NIEF Assurance Level Attribute, v1.0
Specifies requirements for Identity Provider Organizations (IDPOs) that wish to assert National Identity Exchange Federation (NIEF) Federated ICAM assurance level attributes - specifically, Authenticator Assurance Level (AAL), Identity Assurance Level (IAL), and Federation Assurance Level (FAL) - on behalf of their users. Can also be used with other legacy NIEF assurance level attributes that pre-date the establishment of the current NIEF AAL, IAL, and FAL attributes.
Assessment Steps (2)
Does the organization correctly assert this assurance level attribute in accordance with the established attribute format rules for the Federated ICAM protocol(s) and conformance or interoperability profile(s) that it uses? Also, does the organization appear to assert attribute values correctly for this attribute?
Provide a sample of a technical protocol assertion (e.g., JSON, XML, SAML, OIDC, etc.) correctly using this attribute. Also provide additional description, screenshots, or artifacts that verify the correctness of the value(s) asserted.
ENUM_MULTI : Select the attributes that this CSP/IDP asserts for their users.
Has the organization demonstrated sufficient policies and/or procedures to be able to assert this attribute?
Provide policies or procedural documentation and/or screenshots to validate the organization's use of this assurance level. May also include links or references to earned 800-63-3 or 800-63-2 Trustmarks.
Conformance Criteria (1)
When asserting a Federated ICAM assurance level attribute on behalf of a user, an IDPO or APO shall assert the attribute name correctly, in accordance with the appropriate attribute definition. In addition, an IDPO or APO shall assert attribute values for the attribute in a manner that: (1) conforms to the attribute value format requirements stipulated in the appropriate attribute definition, and (2) faithfully and accurately conveys the latest information currently known by the IDPO or APO about the user's actual assurance level for the attribute, based on the IDPO's or APO's organizational policies and procedures and the user's current authentication event. In addition, the IDPO or APO should seek to earn additional trustmarks, as appropriate, based on the local policies and procedures used to earn this trustmark.