies the certificate with the Certificate Authority
  4. An enhanced credential is built for the user by combining the base PIV card attributes and attributes from the OnCloud user directory
  5. User selects a federated application from within the OnCloud Portal
  6. User is redirected to the application with a valid session and enhanced credential


OnCloud PIV Authentication – Low Level Overview


  1. User presents PIV card to OnCloud through the SSL handshake
  2. OnCloud verifies the certificate is acceptable through signature and certificate status checks
  3. PIV attributes or password authentication is used to associate the PIV card credential with an existing Identity Record, or a new Identity Record is provisioned
  4. A credential is built using the PIV certificate and Identity record
  5. User selects a federated application from the list
  6. SAML assertion is provided to the application with attributes sourced from the PIV certificate and Identity Record
  7. User is redirected to the application with a valid session
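As an added example (not OnCloud’s or IBM’s own code), the following Go program models steps 2 to 4 of the low-level flow with Go’s standard crypto/x509 verifier: the chain, validity window and client-authentication key usage are checked, the serial number is checked against a revocation set, and the card’s subject DN is associated with a directory record whose attributes are merged into the enhanced credential that step 6 would carry in the SAML assertion. The directory contents, the revoked set and the IssueTestCard helper are constructed for the demo; a real deployment would consult the ISIM directory and the issuing CA’s CRL or OCSP responder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Constructed sample data: the user directory keyed by the card's subject DN, and serials the CA reports revoked.
var directory = map[string]map[string]string{"CN=DOE.JANE.1234567890": {"FirstName": "Jane", "LastName": "Doe",
	"Email": "jane.doe@agency.example", "Department": "Cyber Ops", "Telephone": "+1-555-0100", "Groups": "analysts"}}
var revoked = map[string]bool{} // a deployment would consult the issuing CA's CRL or OCSP responder instead

// BuildCredential covers steps 2 to 4: verify chain and status, associate the card with an identity record, merge attributes.
func BuildCredential(leaf *x509.Certificate, roots *x509.CertPool) (map[string]string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err // signature, validity window, trust anchor or client-auth key usage check failed
	}
	if revoked[leaf.SerialNumber.String()] { // certificate status check
		return nil, errors.New("certificate revoked")
	}
	rec, ok := directory[leaf.Subject.String()]
	if !ok { // the page allows provisioning a new record here; this demo refuses unknown cardholders
		return nil, errors.New("no identity record for " + leaf.Subject.String())
	}
	cred := map[string]string{"SubjectDN": leaf.Subject.String()} // the one attribute sourced from the card
	for k, v := range rec { // enhanced with the attributes the card does not carry
		cred[k] = v
	}
	return cred, nil
}
// IssueTestCard mints a throwaway CA and a PIV-style client certificate so the demo runs offline (constructed).
func IssueTestCard(notAfter time.Time) (*x509.Certificate, *x509.CertPool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo PIV CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	cardPub, _, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "DOE.JANE.1234567890"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, ca, cardPub, caKey)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return leaf, pool
}
```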


Solution Summary

To summarize, OnCloud easily and efficiently offers multi-factor PIV authentication capabilities to third-party service providers from a centralized portal. With the added ability to enhance session credentials with custom attributes, the full value of OnCloud can be realized by offering end users the ability to authenticate to external applications with attributes of their choosing.