The goal of this NSTIC Pilot

Last week, there was a lot of press around the announcement of this year's NSTIC pilots. Here at Gluu, we are excited to participate in one of these projects, and are hopeful that it will be a nice showcase for free open source software and the power of open standards for security. The goal of this blog post is to shed some light on how the Gluu Server will help this project come to life. Note: these are my thoughts as CEO of Gluu, and don't necessarily reflect the opinion of MorphoTrust (the lead contractor), NIST, the State of North Carolina, or any of the other contractors.

So what is this pilot about? In my opinion, it's about one thing: electronic enrollment. You can think of enrollment as a kind of online registration. You know the drill: you need an account on a website, you fill out a form, pick a password, solve a CAPTCHA, perhaps validate your email, and you're off to the races.

However, this ritual has a fundamental weakness: there is no strong link to an actual person. With a plethora of ways for hackers (or your friends) to figure out your password, control of an email account provides little assurance that the actual person filled out the registration form. In identity geek parlance, "identity proofing" is the process of correlating a person to an electronic credential. Email validation is a very weak form of identity proofing, sufficient only for low value transactions.

Where are we today?

Today, in many situations, identity proofing requires you to show a printed government issued ID. As a person needs to transact more important business online, the strength of that identity proofing process also needs to increase. Here is an extreme example, but it makes the point. Recently I was issued a US Dept. of Interior smart card. It was a real pain in the neck. I had to drive from Austin to Temple, TX, 70 miles north; this was the nearest DOI office authorized to issue these cards. I presented two forms of valid ID. At that meeting, they collected high quality biometrics (fingerprint and photo). Subsequently I was interviewed by the FBI at my office, and I provided contact information for my family and childhood friends. After background checks, my ID was ready. I asked for it to be FedEx'd. No way... I had to drive 70 miles back to Temple, TX, where they verified the previously collected biometrics. And after some chit-chat, I was handed my smart card, 280 miles and four hours of driving later. I'll say one thing: they were pretty darn sure that they handed that ID to Michael Schwartz. But it was an expensive and inconvenient process.

The North Carolina Food and Nutrition Services Program also needs to issue electronic credentials to citizens online. As I understand it, some people in North Carolina who need the benefits offered by this program may live quite far from a physical office. Wouldn't it be great if there was some way we could save them the drive? There are many reasons why this makes sense. But there is one problem: today there is no alternative to the in-person identity proof.

How will this Pilot help?

The magic in this pilot would be to develop an alternative to the in-person identity proof by leveraging the sensors of a mobile device. Can the camera of a mobile device collect enough data to identify me as well as a person could? It's not that far-fetched, especially for me (now that I've passed 40, let's just say my visual acuity isn't what it used to be...). A precedent for electronic, non-in-person enrollment just doesn't exist. But once it does, many services that require in-person identity proofing, like voting, would have a better chance of moving online.

So what is the Gluu Server going to do to help make this magic happen? For those who have never heard of Gluu, we publish free open source Internet security software that universities, government agencies and companies use to enable Web and mobile applications to securely identify a person and manage what information that person is allowed to access.

In this pilot, there are two critical authentication events. The first is enrollment: the first time you enroll, we need to identify you using information gathered from the mobile device, compared against information held by the State of North Carolina, together with other contextual information (like your location). This step might be a little inconvenient, but it may save you hours of driving! After this initial identity proofing, we will use cryptographic techniques to let you re-authenticate very conveniently, without even using a password.

The algorithms that do this identification (the image processing, for example) and detect fraud are proprietary. I understand that these will be supplied by MorphoTrust and the University of Texas Identity Center. The Gluu Server communicates with the mobile device on one side, and with the servers that analyze the data inside the secured state environment on the other. It is the "glue" (no pun intended) between the mobile device and the backend identification engine.

In conclusion…

Identifying a person is only half the battle. The second half is authorizing the person to access certain protected APIs, which the mobile application will use to do its business. The Gluu Server provides a way for a domain (in this case the State of North Carolina) to define policies that control which people, using which devices, can access which APIs. IT veterans may not be impressed: Oracle, IBM, and Computer Associates all have software that can perform this function. However, the Gluu Server is the only free open source platform that uses open standards to enable centralized access management.
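To make the two halves concrete (the enrollment-then-passwordless re-authentication described above, and the "which people, using which devices, can access which APIs" policy), here is an added illustrative example. It is not Gluu Server code and not the pilot's actual protocol; the design is assumed: enrollment happens only after identity proofing succeeded and binds a fresh random key to the proofed person's device, recording the assurance level that proofing reached; re-authentication is a one-time nonce challenge the device answers with an HMAC over (nonce, device id), so no password is ever typed or sent; and authorization is a small policy decision point mapping each API scope to a minimum assurance level, with lost devices revocable without touching the person. The scope names, assurance levels, nonce lifetime and the "citizen-42" user are constructed for the example. A real deployment would use a per-device asymmetric key pair with the server holding only the public key; HMAC is used here only to keep the example standard-library only.

```python
"""Device-bound re-authentication plus an API access policy (illustrative only).

Assumed design, not Gluu Server code: enroll() binds a device key to an
identity-proofed person; challenge()/authenticate() do a one-time nonce
challenge answered with HMAC-SHA256; authorize() is a tiny policy decision
point over (person's assurance level, device, API scope).
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_MAX_AGE = 60  # seconds a nonce stays valid (assumed value)


def _mac(key, device_id, nonce):
    # Binds the answer to both the nonce and the device identity.
    return hmac.new(key, nonce + device_id.encode(), hashlib.sha256).digest()


def device_respond(key, device_id, nonce):
    """What the phone computes for a challenge; no password is involved."""
    return _mac(key, device_id, nonce)


class IdentityServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.devices = {}     # device_id -> {"user", "key", "level", "active"}
        self.challenges = {}  # nonce -> (device_id, issued_at)
        # Assumed policy: API scope -> minimum assurance level required.
        self.policy = {"benefits:read": 2, "benefits:apply": 3}

    def enroll(self, user, assurance_level):
        """Call only after identity proofing succeeded. Returns (device_id, key);
        the key is handed to the device (a real system would store only a public key)."""
        device_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.devices[device_id] = {"user": user, "key": key,
                                   "level": assurance_level, "active": True}
        return device_id, key

    def revoke(self, device_id):
        """Lost or compromised phone: cut the device binding, keep the person."""
        if device_id in self.devices:
            self.devices[device_id]["active"] = False

    def challenge(self, device_id):
        """Issue a fresh one-time nonce for an active device, else None."""
        rec = self.devices.get(device_id)
        if rec is None or not rec["active"]:
            return None
        nonce = secrets.token_bytes(16)
        self.challenges[nonce] = (device_id, self.clock())
        return nonce

    def authenticate(self, device_id, nonce, response):
        """Verify the device's answer; returns a session dict or None.
        The nonce is popped first, so a replayed answer fails even if it was once valid."""
        issued = self.challenges.pop(nonce, None)
        if issued is None or issued[0] != device_id:
            return None
        if self.clock() - issued[1] > CHALLENGE_MAX_AGE:
            return None  # stale challenge
        rec = self.devices[device_id]
        if not rec["active"]:
            return None
        if not hmac.compare_digest(_mac(rec["key"], device_id, nonce), response):
            return None
        return {"user": rec["user"], "device": device_id, "level": rec["level"]}

    def authorize(self, session, scope):
        """Policy decision: may this session call an API with this scope?"""
        required = self.policy.get(scope)
        if session is None or required is None:
            return False
        return session["level"] >= required


def demo():
    """Enrollment, good re-auth, replay, wrong key, stale nonce, policy, revocation."""
    now = [1_000_000.0]                               # fake clock for the stale case
    server = IdentityServer(clock=lambda: now[0])
    dev, key = server.enroll("citizen-42", assurance_level=3)  # constructed user

    nonce = server.challenge(dev)
    session = server.authenticate(dev, nonce, device_respond(key, dev, nonce))
    replay = server.authenticate(dev, nonce, device_respond(key, dev, nonce))
    nonce = server.challenge(dev)
    wrong = server.authenticate(dev, nonce, device_respond(b"\0" * 32, dev, nonce))
    nonce = server.challenge(dev)
    now[0] += CHALLENGE_MAX_AGE + 1
    stale = server.authenticate(dev, nonce, device_respond(key, dev, nonce))

    results = {"session_user": session["user"] if session else None,
               "replay_rejected": replay is None, "wrong_key_rejected": wrong is None,
               "stale_rejected": stale is None,
               "can_apply": server.authorize(session, "benefits:apply")}
    server.revoke(dev)
    results["revoked_no_challenge"] = server.challenge(dev) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that the expensive, proofing-strength check happens once, at enroll(), and everything after it rides on possession of the device key plus a fresh nonce; the policy layer then decides per API scope, so a lower-assurance enrollment can still read benefits information while applying requires the stronger proof.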

Ultimately, the vision of Gluu and the vision of NSTIC are aligned: to make the Internet a safer place. It's an honor to participate in such an effort, and we're looking forward to serving the citizens of North Carolina to the best of our ability.

  • =david.l.woolfenden

    Mike, nice story, can you comment on the specific standards that your Gluu Server is supporting for this project?

    • William Lowe

      Hey David, the Gluu Server includes a SAML and OpenID Connect IDP and an UMA Policy Decision Point (PDP). The server also supports the SCIM protocol. You can learn more at

      • =david.l.woolfenden

        William, Hello and thanks for the insight into Gluu Server supported protocols/standards. I am really trying to understand, specifically, which protocols/standards are in use on this NSTIC Pilot project. Is it OpenID based or not?

        • William Lowe

          OpenID Connect and UMA will be the main focus. SAML will be used if necessary.