We’ve been building a robust Zero Trust architecture from the ground up, focusing on individual organizational capabilities like user inventory, authentication, dynamic access, PAM, and lifecycle management. Now, for large, distributed environments like the DoD and other federal agencies, it’s time to knit these capabilities together into a cohesive, enterprise-wide fabric. This is the critical undertaking of Zero Trust Activity 1.9.1 Enterprise PKI/IDP Pt1. 

This activity marks a major step towards a unified identity posture by mandating the implementation of an Enterprise Public Key Infrastructure (PKI) and an Enterprise Identity Provider (IdP) platform.

The vision is for a centralized or federated PKI built on a trusted Enterprise-level Root Certificate Authority (CA), with Component PKI CAs integrating into this hierarchy. Simultaneously, an Enterprise IdP platform is established – either as a single solution or a federated network of Component IdPs – providing a standard level of access and a standardized set of attributes across the enterprise, with Component IdPs integrating into this platform. 

This is a strategic move to create a common, trusted identity layer across the entire organization. The outcomes reflect this broad scope: 

  1. Enterprise PE & NPE CONOPS, taxonomy, and naming standards are developed. 
  2. Component Certificate Authorities (CAs) are integrated with the DoD PKI hierarchy. 
  3. Enterprise-level requirements are implemented, including mandated user attributes for a validated and verified Enterprise Identity Provider (IdP) platform. 
  4. An enterprise-wide IdP platform is implemented, either as a single solution or through integration of multiple solutions. 

The ultimate End State envisioned is powerful: All PEs (Person Entities) and NPEs (Non-Person Entities) are issued a validated and verified digital identity that can be tracked at the Enterprise level using the strongest authentication available. This unified identity, backed by strong PKI and managed by a central IdP, becomes the bedrock for enforcing Zero Trust policies across the entire enterprise. 

Solutions and Key Considerations for Achieving Enterprise PKI/IDP Pt1 

Implementing Activity 1.9.1 requires a high degree of coordination, standardization, and technical integration across the enterprise: 

Establishing Enterprise PKI: 

  • Define Enterprise Root CA Hierarchy: Design and implement a robust, secure, and highly available Enterprise Root CA and subordinate CA hierarchy. This is the trust anchor for all certificates issued within the enterprise. 
  • Integrate Component CAs: Develop and execute a plan to technically integrate existing Component PKI CAs with the new Enterprise PKI hierarchy. This involves cross-certification or issuing certificates from the Enterprise CA to the Component CAs. 
  • Standardize Certificate Profiles: Define enterprise-wide standards for certificate profiles, key usage, and lifecycle management. 
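The three bullets above describe one mechanism: a Component CA is "integrated" when its CA certificate is issued by (or cross-certified from) the Enterprise Root, and the certificate profile is what limits what each tier may sign. The following Go program is an added example, not code from the page or from any DoD PKI; all CA names, the ten-year/one-year validity periods, and the P-256 key choice are constructed for illustration. It builds an Enterprise Root CA with a path-length constraint of 1, subordinates a Component CA to it with a path-length constraint of 0 (end-entity issuance only), issues a PE authentication certificate from the Component CA, and then performs the relying-party check: trust only the Enterprise Root, and require the leaf to chain to it through the Component CA. A second, never-subordinated Component CA is built to show that its certificates fail that same check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a two-tier enterprise PKI: an Enterprise Root CA with one Component CA subordinated to it.
type Hierarchy struct {
	Root, Component *x509.Certificate
	compKey         *ecdsa.PrivateKey
}

func randSerial() *big.Int {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	return n.Add(n, big.NewInt(1)) // random, positive, 120-bit serial
}

// caProfile is the enterprise-standard CA profile; pathLen 0 pins a Component CA to end-entity issuance only.
func caProfile(cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          randSerial(),
		Subject:               pkix.Name{Organization: []string{"Example Enterprise"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue generates a fresh P-256 key for template and has signer (the parent CA) sign it; nil signer = self-signed Root.
func issue(template, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy creates the Enterprise Root (pathLen 1) and integrates a Component CA by issuing its CA certificate from that Root.
func BuildHierarchy(componentName string) (*Hierarchy, error) {
	root, rootKey, err := issue(caProfile("Example Enterprise Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	comp, compKey, err := issue(caProfile(componentName, 0), root, rootKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Component: comp, compKey: compKey}, nil
}

// IssueUserCert has the Component CA issue a PE authentication certificate
// under the enterprise-standard end-entity profile.
func (h *Hierarchy) IssueUserCert(cn string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: randSerial(),
		Subject:      pkix.Name{Organization: []string{"Example Enterprise"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, h.Component, h.compKey)
	return cert, err
}

// VerifyAgainstRoot is the relying-party check: trust only the Enterprise Root and
// treat Component CAs as untrusted intermediates that must chain to it.
func VerifyAgainstRoot(root *x509.Certificate, intermediates []*x509.Certificate, leaf *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ent, _ := BuildHierarchy("Example Component A CA")
	stray, _ := BuildHierarchy("Example Stray CA") // a Component CA never subordinated to ent.Root
	user, _ := ent.IssueUserCert("jane.doe")
	strayUser, _ := stray.IssueUserCert("jane.doe")
	fmt.Println("integrated Component CA:", VerifyAgainstRoot(ent.Root, []*x509.Certificate{ent.Component}, user))
	fmt.Println("un-integrated Component CA:", VerifyAgainstRoot(ent.Root, []*x509.Certificate{stray.Component}, strayUser))
}
```

The relying party never adds Component CAs to its trust store; they are supplied only as untrusted intermediates, so the one decision that matters enterprise-wide is which Root is trusted. The path-length constraints are the profile-level control that stops a Component CA from quietly creating further tiers of the hierarchy.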

Implementing the Enterprise IdP Platform: 

  • Choose a Platform Model: Decide whether to implement a single, centralized IdP solution for the entire enterprise or to build a federated model connecting existing Component IdPs. The decision will depend on the enterprise’s size, complexity, and existing infrastructure. 
  • Implement the Chosen Platform: Deploy the selected Enterprise IdP solution (or configure the federation infrastructure). This platform will be responsible for managing enterprise-level identities, attributes, and potentially acting as the central authentication authority or coordinating authentication across federated domains. 
  • Integrate Component IdPs: If a federated model is chosen, establish trust relationships and configure technical integrations between the Enterprise IdP platform and existing Component IdPs. This typically involves using standards like SAML or OIDC for inter-IdP communication. 

Developing Enterprise Identity Standards: 

  • Define CONOPS, Taxonomy, and Naming Standards: This is a critical governance activity. Develop enterprise-wide Concepts of Operations (CONOPS) for identity management, a standardized taxonomy for identity types (PE, NPE, device, service), and consistent naming conventions for identities, groups, and attributes. 
  • Mandate User Attributes: Define the set of mandated user attributes that will be considered authoritative at the enterprise level and required within the Enterprise IdP platform for all identities. These attributes will be crucial for enterprise-wide authorization policies. 

Integrating Component IdPs with the Enterprise IdP (Technical): 

Beyond establishing trust, configure the technical flows for identity synchronization (where applicable) and authentication routing between Component IdPs and the Enterprise IdP platform. This ensures a consistent authentication experience and the availability of standardized attributes across the enterprise. 
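The federated IdP model described in the "Implementing the Enterprise IdP Platform" bullets, the mandated attribute set from "Developing Enterprise Identity Standards", and the authentication routing in the paragraph above all meet at one point: the Enterprise IdP accepting an assertion from a Component IdP. The following Go program is an added example, not code from the page or from any DoD or vendor IdP; it assumes an OIDC-style flow in which a Component IdP signs an RS256 ID token and the Enterprise IdP verifies it. The issuer URLs, the audience value, and the attribute names `identity_type`, `affiliation` and `organization` are constructed placeholders standing in for whatever attributes the enterprise actually mandates. The Enterprise side checks, in order, that the token comes from a Component IdP in the federation (issuer registered with a known key), that its signature verifies under that key, that it is addressed to this IdP and has not expired, and only then that the identity carries every mandated attribute, failing closed on any gap.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Federation is the Enterprise IdP's trust configuration for its Component IdPs.
type Federation struct {
	TrustedIssuers     map[string]*rsa.PublicKey // issuer URL -> that Component IdP's signing key
	Audience           string                    // the value every token's "aud" must carry
	MandatedAttributes []string                  // the enterprise-standard attribute set
}

// EnterpriseIdentity is the standardized record the Enterprise IdP emits.
type EnterpriseIdentity struct {
	Issuer, Subject string
	Attributes      map[string]string
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// rs256Header is the only JOSE header this federation accepts, compared byte for byte.
var rs256Header = b64([]byte(`{"alg":"RS256","typ":"JWT"}`))

// NewSigningKey generates a Component IdP signing key.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignToken is the Component IdP side: mint a compact RS256 ID token over claims.
func SignToken(claims map[string]interface{}, key *rsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(claims) // strings and integers always marshal
	input := rs256Header + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// AcceptToken is the Enterprise IdP side. No claim is acted on until the signature
// verifies under the key registered for the issuer the token names.
func (f *Federation) AcceptToken(token string, now time.Time) (*EnterpriseIdentity, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != rs256Header {
		return nil, fmt.Errorf("malformed token or unexpected header")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]interface{}
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("undecodable payload")
	}
	iss, _ := claims["iss"].(string)
	pub, ok := f.TrustedIssuers[iss]
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", iss)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // garbage simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed for issuer %q", iss)
	}
	if aud, _ := claims["aud"].(string); aud != f.Audience {
		return nil, fmt.Errorf("audience %q is not this IdP", aud)
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token has no exp or has expired")
	}
	// Enforce the enterprise attribute standard: every mandated attribute present and non-empty.
	attrs := make(map[string]string, len(f.MandatedAttributes))
	for _, name := range f.MandatedAttributes {
		v, _ := claims[name].(string)
		if v == "" {
			return nil, fmt.Errorf("component identity lacks mandated attribute %q", name)
		}
		attrs[name] = v
	}
	sub, _ := claims["sub"].(string)
	return &EnterpriseIdentity{Issuer: iss, Subject: sub, Attributes: attrs}, nil
}

func main() {
	key, _ := NewSigningKey() // constructed Component IdP; attribute names below are examples, not the DoD's
	f := &Federation{TrustedIssuers: map[string]*rsa.PublicKey{"https://idp.component-a.example": &key.PublicKey},
		Audience: "https://idp.enterprise.example", MandatedAttributes: []string{"identity_type", "affiliation", "organization"}}
	tok, _ := SignToken(map[string]interface{}{"iss": "https://idp.component-a.example", "sub": "jane.doe",
		"aud": f.Audience, "exp": time.Now().Add(5 * time.Minute).Unix(),
		"identity_type": "PE", "affiliation": "civilian", "organization": "Component A"}, key)
	id, err := f.AcceptToken(tok, time.Now())
	fmt.Printf("%+v %v\n", id, err)
}
```

Two design points carry over to real deployments regardless of library: the signing key is looked up from the issuer the federation has already registered, never from anything inside the token, and the accepted header is pinned rather than letting the token's `alg` select the verification routine. The mandated-attribute loop is where the "standardized set of attributes across the enterprise" becomes enforceable: a Component IdP that has not been brought up to the enterprise standard produces identities the Enterprise IdP refuses to emit.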

Key Considerations: 

  • Governance and Standardization: This activity heavily relies on strong central governance to define and enforce standards across potentially autonomous organizational components. 
  • Interoperability: Ensuring seamless communication and trust between different PKI and IdP implementations from various vendors across the enterprise is a significant technical challenge. 
  • Data Synchronization and Consistency: Maintaining consistent identity data and attributes across federated or synchronized directories can be complex. 
  • Migration Strategy: Developing a phased approach to migrating components and applications to utilize the new Enterprise PKI and IdP is crucial for minimizing disruption. 
  • Integration Complexity: Integrating legacy Component PKIs and IdPs with new enterprise platforms can be technically challenging and may require custom development or specialized connectors. 

Pillar: User 

Capability: 1.9 Integrated ICAM Platform 

Activity: 1.9.1 Enterprise PKI/IDP Part 1 

Phase: Target Level  

Predecessor(s): None 

Successor(s): 1.9.2 Enterprise PKI/IdP Part 2 

Technology Partners