Overview#Federation Assurance Level (FAL) describes aspects of the assertion and federation protocol used in a given transaction.
Federation Assurance Level combines aspects of assertion protection and assertion presentation into an ordinal measurement scale applicable across different federation models. All assertions SHALL comply with the requirements in Section 5. While many other combinations of factors are possible, this list is intended to provide clear implementation recommendations representing increasingly secure deployment choices. Combinations of aspects not found in the FAL table are possible but outside the scope of this document.
This table presents different requirements depending on whether the assertion is presented through either the front channel or the back channel (via an assertion reference). Each successive level subsumes and fulfills all requirements of lower levels. Federations presented through a proxy SHALL be represented by the lowest level used during the proxied transaction.
Table 7-1. Federation Assertion Levels
Regardless of what is requested or required by the protocol, the Federation Assurance Level in use is easily detected by the Relying Party by observing the nature of the assertion as it is presented as part of the federation protocol. Therefore, the Relying Party is responsible for determining which Federation Assurance Levels it is willing to accept for a given authentication transaction and ensuring that the transaction meets the requirements of that Federation Assurance Level.
If the Relying Party is using a front-channel presentation mechanism (e.g., the OpenID Connect Implicit Grant Client profile or the SAML Web SSO profile), it SHOULD require FAL 2 or greater in order to protect the information in the assertion from the browser or other parties in the transaction.