Federation - Authorization of RPs via Blacklist, v1.0

Identity Providers may establish a set of RPs via a blacklist with whom they do not interoperate.

Assessment Step

Blacklist RPs (BlacklistRPs)
Does the IdP utilize a blacklist of RPs that subscribers may not utilize even if requested by the subscriber?
Provide evidence (e.g. policies, compliance/assessment reports) that requests involving blacklisted RPs are handled correctly.

Conformance Criteria (1)

  • IdPs MAY also establish blacklists of RPs that the IdP will not transmit authentication or attributes to, even when requested by the subscriber.
  • The blacklist MUST identify prohibited RPs by a domain or other sufficiently unique identifier, depending on the federation protocol in use.
NIST SP 800-63C
Section 4.2, Paragraph 2
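As an added illustration of the two criteria above (this is example code written for this page, not part of the assessment framework or NIST SP 800-63C), the following IdP-side check keys the blacklist on the identifiers the federation protocol actually uses (an exact SAML entityID or OIDC client_id, or a registrable domain matched against the RP's identifier or redirect URI host) and denies release even when the subscriber has consented. The class, function names and the sample blacklist entries are all constructed for the example.

```python
"""Hypothetical IdP-side RP blacklist check (added example; names and
sample entries are constructed, not taken from any real deployment)."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class RpBlacklist:
    """Prohibited RPs, keyed the way the federation protocol identifies them.

    entity_ids: exact identifiers (e.g. a SAML entityID or an OIDC client_id).
    domains:    registrable domains; a host equal to, or a subdomain of, a
                listed domain is treated as the same prohibited RP.
    Display names are deliberately not a key: they are not unique.
    """
    entity_ids: frozenset
    domains: frozenset

    def _domain_blocked(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        # Suffix match only at a label boundary, so "notblocked.example"
        # is not caught by a "blocked.example" entry.
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def matches(self, rp_identifier: str,
                redirect_uri: Optional[str] = None) -> Optional[str]:
        """Return the blacklist entry that matched this RP, or None."""
        if rp_identifier in self.entity_ids:
            return rp_identifier
        # SAML entityIDs are commonly URLs, so also check their host.
        host = urlparse(rp_identifier).hostname
        if host and self._domain_blocked(host):
            return host
        # For OIDC/OAuth the registered redirect URI host identifies the RP.
        if redirect_uri:
            host = urlparse(redirect_uri).hostname
            if host and self._domain_blocked(host):
                return host
        return None


def authorize_release(blacklist: RpBlacklist, rp_identifier: str,
                      redirect_uri: Optional[str] = None,
                      subscriber_consented: bool = False) -> Tuple[str, str]:
    """Decide whether the IdP may send an assertion or attributes to this RP.

    Returns (decision, reason); the reason is what an audit log would record.
    """
    hit = blacklist.matches(rp_identifier, redirect_uri)
    if hit is not None:
        # The blacklist is checked before consent: a subscriber request
        # cannot override it (SP 800-63C 4.2 wording).
        return ("deny", "RP is blacklisted (matched entry %r)" % hit)
    if not subscriber_consented:
        return ("deny", "subscriber has not consented to this RP")
    return ("allow", "RP not blacklisted and subscriber consented")


# Constructed sample blacklist for the example.
BLACKLIST = RpBlacklist(
    entity_ids=frozenset({"https://sp.blocked.example/saml/metadata",
                          "client-7f3a"}),
    domains=frozenset({"blocked.example"}),
)

if __name__ == "__main__":
    for rp, uri in [("client-7f3a", None),
                    ("client-0001", "https://app.blocked.example/cb"),
                    ("client-0001", "https://notblocked.example/cb")]:
        print(rp, uri, authorize_release(BLACKLIST, rp, uri, True))
```

The domain comparison checks for a label boundary (`host == d` or `host.endswith("." + d)`) rather than a plain substring, which is the difference between a "sufficiently unique identifier" and a match that would both miss a renamed RP and wrongly block an unrelated one.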