Assurance for Service Providers
Why Assurance?
The InCommon Assurance Program enables Service Providers to reduce their risk by requiring Identity Providers to adopt a set of standard identity and electronic credential practices that meet service risk requirements.
Framework and Profiles
InCommon offers two profiles, Bronze and Silver, comparable to NIST 800-63 Level of Assurance 1 and 2, respectively.
- The Identity Assurance Assessment Framework gives an overall description of the program.
- The Identity Assurance Profiles provide information about Identity Provider requirements.
For information about the specifics of the Certification Program, see the InCommon Federation Operating Policies and Practices.
Am I eligible? What does it cost?
- A Service Provider must be an InCommon Participant.
- There are no fees for Service Providers at this time.
What do I have to do?
- Determine which Identity Assurance Profile aligns with your risk assessment. For guidance with this step, you can use E-Authentication Guidance for Federal Agencies [PDF], which provides a process for determining whether your service warrants requesting 800-63 Level 1 (InCommon Bronze) or Level 2 (InCommon Silver). NIST levels 3 and 4 are not supported by InCommon at this time.
- Configure your SAML software to use SAML V2.0’s AuthnContext mechanism, to check InCommon Metadata for official Identity Assurance Qualifiers at runtime, and to handle errors in the event the IdP cannot satisfy your assurance requirements. For more information, see Assurance Technical Implementation Considerations on the wiki.
- Notify InCommon of your intent to request Bronze or Silver Profiles by sending your contact information to admin AT incommon.org. You will be added to an email list to keep you up to date on developments and changes in the Assurance Program.
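The runtime check from the SAML configuration step above, sketched as an added example (not InCommon's or any SAML product's own code): the SP accepts a login only when the assertion's AuthnContext claims the required profile and the federation metadata lists the same qualifier for the issuing IdP. The qualifier URIs and the `assurance-certification` entity attribute name are assumptions to confirm against the wiki, the metadata and assertions are constructed samples, and signature validation is assumed to have been done by your SAML software beforehand.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"  # assumed name
BRONZE = "http://id.incommon.org/assurance/bronze"  # assumed qualifier URIs;
SILVER = "http://id.incommon.org/assurance/silver"  # confirm against the wiki

class AssuranceError(Exception):
    """The IdP cannot satisfy the required assurance profile."""

def certified_qualifiers(metadata_xml, entity_id):
    """Return the assurance qualifiers the federation metadata lists for an IdP."""
    for ent in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ent.get("entityID") == entity_id:
            attrs = ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            return {(v.text or "").strip() for a in attrs if a.get("Name") == CERT_ATTR
                    for v in a.findall("saml:AttributeValue", NS)}
    return set()

def check_assurance(assertion_xml, metadata_xml, required):
    """Accept only if the assertion claims `required` AND metadata certifies the issuer."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", "", NS) or "").strip()
    claimed = {(c.text or "").strip() for c in root.iterfind(".//saml:AuthnContextClassRef", NS)}
    if required not in claimed:
        raise AssuranceError(f"{issuer}: assertion does not claim {required}")
    if required not in certified_qualifiers(metadata_xml, issuer):
        raise AssuranceError(f"{issuer}: not certified for {required} in metadata")
    return issuer

# Constructed sample data: one certified IdP, one uncertified IdP.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://idp.certified.example/idp">
    <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{CERT_ATTR}">
      <saml:AttributeValue>{BRONZE}</saml:AttributeValue>
      <saml:AttributeValue>{SILVER}</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uncertified.example/idp"/>
</md:EntitiesDescriptor>"""

def sample_assertion(issuer, class_ref):
    """Build a minimal constructed assertion (signature handling omitted)."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Issuer>{issuer}</saml:Issuer>'
            f"<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
            "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
            "</saml:Assertion>")
```

Checking the metadata as well as the assertion matters because the AuthnContext value alone is only the IdP's own claim; the metadata qualifier is what records the certification.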