NIEF Employer ORI Attribute, v1.0

Specifies requirements for Identity Provider Organizations (IDPOs) that wish to assert Employer Originating Agency Identifier (ORI) codes on behalf of their users. Note that all ORI codes asserted by IDPOs in association with trustmarks issued under this TD should be approved by the Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division.

Assessment Steps (2)

Usage (Usage)
Does the organization correctly assert the ORI attribute in accordance with the established attribute format rules for the Federated ICAM protocol(s) and conformance or interoperability profile(s) that it uses? Also, does the organization appear to assert attribute values correctly for this attribute?
Provide a sample of a technical protocol assertion (e.g., JSON, XML, SAML, OIDC, etc.) correctly using this attribute.
Provenance (Provenance)
Has the organization provided all ORI codes it will assert for this attribute, and have all codes been validated?
ORI Code List
A list of all ORI codes the IDPO will assert for their users. This may be a single organizational ORI code, but many IDPOs support users from numerous Law Enforcement Agencies. In this case the IDP should provide a list of all supported agency ORIs and the assessor should validate that list.

Conformance Criteria (1)

Attribute Validity
When asserting an Employer Originating Agency Identifier (ORI) on behalf of a user, an IDPO or APO shall assert the attribute name correctly, as stipulated in the attribute definition at In addition, an IDPO or APO shall assert ORI attribute values in a manner that: (1) conforms to FBI CJIS ORI attribute value format requirements, and (2) faithfully and accurately conveys the latest Employer ORI information currently known by the IDPO or APO about the user.