Federation - Authorization of RPs via Runtime Decision by an Authorized Party, v1.0

Identity Providers may allow authorized parties (usually a subscriber) to establish trust with an RP of their choosing at runtime.

Assessment Step

Greylist RPs (GreylistRPs)
Does the IdP allow authorized parties (typically subscribers) to choose, safely and at runtime, to trust RPs that appear on neither a whitelist nor a blacklist?
Provide evidence (e.g. policies, compliance/assessment reports) that the use of dynamically trusted RPs is handled correctly.

Conformance Criteria (1)

  • Every RP that is not on a whitelist or a blacklist SHALL be placed by default in a gray area where runtime authorization decisions will be made by an authorized party, usually the subscriber.
  • The IdP MAY remember a subscriber's decision to authorize a given RP, provided that the IdP SHALL allow the subscriber to revoke such remembered access at a future time.
NIST SP 800-63C
Section 4.2, Paragraph 2
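The decision logic the two conformance criteria describe, as an added illustration (not code from the criteria document or from any IdP product): RPs on neither list default to the grey area, the subscriber's runtime authorization may be remembered per subscriber, and a remembered authorization can be revoked. The in-memory store, the `Decision` names and the example RP identifiers are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"           # whitelisted, or this subscriber previously authorized it
    DENY = "deny"             # blacklisted
    ASK_SUBSCRIBER = "ask"    # grey area: the authorized party decides at runtime


@dataclass
class RpAuthorizationPolicy:
    """Decides whether the IdP may release an assertion to a given RP."""
    whitelist: set[str] = field(default_factory=set)
    blacklist: set[str] = field(default_factory=set)
    # Hypothetical in-memory store of remembered authorizations, keyed per
    # (subscriber, rp) so one subscriber's choice never applies to another.
    remembered: dict[tuple[str, str], bool] = field(default_factory=dict)

    def decide(self, subscriber: str, rp: str) -> Decision:
        # Blacklist first: a remembered subscriber authorization must never
        # override an operator-imposed deny added later.
        if rp in self.blacklist:
            return Decision.DENY
        if rp in self.whitelist:
            return Decision.ALLOW
        if self.remembered.get((subscriber, rp)):
            return Decision.ALLOW
        return Decision.ASK_SUBSCRIBER  # default for every unlisted RP

    def record_subscriber_decision(self, subscriber: str, rp: str,
                                   authorized: bool, remember: bool) -> Decision:
        """Apply the subscriber's answer to the runtime prompt for a grey-area RP."""
        if rp in self.blacklist or not authorized:
            return Decision.DENY
        if remember:  # the IdP MAY remember the authorization
            self.remembered[(subscriber, rp)] = True
        return Decision.ALLOW

    def revoke(self, subscriber: str, rp: str) -> bool:
        """Subscriber-initiated revocation; returns True if something was revoked."""
        return self.remembered.pop((subscriber, rp), None) is not None
```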