Appendix T

KEUPS Integration

The CHFS security system, Kentucky Enterprise User Provisioning System (KEUPS), shall be utilized and integrated into the final systems design. KEUPS leverages .NET 4.0, SQL 2008 and ADFS 1.1. The Commonwealth envisions upgrading to ADFS 2.0, which may warrant some changes to current functionality.

All appropriate security functions for these solutions shall be integrated with KEUPS, which is an identity management and single sign-on system with workflow-based user provisioning/de-provisioning, support for extended security attributes, and support for claims-aware applications via an Active Directory Federation Services (ADFS) based runtime authentication environment.

The following diagram depicts the technical layers within the solution:

Figure 1 - KEUPS Conceptual Layers

For systems to integrate with KEUPS, applications must support Microsoft’s ADFS standards-based Web Single Sign-On (SSO) service, which enables federated identity by implementing claims-based authentication. A claim is a declaration made by an entity (e.g. name, identity, group, privilege, attribute, etc.). The section below discusses the fundamental architecture, the technology standards, and how an application is envisioned to integrate.

1. SSO, Authentication and User Provisioning

a. Access to Applications will be handled through integration with KEUPS.

b. Internal Users (such as state employees) and External Users will be handled differently in KEUPS.

c. Web applications will interface with KEUPS through ADFS.

d. New applications integrating with KEUPS must be ADFS/WS-Federation compliant (claims-aware) applications.

e. Links to the Applications that users are authorized to access will be provided via the KEUPS landing page.

2. Security Roles

a. Application access levels will be handled via user roles associated with functions and permissions defined within each application.

b. Applications will be registered within KEUPS.

c. Application user roles will be provided by the individual applications and defined in KEUPS.

d. KEUPS only handles provisioning/access security. Individual applications will be responsible for implementing the functions and permissions of each role type. Applications will also need to maintain authorization and logging of actions once a user has gained access.

e. Applications will use the SAML token passed by KEUPS. This SAML token will provide the application with information about the user’s identity and membership in roles.
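
An added illustration, not code from KEUPS or the Commonwealth, of the split described in items d and e: role membership arrives as claims, and the application maps roles to its own permissions, denies by default and logs every decision. It assumes the federation layer has already validated the token (signature, issuer, audience, validity period); the claim type URIs are assumed, and the role names, permissions and sample users are hypothetical.

```python
import logging

# Assumed claim type URIs (standard WS-Federation/WIF names); the types KEUPS
# actually issues are agreed with the CHFS Security Team during on-boarding.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Hypothetical application roles (as registered in KEUPS) mapped to the
# permissions this application implements for each of them.
ROLE_PERMISSIONS = {
    "CaseWorker": {"case.read", "case.update"},
    "Supervisor": {"case.read", "case.update", "case.approve"},
    "Auditor": {"case.read", "audit.read"},
}

audit_log = logging.getLogger("app.audit")


def resolve(claims):
    """Return (user, permissions, unknown_roles) for validated (type, value) claims."""
    names = [v for t, v in claims if t == NAME_CLAIM]
    user = names[0] if len(names) == 1 else None  # missing or ambiguous identity
    permissions, unknown = set(), []
    for role in (v for t, v in claims if t == ROLE_CLAIM):
        if role in ROLE_PERMISSIONS:      # exact, case-sensitive match
            permissions |= ROLE_PERMISSIONS[role]
        else:
            unknown.append(role)          # unrecognized roles grant nothing
    return user, permissions, unknown


def authorize(claims, permission):
    """Deny by default; record every decision in the application's audit log."""
    user, permissions, unknown = resolve(claims)
    allowed = user is not None and permission in permissions
    # %r escapes control characters so claim values cannot forge log lines.
    audit_log.info("user=%r permission=%r allowed=%s unknown_roles=%r",
                   user, permission, allowed, unknown)
    return allowed


# Constructed sample claim sets, not taken from a real KEUPS token.
WORKER = [(NAME_CLAIM, "jdoe@example.org"), (ROLE_CLAIM, "CaseWorker")]
MIXED = [(NAME_CLAIM, "asmith@example.org"), (ROLE_CLAIM, "supervisor"),
         (ROLE_CLAIM, "Auditor")]
NO_NAME = [(ROLE_CLAIM, "Supervisor")]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for who, perm in ((WORKER, "case.update"), (MIXED, "case.approve"),
                      (NO_NAME, "case.read")):
        print(perm, authorize(who, perm))
```
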

3. User Store

a. The repository of user enrollment and attributes will be held within the KEUPS store.

b. To gain access to this information, the application will need to integrate via an API or access the information via the SAML token.

c. Applications will make API calls directly to KEUPS through the secure (HTTPS) SOAP-based web services.

d. The API will be utilized for user profile queries, retrieving application user agreements, credentialing, etc.

e. A base API will be provided for customization and implementation by the on-boarding application.

4. Environments

a. New on-boarding applications will be responsible for all aspects of solution environment integration with KEUPS such as:

  • Mapping and integration of application environments with KEUPS environments
  • Integration testing
  • End to end testing of all API(s)
  • Performance testing
  • Design Documentation

b. As part of the integration efforts, new Applications will also be responsible for providing items such as:

  • List of Application Roles
  • Workflow for each role (i.e. approvers and credentials)
  • Requirements for any claims that will be packaged in the SAML token
  • Information needed via API must be prescribed.
  • Integration Documentation

The Vendor shall not be responsible for changes in the KEUPS application. The Vendor shall be responsible for performing all JAD sessions necessary to design all security requirements, integrating the solutions into the KEUPS environment and any development required by the solutions outside KEUPS functionality.

5. Major KEUPS Functionality for Internal Users:
    1. Application Management – All solutions shall be defined in KEUPS.
    2. Account Creation – All internal users must have an account on the existing CHFS Active Directory and be defined in KEUPS. If this account does not exist, KEUPS shall be utilized for new account creation.
    3. Role Management – Each solution shall be defined as an application in KEUPS, and any necessary security role types shall be configured and managed in KEUPS. This information shall be passed to the solution.
    4. Internal User Account Management – KEUPS will handle all user account management. This functionality includes creating, updating and terminating users and user access to each application within KEUPS. All internal users shall be managed via KEUPS in order to have access to a specific role for each solution.
    5. User/Usage Agreements – Enterprise and Departmental User/Usage Agreements and user responses to such agreements shall be stored and maintained in KEUPS. Solutions must acquire an agreement from KEUPS via a Web Service API in order to display the agreement to the user and must return the user response to KEUPS for storage.
    6. Single Sign-on – All on-boarding applications must participate in the KEUPS Single Sign-on solution, which will provide access to all solutions via the KEUPS landing page without requiring the user to sign on to any of these applications and/or launch the application from each application’s web page. All application access will be initiated from the KEUPS landing page.
    7. Two-factor authentication is required for all users who utilize KEUPS to access their application. The first factor is their workstation login ID and the second is a four-digit PIN that is user self-administered. This is currently implemented within the solution.
6. Additional KEUPS Functionality for External Users:
    1. User Registration – Citizen User Registration shall occur via KEUPS. The process shall require the requesting user to provide an e-mail address, select and answer two security questions, and submit an e-mail verification response.
    2. User Request for Access – Following User Registration, KEUPS shall present the user with the ability to request access to an application.
    3. Credential Management – During the request for access, the user shall be required to enter various credentialing and non-credentialing information. This information shall be made available to the user and may be updated at user request.
    4. Password Management – During User Registration the user shall be required to provide a password. KEUPS password management includes current industry security standards as they relate to challenge questions and responses, user profile updates, and account and password resets.
7. Vendor KEUPS Security Responsibilities. The Vendor shall:
    1. Work with the CHFS Security Team and facilitate JAD sessions necessary to identify and design all aspects of the solutions necessary to assure a seamless integration of all solutions with KEUPS.
    2. Coordinate, communicate and facilitate business and technical JAD sessions in order for the Vendor to design and develop all security roles, credential types and validation requirements and any required additional components to assure robust security for all solutions.
    3. Applications integrating with KEUPS shall be designed as ADFS/WS compliant. The Vendor shall work with the Commonwealth Security Team to define custom claim data necessary for secure access to the solutions.
    4. Design, develop, test and implement all solution functionality required to validate credentials, pass validation and user agreement information back to KEUPS, assure access to information is restricted by security role and custom claim data, and any required additional security components necessary for successful implementation of the solutions.
    5. Design and develop all solutions to be claims aware and participate in Single Sign-on.
    6. Design and develop all solutions to utilize role-based security.
    7. Provide work necessary for the initial on-boarding of users to the new solutions, which shall include, but not be limited to, working with the CHFS Security Team to compile, provide data mapping including initial User Provisioning information via KEUPS for all existing internal users.
    8. Design, map, integrate and test solution environments with the KEUPS environment including performance testing.
8. Commonwealth KEUPS Security Responsibilities:
    1. The Commonwealth will assure all relevant modifications to KEUPS are made.
    2. The Commonwealth will participate in meetings and JAD sessions as necessary.
