Federation - Authorization of RPs via Whitelist, v1.0

Identity Providers may establish a set of trusted RPs via a whitelist as long as the trusted RPs adhere to defined federation requirements.

Assessment Step

1
Whitelist RPs (WhitelistRPs)
Does the IdP use a whitelist of RPs, and does it have assurance that every RP on the whitelist is eligible to be there? One example of a whitelist model is a federation operator that approves RPs, with each IdP then selecting from that approved list which RPs it trusts locally.
Artifact
A1
Provide evidence (e.g. policies, compliance/assessment reports) that whitelisted RPs are handled correctly.

Conformance Criteria (1)

C1
  • IdPs MAY establish whitelists of RPs to which the IdP will send authentication assertions and attributes without a runtime decision from the subscriber.
  • All RPs in an IdP's whitelist SHALL abide by the provisions and requirements in the SP 800-63 suite.
  • The whitelist MUST identify authorized RPs by domain or another sufficiently unique identifier, depending on the federation protocol in use (for example, the client_id in OpenID Connect or the entityID in SAML).
  • IdPs SHALL make whitelists available to subscribers in an easy-to-understand manner, as described in SP 800-63C.
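The following is an added worked example of the whitelist lookup described in C1; it is not code from NIST SP 800-63C or from any assessed product. It keys the whitelist on the identifier the federation protocol actually uses (an assumed OpenID Connect client_id or SAML entityID), checks the RP's return endpoint against the registered domain so that a known identifier cannot be replayed with an attacker-controlled endpoint, releases only the whitelisted attribute bundle without a prompt, and produces the subscriber-facing listing the last bullet requires. The RP names, domains and attribute sets are constructed for illustration.

```python
"""Added example: IdP-side whitelist authorization of RPs (not NIST or product code).
Whitelist entries, RP identifiers and domains below are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse


class Protocol(Enum):
    OIDC = "oidc"
    SAML = "saml"


class Decision(Enum):
    RELEASE_WITHOUT_PROMPT = "release"  # whitelisted RP, no runtime decision by the subscriber
    PROMPT_SUBSCRIBER = "prompt"        # not covered by the whitelist: runtime decision required
    REFUSE = "refuse"                   # known RP identifier, but the request contradicts its registration


@dataclass(frozen=True)
class WhitelistEntry:
    protocol: Protocol
    rp_id: str             # OIDC client_id or SAML entityID; matched exactly
    domains: frozenset     # hostnames the RP's redirect_uri / ACS URL may use
    attributes: frozenset  # attributes released to this RP without a prompt


# Constructed sample whitelist (hypothetical RPs, not real deployments).
WHITELIST = {
    (Protocol.OIDC, "payroll-portal"): WhitelistEntry(
        Protocol.OIDC, "payroll-portal",
        frozenset({"payroll.example.gov"}), frozenset({"sub", "email", "name"})),
    (Protocol.SAML, "https://hr.example.gov/saml/metadata"): WhitelistEntry(
        Protocol.SAML, "https://hr.example.gov/saml/metadata",
        frozenset({"hr.example.gov"}), frozenset({"sub", "email"})),
}


def host_allowed(host, domains):
    """Exact or proper-subdomain match. A bare suffix test would accept
    'evil-payroll.example.gov' for 'payroll.example.gov'; requiring the
    leading dot closes that gap."""
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in domains)


def authorize(protocol, rp_id, return_url, requested, whitelist=WHITELIST):
    """Decide whether an assertion and attributes may go to this RP without a
    runtime decision from the subscriber. Returns (Decision, attributes that
    may be released without a prompt)."""
    entry = whitelist.get((protocol, rp_id))
    if entry is None:
        # Not on the whitelist: fall back to a runtime decision by the subscriber.
        return Decision.PROMPT_SUBSCRIBER, frozenset()
    url = urlparse(return_url)
    if url.scheme != "https" or not url.hostname or not host_allowed(url.hostname, entry.domains):
        # A whitelisted identifier paired with an unregistered endpoint is a
        # misconfiguration or an impersonation attempt, not a consent question.
        return Decision.REFUSE, frozenset()
    requested = frozenset(requested)
    auto = requested & entry.attributes
    if requested <= entry.attributes:
        return Decision.RELEASE_WITHOUT_PROMPT, auto
    # Attributes outside the whitelisted bundle need a runtime decision;
    # only the approved subset may be released without one.
    return Decision.PROMPT_SUBSCRIBER, auto


def describe_whitelist(whitelist=WHITELIST):
    """Subscriber-facing listing: which RPs are whitelisted and what each receives."""
    lines = []
    for entry in sorted(whitelist.values(), key=lambda e: (e.protocol.value, e.rp_id)):
        lines.append("%s [%s] at %s receives: %s" % (
            entry.rp_id, entry.protocol.value,
            ", ".join(sorted(entry.domains)), ", ".join(sorted(entry.attributes))))
    return lines


if __name__ == "__main__":
    print(authorize(Protocol.OIDC, "payroll-portal", "https://payroll.example.gov/cb", {"sub", "email"}))
    print(authorize(Protocol.OIDC, "payroll-portal", "https://evil-payroll.example.gov/cb", {"sub"}))
    print("\n".join(describe_whitelist()))
```

The lookup is keyed on the protocol-specific identifier rather than on the domain alone: in OpenID Connect the client_id is what the IdP has a registration for, and in SAML it is the entityID, so the domain check is a second factor on the return endpoint, not the primary key. Treating an endpoint mismatch as a refusal rather than a consent prompt matters because a subscriber cannot be expected to notice that a legitimate RP name is being paired with a foreign endpoint.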
Citation
NIST SP 800-63C
Section 4.2, Paragraph 2