EPIC: Authentication/Authorization Management

[afeld]

What software-as-a-service (SaaS) do we use that can be hooked up to existing in-house authentication providers?

Authentication options:

• SecureAuth
  • https://drive.google.com/file/d/1BWTSFMAfUzPqgQ2p3Ks-oVDbXZZzHtOq/view
  • https://docs.google.com/document/d/1_tJlC_GcUG6n6641iIg4QSfwSb3h8ginLhIW3EFj4C0/edit
• login.gov
• cloud.gov UAA
• Google
• GitHub
• AWS SSO
• ForgeRock through FAS
• Okta
• MAX.gov Authentication

Authorization options:

• IAM?
• GitHub teams?
• Sailpoint - being rolled out by GSA
• AWS Directory Service
• AWS Cognito

We may need separate systems to handle authentication and authorization. The benefits for users are having fewer accounts to manage and fewer credentials. The big potential benefit on the administration side is automatic granting/revoking of access, based on things like:

• Having an @gsa.gov email address
• Being a member of the 18F staff Github team

This could cut out a lot of need for #admin-* acitivites, which is purely toil, making onboarding and offboarding easier and more consistent. Example services that would be good candidates:

• Trello - requires Business Class
• Slack
• GitHub - SAML requires Enterprise, but could sync team additions/removals
• HackerOne
• AWS
• Mural - requires Enterprise for SAML
• HubSpot
• CloudCheckr
• StatusPage
• New Relic
• Adobe

Will make sense to break each out to a separate issue once we want to prioritize them.

cc #27

[afeld]

Per @mogul in Slack:

[SecureAuth is] SAML 2.0. There's likely traffic on the topic in the cloud-gov-operators Google Group with someone in GSA IT

[amoose]

HubSpot, too? Login.gov is going to get an enterprise license for HubSpot which supports external IdPs.

[afeld]

Notes from 8/2 meeting.

[afeld]

Split the list at the top into authentication and authorization. Please double-check, and feel free to edit directly if I got any wrong.

[brittag]

For cloud.gov, GSA SecureAuth and Google SSO are by far the best auth options for our security compliance requirements (because GSA SecureAuth is a "corporate" service that we use already, and G Suite has a Moderate FedRAMP authorization and we use it already). Anything else may require extra paperwork for us and could potentially be a blocker for us. For example, our authorizing team has previously disapproved of us using GitHub auth for non-GitHub services, especially because our use of GitHub does not have a FedRAMP Authorization (only the GitHub Enterprise Cloud product does, and that's only Low impact).

[amoose]

SecureAuth utilizes SHA1 signatures, redirects to arbitrary URLs and does not validate RP signatures.