GFIPM Enablement of Resources

From GFIPM Implementation Wiki


This article describes common methods of enabling applications to be used with a GFIPM Service Provider (SP). Distinctions are made between new and legacy applications and how their enablement may differ.

Introduction

From the user's perspective, the implementer's primary job is to make a large set of resources available on the Service Provider. From the implementer's perspective, the primary job is to retain and enforce the usage requirements of those resources; in other words, to ensure that the access control and security requirements are met by every user. Techniques exist through which a wide range of legacy resources in the law enforcement domain can be made available to federation users. The process of making a resource available to federation users is called federation enablement.

As a federation grows, resource owners will look to the GFIPM model to help them realize the following value propositions of federated identity and privilege management.

  • Achieve resource sharing with a large base of established users and partners who would normally not have access to their resources, while keeping costs low.
  • Provide a simplified and improved user experience (via single-sign-on access to all federation resources, subject to access control policies).
  • Provide better security and privacy protection for users' personal data (via the reduction or elimination of redundant data capture and storage processes).

But achieving federation enablement for a wide range of legacy resources can be challenging, because those resources are very diverse in many respects: application architecture, implementation platforms and vendor products, type and structure of the resource, application functionality, support model, security and access policies, and so on. Many insights and lessons about federation enablement have been gained from current federation members during the process of federation-enabling several existing resources.

Applications and resources tend to have usage requirements that must be met by all of their users. Most usage requirements fall into the following categories:

  • Terms of Use: The application may require that a user agree to specific terms of use before using it.
  • Provisioning: The application may require that a user register a local account with it before using it.
  • Inter-Session Persistence: The application may need to maintain status about the user from one session to another.
  • Identification: The application may need to know the user's identity at all times while the user is using it.
  • Access Control: The application may impose certain access restrictions based on some combination of the user's rank, certifications, role, or other important personal characteristics.
  • Auditing: The application may log all actions performed by a user in an audit log for review, compliance, etc.
  • Personalization: The application may need to maintain miscellaneous personal data about a user for the purpose of delivering certain features. For example, locality information would help the application deliver a list of alerts or bulletins that specifically pertain to a user's region or locality.

One of the fundamental tenets of the GFIPM concept is that resource owners must be able to maintain control over the usage requirements of their resources within the federation and are not forced to modify the requirements in a manner they find unacceptable. GFIPM allows a wide range of existing resources and applications to be federation-enabled and made available to federation users in a manner that fulfills the usage requirements of those applications.

The GFIPM concept provides many valuable tools that help to simplify federation enablement of resources, while still allowing those resources to meet their usage requirements.

  • Federation-wide policy-level agreements and memoranda of understanding can form the basis of interagency trust, which can be layered with additional bilateral or community agreements as required.
  • The basic SAML-based infrastructure provides a standard means of authentication/identification of users and the convenience of SSO.
  • The GFIPM metadata provides detailed personal information about individual federation users, including identification, contact information, affiliations, memberships, certifications, and basic data access privileges within the user's home organization. This information can be trusted because it comes to the resource from a secure, trustworthy, authoritative source: the user's IDP.
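As an added example (not code from the GFIPM wiki or from any NIEF member), the following shows how a Service Provider can satisfy the Access Control and Auditing usage requirements listed above using the user attributes its IDP delivers in a SAML assertion. The attribute names follow the gfipm:2.0:user naming style but are assumptions here, as is the sample assertion, which is constructed for illustration.

```python
# Added example, not part of the GFIPM wiki: SP-side enforcement of the
# "Access Control" and "Auditing" usage requirements from GFIPM user
# attributes carried in a SAML assertion issued by the user's IDP.
# The attribute names are assumptions in the GFIPM naming style.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PREFIX = "gfipm:2.0:user:"

# Constructed sample assertion. A real assertion is signed by the IDP and the
# signature must be validated before any attribute in it is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.gov/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="gfipm:2.0:user:FederationId">
      <saml:AttributeValue>GFIPM:IDP:EXAMPLE:USER:jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="gfipm:2.0:user:SwornLawEnforcementOfficerIndicator">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="gfipm:2.0:user:28CFRCertificationIndicator">
      <saml:AttributeValue>false</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {short_name: [values]} for every gfipm:2.0:user attribute."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        name = a.get("Name", "")
        if name.startswith(PREFIX):
            values = a.iterfind("saml:AttributeValue", NS)
            attrs[name[len(PREFIX):]] = [v.text or "" for v in values]
    return attrs

def is_true(attrs, name):
    # An absent indicator is treated as false (deny by default).
    return attrs.get(name, ["false"])[0].strip().lower() == "true"

def authorize(attrs, required_indicators):
    """Deny unless every required indicator is present and 'true'."""
    missing = [n for n in required_indicators if not is_true(attrs, n)]
    return (len(missing) == 0, missing)

def audit_record(attrs, resource, allowed):
    """Audit entry keyed by the federation-wide id, not a local account."""
    subject = attrs.get("FederationId", ["<unknown>"])[0]
    return {"subject": subject, "resource": resource, "allowed": allowed}
```

The resource owner keeps its policy (which indicators are required) entirely on the SP side, so the IDP only asserts facts about the user and never decides access.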

The following information will help federation implementers better understand the basic federation enablement options that are available to them for various categories of resources:


Profiles and Techniques for Existing Resources

To provide a more concrete perspective on the discussion about integration profiles and integration techniques in the previous two sections, this section contains summary information about how resources currently in the federation were federation-enabled.

The table below lists a sample of NIEF resources together with the integration profile and integration technique used to GFIPM-enable each one. It is important to note that while the table gives some insight into the breakdown of GFIPM resources for federation enablement purposes, it is not necessarily representative of the broader set of information sharing resources in the justice community.


| Resource Name | Integration Profile | Integration Technique |
|---|---|---|
| CISA Arizona Counter-Terrorism Information Center (ACTIC) | 1 | 1 |
| Arizona Sex Offender Information Center | 1 | 1 |
| Arizona Amber Alert | 1 | 1 |
| Georgia Bureau of Investigation Sex Offender Registry | 1 | 1 |
| Oklahoma State Bureau of Investigation Officer Safety Bulletin | 3 | 2 |
| Texas Criminal Law Enforcement Online (CLEO) | 3 | 2 |
| California Joint Regional Information Exchange System (JRIES) | 3 | 2 |
| CISAnet Federated Query Tool | 2 | 3 |
| JNET Pennsylvania Department of Corrections Intake/Exit Photos | 3 | 2 |
| Pennsylvania Arrest Warrants Outstanding for Parolees who Failed to Report (Absconders) | 3 | 2 |
| Pennsylvania State Prisoner Locator | 3 | 2 |
| Pennsylvania Criminal Trial Case Information | 3 | 2 |
| Pennsylvania Arrest Warrants Outstanding for Failure to Pay Child Support | 3 | 2 |
| Pennsylvania Amber Alert | 3 | 2 |
| GFIPM Lessons Learned | 1 | 3 |
| RISS HSIN Counterterrorism Briefs, Reports, and Documents | 1 | 3 |
| RISS Counterterrorism Briefs, Reports, and Documents | 1 | 3 |

Table: Integration Profiles and Integration Techniques for Resources in NIEF