GFIPM Enablement of Resources
This article describes common methods of enabling applications to be used with a GFIPM Service Provider. Distinctions are made between new and legacy applications and how their enablement may differ.
From the user's perspective, the implementer's primary job is to make a large set of resources available on the Service Provider. From the implementer's perspective, the primary job is to retain and enforce the usage requirements of the resources; in other words, to ensure that access control and security requirements are met by all users. Techniques exist through which a wide range of legacy resources in the law enforcement domain can be made available to federation users. The process of making a resource available to federation users is called federation enablement.
As a federation grows, resource owners will look to the GFIPM model to help them realize the following value propositions of federated identity and privilege management.
- Achieve resource sharing with a large base of established users and partners who would normally not have access to their resources, while keeping costs low.
- Provide a simplified and improved user experience (via single-sign-on access to all federation resources, subject to access control policies).
- Provide better security and privacy protection for users' personal data (via the reduction or elimination of redundant data capture and storage processes).
But achieving federation enablement for a wide range of legacy resources can be challenging, because those resources are very diverse in many aspects, including application architecture, implementation platforms and vendor products, type and structure of resource, application functionality, support model, and security and access policies. Many insights and lessons about federation enablement of resources have been gained from current federation members during the process of federation-enabling several existing resources.
Application and Usage Requirements
Applications and resources tend to have usage requirements that must be met by all of their users. Most usage requirements fall into the following categories:
- Access Control: The application may impose certain access restrictions based on some combination of the user's rank, certifications, role, or some other important personal characteristics.
- Auditing: The application may log all actions performed by a user in an audit log for review, compliance, etc.
- Identification: The application may need to know the user's identity at all times while the user is using it.
- Inter-Session Persistence: The application may need to maintain status about the user from one session to another.
- Personalization: The application may need to maintain miscellaneous personal data about a user for the purpose of delivering certain features. For example, locality information would help the application deliver a list of alerts or bulletins that specifically pertain to a user's region or locality.
- Provisioning: The application may require that a user register a local account with it before using it.
One of the fundamental tenets of the GFIPM concept is that resource owners must be able to maintain control over the usage requirements of their resources within the federation and are not forced to modify the requirements in a manner they find unacceptable. GFIPM allows a wide range of existing resources and applications to be federation-enabled and made available to federation users in a manner that fulfills the usage requirements of those applications.
The GFIPM concept provides many valuable tools that help to simplify federation enablement of resources while still allowing those resources to meet their usage requirements.
- Federation-wide policy-level agreements and memoranda of understanding can form the basis of interagency trust, which can be layered with additional bilateral or community agreements as required.
- The basic SAML-based infrastructure provides a standard means of authentication/identification of users and the convenience of SSO.
- The GFIPM metadata provides detailed personal information about individual federation users, including identification, contact information, affiliations, memberships, certifications, and basic data access privileges within the user's home organization. This information can be trusted because it comes to the resource from a secure, trustworthy, authoritative source: the user's IDP.
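The following is an added example, not code from this article or from the GFIPM project, showing how a Service Provider can map the user metadata carried in a SAML assertion onto the usage requirements listed above: identification via the federation-wide user identifier, attribute-based access control, just-in-time provisioning of a local account that persists between sessions, and an audit record for every decision. The attribute names follow the `gfipm:2.0:user:*` naming style of the GFIPM metadata specification, but the exact names should be checked against the specification in force; the assertion fragment, the resource policy and the account store are all constructed for illustration. Signature and condition validation of the assertion is assumed to have already happened in the SP's SAML library.

```python
"""Mapping GFIPM user metadata from a SAML AttributeStatement onto a
resource's usage requirements (identification, access control,
provisioning/persistence, auditing).

Added example; not part of the article or of the GFIPM project code.
Attribute names are assumed to follow gfipm:2.0:user:* naming; the sample
assertion fragment, policy and account store are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FEDERATION_ID = "gfipm:2.0:user:FederationId"

# Constructed sample: the AttributeStatement an IDP would include in a
# signed SAML assertion for a federation user.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="gfipm:2.0:user:FederationId">
    <saml:AttributeValue>GFIPM:IDP:ExampleAgency:USER:jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="gfipm:2.0:user:GivenName">
    <saml:AttributeValue>Jane</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="gfipm:2.0:user:SurName">
    <saml:AttributeValue>Doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="gfipm:2.0:user:EmployerName">
    <saml:AttributeValue>Example County Sheriff's Office</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="gfipm:2.0:user:SwornLawEnforcementOfficerIndicator">
    <saml:AttributeValue>true</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed resource policy: each required attribute and its accepted
# values. An attribute that is absent from the assertion fails closed.
SAMPLE_POLICY = {
    "gfipm:2.0:user:SwornLawEnforcementOfficerIndicator": {"true"},
}


def parse_attributes(xml_text):
    """Return {attribute name: [values]}; SAML attributes may be multi-valued."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attribute in root.findall("saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attribute.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attribute.get("Name"), []).extend(values)
    return attrs


def evaluate_policy(attrs, policy):
    """Access control: every policy attribute must be present with an
    accepted value (compared case-insensitively). Returns (allowed, reason)."""
    for name, accepted in policy.items():
        present = {v.lower() for v in attrs.get(name, [])}
        if not present:
            return False, f"missing required attribute {name}"
        if not present & {a.lower() for a in accepted}:
            return False, f"attribute {name} has no accepted value"
    return True, "policy satisfied"


def provision_account(federation_id, attrs, store):
    """Provisioning and inter-session persistence: create the local account
    on first login, refresh identity data from the IDP on every login, and
    keep locally stored state (login count, preferences) across sessions."""
    account = store.setdefault(federation_id, {"logins": 0, "preferences": {}})
    account["display_name"] = " ".join(
        attrs.get("gfipm:2.0:user:GivenName", [""]) +
        attrs.get("gfipm:2.0:user:SurName", [""])).strip()
    account["employer"] = attrs.get("gfipm:2.0:user:EmployerName", [""])[0]
    account["logins"] += 1
    return account


def handle_federated_login(xml_text, policy, store, audit_log):
    """One SP login: identify, authorize, provision, audit. Returns (allowed, reason)."""
    attrs = parse_attributes(xml_text)
    federation_id = attrs.get(FEDERATION_ID, [""])[0]
    if not federation_id:
        allowed, reason = False, "assertion carries no FederationId; user cannot be identified"
    else:
        allowed, reason = evaluate_policy(attrs, policy)
        if allowed:
            provision_account(federation_id, attrs, store)
    # Auditing: record every decision, including denials, with the identity
    # the IDP asserted (or None when no identity was asserted).
    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event": "federated_login",
        "federation_id": federation_id or None,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    accounts, audit = {}, []
    print(handle_federated_login(SAMPLE_ATTRIBUTE_STATEMENT, SAMPLE_POLICY, accounts, audit))
    print(accounts, audit[-1], sep="\n")
```

The resource owner keeps control of the usage requirements by editing only `SAMPLE_POLICY` and `provision_account`; nothing about the federation's SAML exchange has to change. Note that the local account is keyed by the federation-wide identifier rather than by name or e-mail, so a user whose name or employer changes at the IDP keeps the same local state.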
The following articles will help federation implementers better understand the basic federation-enablement options that are available to them for various resource categories:
- Profiles and Techniques for Existing Resources
- Resource Integration Profiles
- Resource Integration Techniques