Trust Interoperability Profile: NIST SP 800-63-3 Federation Proxy Profile, version 1.0

Identifier: https://artifacts.trustmarkinitiative.org/lib/tips/nist-sp-800-63-3-federation-proxy-profile/1.0/
Description: Profile of requirements that the operator of a Federation Proxy must satisfy to comply with the NIST Special Publication 800-63-3 series of documents.
Publication date: 2019-04-05
Primary: true

Legal notice: This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Issuer: Trustmark Initiative, https://trustmarkinitiative.org/
Contact (PRIMARY): Trustmark Support, help@trustmarkinitiative.org, 555-555-5555, https://trustmarkinitiative.org/

Keywords: NIST800-63, Identity, Federation, Proxy

Referenced trust interoperability profiles:

1. NIST SP 800-63C IdP Profile, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tips/nist-sp-800-63c-idp-profile/1.0/
   Profile of all requirements that an Identity Provider (IdP) must satisfy to comply with NIST Special Publication 800-63C, Digital Identity Guidelines: Federation and Assertions.

2. NIST SP 800-63C Federated RP Profile, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tips/nist-sp-800-63c-federated-rp-profile/1.0/
   Profile of all requirements that a federated Relying Party (RP) must satisfy to comply with NIST Special Publication 800-63C, Digital Identity Guidelines: Federation and Assertions.

Referenced trustmark definitions:

3. Federation Assurance Level Assertion Limitation for Federation Proxies, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tds/federation-assurance-level-assertion-limitation-for-federation-proxies/1.0/
   The use of proxies within a federation must not incorrectly present the Federation Assurance Level (FAL) to any relying parties. All proxies must strictly advertise the lowest FAL that they operate at as the only FAL they operate at for the purposes of considering the FAL for any transaction using the proxy.

4. Nondisclosure of Pairwise Pseudonymous Identifier Mappings, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tds/nondisclosure-of-pairwise-pseudonymous-identifier-mappings/1.0/
   When a federation proxy maps a user identifier to a pseudonymous identifier for consumption within a federation that uses pseudonymous identifiers, the proxy must not divulge this mapping except where it is necessary for legal reasons or to the proxied user if he or she requests this information.

Sources:

NIST SP 800-63-3: NIST Special Publication 800-63-3, Digital Identity Guidelines. June 2017. https://doi.org/10.6028/NIST.SP.800-63-3
NIST SP 800-63C: NIST Special Publication 800-63C, Digital Identity Guidelines: Federation and Assertions. June 2017. https://doi.org/10.6028/NIST.SP.800-63c
NIST SP 800-63B: NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. June 2017. https://doi.org/10.6028/NIST.SP.800-63b
NIST SP 800-63A: NIST Special Publication 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing Requirements. June 2017. https://doi.org/10.6028/NIST.SP.800-63a

Terms (the definition text is partly lost in this copy; where a fragment of a definition survives it follows the term after an ellipsis):

Access
Active Attack
Address of Record
Applicant
Approved Cryptography
Assertion
Assertion Reference
Asymmetric Keys
Attack
Attacker
Attribute
Attribute Bundle
Attribute Reference
Attribute Value
Authenticate: ... authentication.
Authenticated Protected Channel
Authentication
Authentication Factor: ... something you know, something you have, and something you are. Every authenticator has one or more authentication factors.
Authentication Intent
Authentication Protocol
Authentication Protocol Run
Authentication Secret: ... short-term authentication secrets, which are only useful to an attacker for a limited period of time, and long-term authentication secrets, which allow an attacker to impersonate the subscriber until they are manually reset. The authenticator secret is the canonical example of a long-term authentication secret, while the authenticator output, if it is different from the authenticator secret, is usually a short-term authentication secret.
Authenticator: ... token.
Authenticator Assurance Level (AAL)
Authenticator Output
Authenticator Secret
Authenticator Type
Authenticity
Authoritative Source
Authorize
Back-Channel Communication
Bearer Assertion
Binding
Biometrics
Challenge-Response Protocol
Claimant
Claimed Address
Claimed Identity
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
Credential
Credential Service Provider (CSP)
Cross-site Request Forgery (CSRF)
Cross-site Scripting (XSS)
Cryptographic Authenticator
Cryptographic Key: ... asymmetric keys, symmetric key.
Cryptographic Module
Data Integrity
Derived Credential
Digital Authentication: ... Electronic Authentication.
Digital Signature
Diversionary
Eavesdropping Attack
Electronic Authentication (E-Authentication): ... digital authentication.
Enrollment
Entropy: ... n bits of entropy has the same degree of uncertainty as a uniformly distributed n-bit random value.
Federal Information Processing Standard (FIPS)
Federation
Federation Assurance Level (FAL)
Federation Proxy
Front-Channel Communication
Hash Function
Identity
Identity Assurance Level (IAL)
Identity Evidence
Identity Proofing
Identity Provider (IdP)
Issuing Source
Kerberos
Knowledge-Based Verification (KBV)
Man-in-the-Middle Attack (MitM, MitMA)
Memorized Secret: ... something they know as part of an authentication process.
Message Authentication Code (MAC)
Mobile Code
Multi-Factor: ... authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Multi-Factor Authentication (MFA): ... authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Multi-Factor Authenticator
Network
Nonce
Offline Attack
Online Attack
Online Guessing Attack
Pairwise Pseudonymous Identifier
Passive Attack
Passphrase
Password: ... memorized secret.
Personal Data: ... personally identifiable information.
Personal Identification Number (PIN)
Personal Information: ... personally identifiable information.
Personally Identifiable Information (PII)
Pharming
Phishing
Possession and Control of an Authenticator
Practice Statement
Presentation Attack
Presentation Attack Detection (PAD): ... liveness detection, involve measurement and analysis of anatomical characteristics or involuntary or voluntary reactions, in order to determine if a biometric sample is being captured from a living subject present at the point of capture.
Private Credentials
Private Key
Protected Session: ... authenticated if, during the session, they prove possession of one or more authenticators in addition to the session keys, and if the other party can verify the identity associated with the authenticator(s). If both participants are authenticated, the protected session is said to be mutually authenticated.
Pseudonym
Pseudonymity
Pseudonymous Identifier
Public Credentials
Public Key
Public Key Certificate
Public Key Infrastructure (PKI)
Reauthentication
Registration: ... enrollment.
Relying Party (RP)
Remote: (In the context of remote authentication or remote transaction) An information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls.
Replay Attack
Replay Resistance
Restricted
Risk Assessment
Risk Management
Salt
Secure Sockets Layer (SSL): ... Transport Layer Security (TLS).
Session
Session Hijack Attack
Shared Secret
Side-Channel Attack
Single-Factor
Social Engineering
Special Publication (SP)
Subject
Subscriber
Symmetric Key
Token: ... authenticator.
Token Authenticator: ... authenticator output.
Token Secret: ... authenticator secret.
Transaction
Transport Layer Security (TLS)
Trust Anchor
Usability
Verifier
Verifier Impersonation
Virtual In-Person Proofing
Weakly Bound Credentials
Zero-Knowledge Password Protocol
Zeroize