This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] ([FAL]) describes aspects of the [assertion] and [federation] [protocol] used in a given transaction.
[{$pagename}] provides a [Level Of Assurance] for a [federation].
[{$pagename}]s can be requested by a [Relying Party] or required by configuration of both the [Relying Party] and the [Identity Provider (IDP)] for a given transaction.
[{$pagename}] combines aspects of assertion protection and assertion presentation into an ordinal measurement scale applicable across different federation models. All assertions [SHALL] comply with the requirements in Section 5. While many other combinations of factors are possible, this list is intended to provide clear implementation recommendations representing increasingly secure deployment choices. Combinations of aspects not found in the FAL table are possible but outside the scope of this document.
This table presents different requirements depending on whether the assertion is presented through either the front channel or the back channel (via an assertion reference). Each successive level subsumes and fulfills all requirements of lower levels. Federations presented through a proxy SHALL be represented by the lowest level used during the proxied transaction.

Table 7-1. Federation Assertion Levels
%%zebra-table
%%sortable
%%table-filter
||FAL||Requirement
|[FAL 1]|[Bearer] [Assertion], signed by [Identity Provider (IDP)].
|[FAL 2]|[Bearer] [Assertion], signed by [Identity Provider (IDP)] and [encrypted|Encryption] to [Relying Party].
|[FAL 3]|[Holder-of-Key] [Assertion], signed by [Identity Provider (IDP)] and [encrypted|Encryption] to [Relying Party].
/%
/%
/%
Regardless of what is requested or required by the [protocol], the [{$pagename}] in use is easily detected by the [Relying Party] by observing the nature of the assertion as it is presented as part of the [federation] protocol. Therefore, the [Relying Party] is responsible for determining which [{$pagename}]s it is willing to accept for a given [authentication] transaction and ensuring that the transaction meets the requirements of that [{$pagename}].
If the [Relying Party] is using a front-channel presentation mechanism (e.g., the [OpenID Connect] [Implicit Grant] Client profile or the [SAML] Web [SSO] profile), it [SHOULD] require [FAL 2] or greater in order to protect the information in the assertion from the [browser] or other parties in the transaction.
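The following is an added worked example, not code from the wiki or from NIST: it shows how a [Relying Party] can derive the [{$pagename}] in use from the properties of the assertion as presented (Table 7-1), apply the "lowest level in a proxied transaction" rule, and enforce its own acceptance policy including the front-channel recommendation above. The ''ObservedAssertion'' structure, its field names and the helper function names are assumptions made for this example; the level definitions come from Table 7-1.

```python
"""Added example (not part of the wiki page or NIST SP 800-63C):
derive the FAL of an assertion from what the RP observes and enforce policy.

Assumption: the RP has already verified the IdP signature, decrypted the
assertion if it was encrypted, and checked any holder-of-key proof; this
code only consumes the outcome of those checks.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ObservedAssertion:
    """What the RP can observe about one presented assertion (assumed fields)."""
    signed_by_idp: bool      # signature verified against the IdP's key
    encrypted_to_rp: bool    # assertion was encrypted to the RP's key
    holder_of_key: bool      # subscriber proved possession of the bound key
    front_channel: bool      # presented via the browser (implicit / Web SSO)


def classify_fal(a: ObservedAssertion) -> Optional[int]:
    """Map observed properties to the highest FAL row whose requirements are all met.

    Returns None when not even FAL 1 is met (no IdP signature).  Combinations
    outside Table 7-1 (e.g. holder-of-key but unencrypted) fall to the highest
    row they fully satisfy; that treatment is an assumption of this example.
    """
    if not a.signed_by_idp:
        return None          # every FAL requires the IdP signature
    if not a.encrypted_to_rp:
        return 1             # bearer assertion, signed only
    if not a.holder_of_key:
        return 2             # bearer assertion, signed and encrypted to the RP
    return 3                 # holder-of-key assertion, signed and encrypted


def proxied_fal(hops: List[ObservedAssertion]) -> Optional[int]:
    """A federation presented through a proxy is represented by the lowest
    level used in any hop of the proxied transaction."""
    levels = [classify_fal(h) for h in hops]
    if not levels or any(level is None for level in levels):
        return None
    return min(levels)


def rp_accepts(a: ObservedAssertion, required_fal: int) -> Tuple[bool, str]:
    """Decide whether the RP accepts the assertion for a transaction that its
    configuration says needs `required_fal`.  For front-channel presentation
    the RP SHOULD require at least FAL 2, so the effective requirement is raised."""
    observed = classify_fal(a)
    if observed is None:
        return False, "assertion is not signed by the IdP (below FAL 1)"
    effective = max(required_fal, 2) if a.front_channel else required_fal
    if observed < effective:
        return False, f"observed FAL {observed} is below required FAL {effective}"
    return True, f"observed FAL {observed} meets required FAL {effective}"


if __name__ == "__main__":
    # Constructed sample: a signed-only assertion pushed through the browser.
    implicit_flow = ObservedAssertion(signed_by_idp=True, encrypted_to_rp=False,
                                      holder_of_key=False, front_channel=True)
    print(classify_fal(implicit_flow), rp_accepts(implicit_flow, required_fal=1))
```

The ordering of the checks in ''classify_fal'' encodes the subsumption rule: an assertion can only reach FAL 3 if it also meets everything FAL 2 and FAL 1 demand. ''rp_accepts'' shows why the RP, not the IdP, is the party that must gate on FAL: the same signed bearer assertion is fine for a back-channel FAL 1 transaction but is rejected when it arrives through the front channel, because the RP's policy raises the floor to FAL 2.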
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Federation Assurance Level (FAL)|https://pages.nist.gov/800-63-3/sp800-63c.html#fal|target='_blank'] - based on information obtained 2018-05-07