Federated identity transactions allow for a more secure and more usable internet by allowing subscribers to have a smaller number of accounts that can be used across many sites and applications, without using the same authenticator at multiple sites or applications. There are several major protocols that enable federation transactions, and a multitude of software packages and libraries that implement them. This document outlines what to look for in software that enables federation and how to apply best practices to that software to meet the requirements in SP 800-63C.
This document is intended to provide more direct technology discussion than SP 800-63C, which was written to be intentionally technology-agnostic. While this choice makes the SP 800-63 guidelines applicable across a wide array of technologies and circumstances, their abstract nature can make it difficult for implementers to understand what the document intends with regard to specific protocols or products. This guide is intended to provide more concrete information for implementers of these systems.
This document contains no normative requirements.
Note: These resources use the term IdP in a manner consistent with its use in SP 800-63C. Specifically, the IdP role is fulfilled by the CSP, and the RP is the receiver of the federated assertion.