Choosing the Right Federation
1 Prerequisites
The reader should have a general understanding of the concepts of federated identity [1] and an executive-level understanding of the manner in which federated identity concepts are successfully tested and implemented for the justice community under the auspices of the Global Justice Information Sharing Initiative (Global) [2] through the Global Federated Identity and Privilege Management (GFIPM) project. If you do not already have this understanding, you should first read the article "GFIPM Concept: Federated Identity and Privilege Management", which is located on the GFIPM.net Website. [3]
2 Target Audience
This document is intended for business decision-makers, working in conjunction with their Information Technology (IT) support staff at justice and public safety organizations, who are tasked with expanding their capability to share critical information within and across jurisdictional, political, and geographical boundaries.
The purpose of creating or joining an Information Systems Sharing Federation is to securely and rapidly share information within a group of "trusted" business partners.
The purpose of this document is to provide a step-by-step guide to help decision makers select the federated identity solution that best suits their needs. The document will guide the reader through the steps necessary to select the most appropriate federation security solution. Each of these possible federated identity solutions is further discussed in some detail:
- Join the established GFIPM-based criminal justice identity federation called the National Information Exchange Federation (NIEF). [4]
  - Join NIEF as an individual enterprise.
  - If you are part of an existing federation, your federation can join NIEF and combine the benefits of your federation with those of NIEF.
  - Join NIEF using an identity management system through a GFIPM-based Trusted Identity Broker.
- Build your own identity federation using the Global Federated Identity and Privilege Management (GFIPM) guidelines for governance and operational policies and procedures. [5]
It is certainly possible to build an identity federation from scratch without the benefit of the GFIPM standard policies and procedures; however, that option will not be discussed in this document.
3 Value Proposition
Building or joining an existing GFIPM identity federation provides an organization with a cost-effective and interoperable security solution for promoting expanded information sharing by leveraging existing systems and resources without adding ongoing administrative burden.
By using the GFIPM federated identity solution, organizations can realize two major benefits. First, they can centralize the administration of their users’ roles and access privileges while providing greater authorized access to external systems in a more timely fashion. Second, organizations can provide authorized access to their existing systems to a broader base of users in other organizations, without the overhead of managing external user accounts. GFIPM provides the requisite technology and policy infrastructure for sharing system security, user authentication, and data access rules and attributes, which enables secure, legally compliant, and policy-conformant information-sharing transactions across system user communities.
In addition to benefiting organizations, GFIPM can also provide valuable benefits to end-users in the form of reduced complexity, increased convenience, and increased privacy when accessing internal and external data sources. These benefits include GFIPM’s single sign-on (SSO) technology as well as a rich and semantically precise taxonomy of information attributes about users. End-users will have fewer security forms to fill out, fewer passwords to memorize, fewer security credentials to manage, and tighter control over the personal information that is often required by data providers.
The net result of these benefits to the organization and users is broader information sharing. By providing participating organizations and systems with a means of sharing and enforcing their local access and authentication rules, we build a trusted environment in which broader information sharing is possible. By reducing the administrative access and user management burden on our justice and public safety organizations, we build an environment in which broader information sharing and more effective security management among our end users is sustainable.
4 Choosing the Right Federation: Join or Build?
The first step in providing your organization with a reliable and secure information-sharing capability via federated identity technology is to choose whether to join an established federation, build one from scratch, or do both. To help you make that decision, ask yourself the following questions.
1. Who are my organization's potential information-sharing partners? (i.e., which organizations have information that would be useful to my users and/or have users who would be interested in information that my organization controls?)
2. Are some or all of my organization's potential information-sharing partners already part of an identity federation?
3. Does my organization include users who could benefit from easy access to a greatly expanded set of information sources? (Do I want to be an Identity Provider (IDP)?)
4. Does my organization have information that would be valuable to a great many people, other than those who are already part of my current user base? (Do I want to be a Service Provider (SP)?)
5. Does my organization want to be both an IDP and an SP?
If you answered "no" to questions 3 and 4 above, then federated identity might not be right for you. You can stop reading here and investigate a more traditional access control solution. But if you answered "yes" to question 3 or 4, then you should continue reading to discover the path to the best federated identity solution for you.
4.1 Decision: Join an Established Federation
You should join an established information-sharing identity federation if you can answer "yes" to the majority of the following questions. (Note: If you answer "no" to the majority of these questions, you can proceed to the section titled Building an Identity Federation Based on GFIPM Standards.)
- Do some or all of my organization's potential information-sharing partners belong to one established federation? If so, are my organization's other information-sharing partners likely to join it as well?
- Does the underlying technical architecture of the federation match well with my organization's local technical architecture?
- Would my organization benefit from not having to create all of the policies, procedures, governance documents, and infrastructure required to launch and sustain a successful identity federation?
- Are the "rules" of the established federation agreeable to my organization (i.e., generally consistent with rules and policies that my organization already follows)?
- Is the established federation likely to survive in the long term?
- Will it cost my organization less to join the established federation than it would cost to create a federation from scratch and then attract partners to my federation?
There are currently two major justice-related secure information sharing federations operating at the national level.
- National Information Exchange Federation (NIEF)
- FBI Criminal Justice Information Services (CJIS) Trusted Broker Federation [6]
NIEF is the first operational information-sharing identity federation based upon all of the approved GFIPM standards. NIEF members include representatives from federal, state, local, and tribal law enforcement organizations (e.g., Los Angeles County, the Criminal Information Sharing Alliance (CISAnet), the Pennsylvania Justice Network (JNET), the Regional Information Sharing Systems (RISS), the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI)).
Currently, the FBI CJIS Trusted Broker partners are predominantly U.S. federal agencies (e.g., DOJ and DHS), although there are partners representing state, local, and tribal law enforcement (e.g., RISS and the Chicago Police Department). The remainder of this document will focus on joining NIEF, which is an established GFIPM-based justice-related federation that supports the full set of GFIPM attributes.
It should also be noted that the CONNECT Consortium [7], a justice-related secure information-sharing federation at the regional level, was built on version 1.0 of the GFIPM Metadata Specification. The current version of the GFIPM Metadata Specification is 2.0. The CONNECT Consortium has provided valuable implementation input that has resulted in significant improvements to the GFIPM standards.
4.2 Decision: Build a New GFIPM-Based Federation
You should consider building your own information-sharing identity federation based upon the GFIPM standards if the following statements are true.
- Your potential information-sharing partners are not already members of an established identity federation.
- You and your potential partners can dedicate the time needed to:
  - Review all the GFIPM documentation.
  - Adapt the documentation to the specific needs and environment of the partners’ systems.
  - Establish a federation governance structure to help expedite federation-wide decisions, resolve federation-wide technical issues, and resolve disputes among federation members.
  - Meet regularly to govern the federation.
- You and your partners can bear the cost of creating and maintaining the centralized management services required by any federation that has more than two members. Required support services typically include:
  - High-level support for partner help-desk services.
  - A centralized repository of federation standards, procedures, and technical documentation required for supporting the federation over the long term.
  - Administrative support for the governance function, including managing meetings, tracking agreements and disputes between partners, and assisting new and potential partners in joining the federation.
Even if some of your information-sharing partners already belong to a federation, you may still want to consider building your own federation with other partners and then joining the two federations together at a later date.
If you and your information-sharing partners have decided to build a federation, you can skip the next section (Joining NIEF) and proceed to the Building an Identity Federation Based on GFIPM Standards section below. Keep in mind that even if you build your own GFIPM-based federation, you can still join your entire federation to NIEF in the future.
5 Joining NIEF
This section describes the benefits of joining NIEF and also provides guidance for choosing how to join NIEF.
5.1 Immediate Benefits
There are several important benefits that your organization can realize by becoming a member of NIEF.
- More Resources: If you are joining NIEF as an IDP, you will immediately benefit from the wealth of justice-related information resources at all levels of government that are already available to you from the current NIEF partners. Examples of justice information systems that can provide immediate business value to your organization and users through NIEF include the Pennsylvania Justice Network (JNET) [8] at the state level, the Criminal Information Sharing Alliance (CISAnet) [9] at a multi-state level, the Regional Information Sharing Systems (RISS) [10] at a national and international level, and the Homeland Security Information Network (HSIN) [11], Law Enforcement Online (LEO) [12], and OneDOJ [13] at the federal level.
- More Users: If you join NIEF as an SP, you will immediately benefit from its more than 95,000 users [14] representing various justice-related organizations. The NIEF user base can immediately expand your information systems' user base without requiring you to manage any additional user accounts.
- Reduced Management Burden: When you join NIEF, you become a partner in an established federation that already has the necessary governance, administrative policies and procedures, and administrative and management staff in place to support the federation. Instead of creating these services from scratch, or even creating a new federation using the standard set of approved GFIPM documentation [15], you simply complete the application and onboarding process [16] and you can start sharing information.
Perhaps the greatest advantage of joining NIEF over creating a new federation from scratch using GFIPM standards is that in NIEF, the federation governance is already functioning. Below are some examples of the day-to-day operational responsibilities of the governance body for NIEF.
- Develop policies and guidelines pertaining to the definition and usage of the GFIPM Metadata Specification for end-user attributes.
- Implement approved processes for determining the membership of any new party in the federation.
- Develop a technical architecture and provide normative technical specifications describing it, including the interface specifications for technical interoperability within the federation.
- Conduct day-to-day operational services (e.g., audits, application review/completion, prepare materials for board meetings).
- Define and manage the change management processes for the federation.
- Conduct interoperability testing of candidate commercial products to determine their compatibility with federation standards and their suitability for use in the federation.
- Audit the conformance of applicants with respect to membership standards, including IDPs’ mapping of their local policies and user attributes into a federation standard attribute language and SPs’ mapping of their local access control policies into Boolean logic based on a federation standard attribute language.
- Manage and implement accepted federation standards and protocols operating within the federation.
- Be the accountable authority to ensure validity and completeness of the approved partner documents within the federation.
- Facilitate the roles, relationships and mutual obligations of all parties operating in the federation.
- Coordinate help-desk efforts and provide engineering support.
- Provide administrative support for the federation’s Board of Directors.
If you create your own federation, your federation will need to assume most or all of these responsibilities.
5.2 Which Type of NIEF Membership Is Best for You?
There are three types of NIEF memberships.
- Enterprise – If you control access to resources that your organization owns or enables, and you have the authority to make these resources available to NIEF members, and/or you have primary management responsibility for a set of user accounts for which you currently act as the IDP, then you can join NIEF as an Enterprise member.
- Existing Identity Federation – If your organization already participates in a SAML-based identity federation that has service providers and/or identity providers, and your federation partners wish to share information with members of NIEF, then you can join NIEF as an Existing Identity Federation.
- Trusted Identity Broker – If you provide identity brokering services, including translating various credentials to a single SAML-based credential for a number of organizations, you can join NIEF as a Trusted Identity Broker.
If you are not certain which type of membership is right for you, NIEF representatives will help you decide as part of the onboarding process described in the section How to Join NIEF below.
5.3 How to Join NIEF
Once you have decided to join NIEF, you can begin the onboarding process. Start by visiting the NIEF Website at https://nief.gfipm.net/ where you can discover more information about NIEF. To gain access to all of the documentation you will need to become a member of NIEF, please visit the "Prospective Members" page on the NIEF website at https://nief.gfipm.net/prospective.html. The first document you should read is the NIEF Operational Policies and Procedures document, which describes the process for onboarding to NIEF in great detail.
6 Building an Identity Federation Based on GFIPM Standards
The charter members of the GFIPM project have dedicated many person-years of effort to establishing a set of tools that can be used by any justice-related organization desiring to establish an information-sharing federation. These tools include normative technical standards, policy document guidelines and templates, and sample software implementations. Although you can certainly establish an identity federation without using the GFIPM guidance and documentation, in most cases it is wiser to take advantage of the existing tools that have already been completed and proven effective for this purpose. Also, should you later decide to connect your federation to NIEF or another justice-based federation that also uses the GFIPM standards, the likelihood of achieving interoperability at a technical and policy level will be very high.
If you have decided to base your identity federation on the GFIPM standards, you should keep in mind that all of the lessons that were learned through this pioneering project are encapsulated in the suite of GFIPM work product documents that are available at http://gfipm.net/. The first step in the process of establishing an identity federation built on GFIPM standards is to become familiar with these standards.
6.1 Get Familiar with the Details
After you are familiar with the information available on the GFIPM.net website, you can start the process of establishing your own identity federation by reviewing and discussing the following two GFIPM resources with your federated identity information-sharing partners:
- GFIPM Operational Policies and Procedures Guidelines [17] – This document describes the operational policies and procedures that govern the basic operation of a federation for trusted information sharing, including federation membership, change management for federation standards, help-desk policies, etc. It also contains some normative language related to operational protocol between parties in the federation.
- GFIPM Implementation Wiki [18] – This is a community-supported website that provides detailed instructions for implementing identity providers (IDPs) and service providers (SPs), which are the two ways that organizations can participate in user-to-system transactions as specified in the GFIPM Web Browser User-to-System Profile. The wiki contains articles that cover all aspects of IDP and SP implementation, from requirements analysis to system deployment.
6.2 Get Executive Support
Perhaps the most critical task in establishing an identity federation is acquiring committed support from the executives at each of the partner agencies. The executives must provide that support with the full understanding of the potential costs in time and money that will be required to see this endeavor through to success. It would be a good idea to develop a business plan that explains the purpose and value proposition of your proposed federation. You can use the wealth of information about GFIPM that exists on the GFIPM.net website as the foundation for your business plan.
If you and your partners already have a governance board where executives from each of the partner organizations have input, you may want to seek executive support through this existing body.
6.3 Get Organized
Once you have executive support, it is imperative to the success of your venture that you establish a governance structure to manage the implementation of the federation. The GFIPM Governance Guideline [19] document provides some direction on how your federation can be governed. This document defines the governance structure for a GFIPM federation, including the parties that play a role in the governance structure (e.g. Board of Directors, Federation Management Organization, Identity Provider Organizations, Service Provider Organizations, Trusted Identity Broker Organizations, etc.) and the responsibilities and decisions made by each party.
One of the first orders of business for the federation governance body is to establish a working group of key technical and policy persons who will review all of the GFIPM documentation, decide which parts of the GFIPM solution apply to your federation, and guide the implementation process according to those decisions. The members of this working group must be able to represent their respective organizations in technical and policy decisions. Also, for the sake of continuity, these persons must, as much as possible, remain part of the working group throughout the process, at least until the federation is up and running.
6.4 Get Started
At a high level, the working group can accomplish its goals with the help of GFIPM documentation by facilitating the completion of each of the following tasks by each federation partner.
- Identify their role in the federation as an Identity Provider (IDP), Service Provider (SP), or both.
- Review the GFIPM technical standards and make a recommendation to the governance body as to how the federation should implement them.
- Review the GFIPM Operational Policies and Procedures Guidelines and the GFIPM Implementation Wiki and develop a plan for implementing the federation based upon the information they provide.
- Begin the process of application submission, review, and approval.
- Begin the technical implementation and on-boarding processes for each of the federation partners.
Based upon the working group’s input, the governance body should make the necessary decisions for setting up and creating the operational entity (Federation Management Organization) that will support the federation. The Federation Management Organization will manage the day-to-day operations of the federation, including implementing and managing any common shared infrastructure (e.g., the federation’s Identity Provider Discovery Service, Certificate Authority, and help desk function) necessary to support the federation.
7 Glossary
Attributes are professional characteristics of a user that have been verified by an IDP, which allow that user to access particular sets of services provided by an SP.
A Federation Management Organization is responsible for the day-to-day operations of the federation.
Governance entails the establishment and ongoing operation of a formal organizational structure that: (1) ensures the federation is operating according to its adopted policies and procedures, and (2) handles the resolution of any disputes that may arise between federation partners or between the federation and any other entity.
An Identity Provider Organization (IDPO) is an organizational entity that manages users and user identities. An IDPO conveys information about an end user to a Service Provider Organization (SPO) and performs basic user management tasks such as vetting, credentialing, and authentication.
A Service Provider Organization (SPO) is an organizational entity that manages resources. An SPO maintains complete, autonomous control of its resources and performs basic resource management tasks, including definition and enforcement of resource access requirements and access control policies based on information provided about users from Identity Provider Organizations.
[1] For some descriptions of Federated Identity, see http://en.wikipedia.org/wiki/Federated_identity or http://msdn.microsoft.com/en-us/library/ms996532.aspx#wsfedint_topic1.
[2] For more information on Global, see http://www.it.ojp.gov/default.aspx?area=globalJustice.
[3] For more information on GFIPM, see http://gfipm.net/about.html.
[4] For more information on NIEF, see https://nief.gfipm.net/.
[5] To review the complete set of standards, guidelines, and documentation templates created through the GFIPM program, along with other pertinent resources, please see http://gfipm.net/.
[6] The CJIS Trusted Broker was established in October 2010 as a permanent replacement for the Law Enforcement Information Sharing Program (LEISP) Trusted Broker Pilot. (See "FIDM Pilot" at http://www.justice.gov/jmd/ocio/leisp/initiatives.htm.)
[7] For more information about the CONNECT Consortium, please see http://connectconsortium.org/.
[8] For more information on JNET, see http://www.pajnet.state.pa.us/portal/server.pt/community/pennsylvania_justice_network/4424.
[9] For more information on CISAnet, see https://sp.cisanet.net/aboutcisa.html.
[10] For more information on RISS, see www.riss.net.
[11] For more information on HSIN, see http://www.dhs.gov/files/programs/gc_1156888108137.shtm.
[12] For more information on LEO, see http://www.fbi.gov/about-us/cjis/leo/leo.
[13] For more information on OneDOJ, see http://www.justice.gov/jmd/pia/onedoj-pia.pdf.
[14] Approximate number of users for the following NIEF IDPs: JNET = 37,883; RISS = 50,000; CISAnet = 8,000.
[15] For a complete set of GFIPM documentation, please see http://gfipm.net/.
[16] For detailed information and instruction on joining NIEF, please see https://nief.gfipm.net/.
[17] See the GFIPM Operational Policies and Procedures Guidelines at http://gfipm.net/guidelines.html.
[18] See the GFIPM Implementation Wiki at https://impl.gfipm.net/.
[19] See the GFIPM Governance Guideline document at http://gfipm.net/guidelines.html.