The InCommon Assurance Program
Good security and identity practices help ensure that an individual using an electronic credential is the person you think it is. For Service Providers in an identity federation, having Identity Provider Operators support a standard practice set (or profile) can mitigate the risk of service compromise. For Identity Providers it is a way to provide single sign-on access to applications requiring an increased level of confidence in a credential.
Benefits for You
- Campus IAM Benchmark — Demonstrate value and confidence to campus stakeholders and service providers by comparing campus IAM operations with Bronze or Silver.
- Process for evolving our profiles — When the community approves alternative means that meet or exceed the assurance criteria, those alternatives become part of the spec and, thus, useable by others.
- Simplified Bronze — Just sign the agreement and go. No audit required.
- U.S. government-approved flexibility — You now have the flexibility to propose alternative approaches for meeting the assurance criteria, with community authority for approval (via the Assurance Advisory Committee).
Assurance Addendum to the InCommon Participation Agreement
Identity Assurance Assessment Framework (IAAF)
Identity Assurance Profiles (IAP)
Virginia Tech has shared its implementation story. Consider joining Virginia Tech on the U.S. government approved identity providers page.
Benefits of Assurance
Increases Confidence; Reduces Risk — Service Provider and stakeholders, whether on- or off-campus, have increased confidence because standards-based identity practices ensure that their risk requirements are met.
Getting Past Passwords — While many security experts deem passwords a thing of the past, we will continue to support them, even as we move to more secure methods. The Assurance profiles provide expert community guidance on managing your password-based infrastructures. Certification sends a message that you use a community standard that’s been approved by the U.S. government.
It’s not NIST 800-63. It’s Higher Ed’s Version — InCommon’s profiles are written by higher education for higher education and account for the unique needs and broad diversity of our campuses. The profiles are also comparable to level of assurance 1 and 2 described in the NIST 800-63 Electronic Authentication Guideline [PDF], meaning they meet the U.S. government's standards, as well.
Saves Time When Adding New Customers — Service Providers can rely on community-accepted standards in assessing Identity Provider systems, eliminating the burden of individual campus assessments. This will greatly reduce the time required to add new certified Identity Providers.
Access to Higher-Value Services — Certified Identity Providers can provide federated access to financial and health-related applications, sensitive research information, and other services that require greater confidence in an identity.
Protects Your Investment — InCommon is an approved Trust Framework Provider under the U.S. Identity, Credential, and Access Management Trust Framework Program. You’re one among many using this program.
Bronze, comparable to NIST Level of Assurance 1, provides reasonable assurance that a particular credential represents the same person each time it is used. Bronze is roughly the same confidence associated with common Internet identity.
Silver, equivalent to NIST Level of Assurance 2, has identity-proofing requirements that provide reasonable assurance of individual identity. Silver provides a security level roughly appropriate for basic financial transactions.
Need Detailed Information?
We recommend starting with the Program Components page to delve into the details.