PIV-I Identity Provider: Difference between revisions

From NIEF Wiki
Revision as of 18:06, 30 January 2019

This article describes how one can implement a NIEF-compliant Identity Provider that authenticates users who possess PIV-I cards that have been cross-certified with the Federal Bridge PKI.

Background

Personal Identification Verification Interoperable (PIV-I) cards are smart cards issued by various organizations, typically operating at the state and local government level. The standard is designed to be aligned/interoperable with the Federal standard for PIV. Supporting this type of user base with a turnkey Identity Provider capability has tremendous value.

This implementation guide is designed around the use of free and open sourced capabilities, primarily focusing on the use of the following:

Getting Started

This guide assumes the user is comfortable deploying a Linux (or equivalent) server with Apache HTTP, Java, and Tomcat. No specific Shibboleth experience is required to follow this guide. If a user is not comfortable deploying the prerequisites, they should acquire that experience or collaborate with help@nief.org before attempting to follow this guide. The authors tested this deploy guide with CentOS 7 (https://www.centos.org/), but any modern Linux distribution that includes packages for the Apache HTTP Server is expected to work. It is likely also possible to deploy to a Windows or other server environment, as long as the deployer is able to adapt the HTTP configuration steps accordingly and Java 8 is available for running Apache Tomcat and Shibboleth.

Enabling Authentication

TBD. Describe how to configure Apache HTTPD. Include a section on CA chaining. Include a section on OCSP/CRL. Include a sample PHP page for verifying authn and passing of credential data.
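The Apache side of this section is still to be written, so the following is an added illustration of the pieces it names (CA chaining, OCSP/CRL revocation checking, and handing the verified credential data to an application page). It is not configuration from the NIEF wiki or from the NIEF Identity Provider; the hostname, file paths and the /piv-login location are placeholders the deployer replaces. It targets Apache httpd 2.4 with mod_ssl and uses only standard mod_ssl directives.

```apache
# Added example, not part of the NIEF guide. Placeholder hostname and paths throughout.
<VirtualHost *:443>
    ServerName idp.example.org

    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /etc/pki/tls/certs/idp.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

    # CA chaining: one PEM bundle containing every CA that can appear in a
    # PIV-I card's certification path up to the Federal Bridge trust anchor,
    # including the cross-certificates that join the issuer's PKI to the bridge.
    # mod_ssl builds the path from this bundle; SSLVerifyDepth must be large
    # enough to cover the longest expected path, which is deep for bridged PKIs.
    SSLCACertificateFile /etc/pki/tls/certs/fbca-piv-i-bundle.pem
    SSLVerifyDepth 10

    # Advertise only the CA names the client should pick from in the TLS
    # CertificateRequest, so the card offers its PIV-I authentication
    # certificate rather than being shown the entire bundle.
    SSLCADNRequestFile /etc/pki/tls/certs/fbca-piv-i-request-names.pem

    # Revocation: query the OCSP responder named in each certificate's AIA
    # extension; mod_ssl fails the handshake if the responder cannot be reached.
    # CRLs in a c_rehash'd directory are checked for every certificate in the chain.
    SSLOCSPEnable on
    SSLOCSPResponderTimeout 10
    SSLCARevocationPath /etc/pki/tls/crls
    SSLCARevocationCheck chain

    # Require a client certificate for the whole vhost. Doing this at vhost
    # level (rather than per Location) avoids a TLS renegotiation after the
    # initial handshake.
    SSLVerifyClient require

    <Location /piv-login>
        # Export SSL_CLIENT_* variables plus the PEM certificate in
        # SSL_CLIENT_CERT so the application page can read the subject DN,
        # subjectAltName and the verification result.
        SSLOptions +StdEnvVars +ExportCertData
        # Only serve the page when mod_ssl itself reports a successful
        # chain and revocation check.
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
    </Location>
</VirtualHost>
```

With this in place the application page (PHP or otherwise) sees SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_CERT in its environment and should itself re-check that SSL_CLIENT_VERIFY is SUCCESS before trusting any field. The CRL directory must be populated and re-hashed (c_rehash or openssl rehash) on a schedule matching the issuers' CRL lifetimes, otherwise revocation checking silently depends on OCSP alone.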

Installing Shibboleth

TBD. Include download links. Specify how to run the installer. Specify how to enable trusted partners. Specify how to enable X.509 Authn. Specify how to enable Shibboleth within Apache Tomcat.

Configuring NIEF Attributes

TBD. Explain how attribute resolution works. Explain how attribute filtering works. Pointers to existing connectors on GitHub. Pointers to documentation on the Shibboleth wiki.

Testing

Just link to the NIEF Testbed part of the wiki.