Assurance for Service Providers
Information for Service Providers
The InCommon Assurance Program enables Service Providers to reduce their risk by requiring Identity Providers to adopt a set of standard identity and electronic credential practices that meet service risk requirements.
Am I eligible?
- To request InCommon Identity Assurance Qualifiers from a certified Identity Provider, a Service Provider must be an InCommon Participant.
What do I have to do?
- Determine which Identity Assurance Profile aligns with your risk assessment. For guidance with this step, you can use E-Authentication Guidance for Federal Agencies [PDF], which provides a process for determining whether your service warrants requesting 800-63 Level 1 (InCommon Bronze) or Level 2 (InCommon Silver). NIST levels 3 and 4 are not supported by InCommon at this time.
- Configure your SAML software to use SAML V2.0’s AuthnContext mechanism, check InCommon metadata for official Identity Assurance Qualifiers at runtime, and to handle errors in the event the IdP can not satisfy your assurance requirements. For more information, see Assurance Technical Implementation Considerations on the wiki.
- Notify InCommon of your intent to request Bronze or Silver Profiles, by sending your contact information to admin AT incommon.org. You will be added to an email list to keep you up to date on developments and changes in the Assurance Program.