The InCommon Assurance Program
Good security and identity practices help ensure that individuals using an electronic credential are who they say they are. The InCommon Identity Assurance Program certifies qualifying Identity Provider Operators at campuses, research organizations, and non-profit organizations that support InCommon requirements for consistent management of digital identities.
Identity Provider Operators can use these assurance standards to benchmark their Identity and Access Management processes, as well as to provide an increased level of confidence to their Service Provider partners.
InCommon offers two assurance profiles:
- Bronze, with a security level that slightly exceeds the confidence associated with a common Internet identity
- Silver, with a security level appropriate for financial transactions
For Service Providers - Service Providers reduce risk when Identity Providers adopt a set of standard identity and electronic credential practices that meet the service’s risk requirements. Higher-risk applications (such as those involving financial or medical data) require a greater level of trust in the Identity Provider’s authentication and identity management system.
For Identity Providers - Supporting assurance profiles is a way to benchmark campus IAM operations and provide single sign-on access to applications requiring an increased level of trust and identity vetting.
How Does it Work?
The InCommon community has developed and published the Bronze and Silver profiles, which define the specific criteria an Identity Provider must meet to become certified. An Identity Provider incorporates these criteria into its identity and access management system.
In the case of Bronze, the Identity Provider can either conduct an audit to prove compliance with the profile or can simply sign a statement (self-assert) that it meets the criteria.
Silver requires an audit, which can typically be done by an internal auditor not directly associated with the IT operation.
Who is Certified?
InCommon maintains a list of Identity Providers certified for Bronze and Silver.
Bronze, comparable to NIST Level of Assurance 1, provides reasonable assurance that a particular credential represents the same person each time it is used. Bronze provides roughly the same confidence as that associated with a common Internet identity.
Silver, equivalent to NIST Level of Assurance 2, has identity-proofing requirements that provide reasonable assurance of individual identity. Silver provides a security level roughly appropriate for basic financial transactions.
Need Detailed Information?
We recommend starting with the Program Components page to delve into the details.