PIV-I Identity Provider

From NIEF Wiki
Revision as of 16:35, 30 January 2019 by Jeff.Krug

This article describes how to implement a NIEF-compliant Identity Provider that authenticates users who possess PIV-I cards that have been cross-certified with the Federal Bridge PKI.

Background

Personal Identity Verification Interoperable (PIV-I) cards are smart cards issued by various organizations, typically operating at the state and local government level. The standard is designed to be aligned and interoperable with the Federal standard for PIV. Supporting this type of user base with a turnkey Identity Provider capability has tremendous value.

This implementation guide is designed around the use of free and open source capabilities, primarily focusing on the use of the following:

Getting Started

TBD. Assumes the user is comfortable deploying a Linux (or equivalent) server with Apache HTTP, Java, and Tomcat. No specific Shibboleth experience is required to follow this guide. A user who is not comfortable deploying the prerequisites should acquire that experience or collaborate with help@nief.org before attempting to follow this guide.

Enabling Authentication

TBD. Describe how to configure Apache HTTPD. Include a section on CA chaining. Include a section on OCSP/CRL. Include a sample php page for verifying authn and passing of credential data.

Installing Shibboleth

TBD. Include download links. Specify how to run the installer. Specify how to enable trusted partners. Specify how to enable X.509 Authn. Specify how to enable Shibboleth within Apache Tomcat.

Configuring NIEF Attributes

TBD. Explain how attribute resolution works. Explain how attribute filtering works. Pointers to existing connectors on github. Pointers to documentation on the Shibboleth wiki.

Testing

Just link to the NIEF Testbed part of the wiki.