InCommon Assurance Program
The InCommon Assurance Program is based on the tenet that good security and identity practices help ensure that an individual using an electronic credential is the person you think he or she is. For Service Providers in an identity federation, having Identity Provider Operators support a standard practice set (or profile) can mitigate the risk of service compromise. For Identity Providers it is a way to provide single sign-on access to applications requiring an increased level of confidence in a credential.
InCommon has two available profiles, Bronze and Silver, both approved by the US government's Identity Credential and Access Management program. The profiles are written by higher education for higher education, and are compatible with the US government's NIST Levels of Assurance 1 and 2.
The Incommon Assurance Advisory Committee (renamed in 2018 to the Community Trust and Assurance Board or CTAB) is also leading the community in developing a program of Baseline Expectations for Trust in Federation.
For complete information, see https://www.incommon.org/assurance/ .
Benefits of Assurance
- Increases Confidence; Reduces Risk — Service Providers, whether on- or off-campus, have increased confidence because standards-based identity practices ensure that their risk requirements are met.
- Getting Past Passwords — While many security experts deem passwords a thing of the past, we will continue to support them, even as we move to more secure methods. The Assurance profiles provide expert community guidance on managing your password-based infrastructures. Certification sends a message that you use a community standard that’s been approved by the U.S. government.
- It’s not NIST 800-63. It’s Higher Ed’s Version — InCommon’s profiles are written by higher education for higher education and account for the unique needs and broad diversity of our campuses. The profiles are also comparable to level of assurance 1 and 2 described in the NIST 800-63 Electronic Authentication Guideline [PDF], meaning they meet the U.S. government's standards, as well.
- Saves Time When Adding New Customers — Service Providers can rely on community-accepted standards in assessing Identity Provider systems, eliminating the burden of individual campus assessments. This will greatly reduce the time required to add new certified Identity Providers.
- Access to Higher-Value Services — Certified Identity Providers can provide federated access to financial and health-related applications, sensitive research information, and other services that require greater confidence in an identity.
- Protects Your Investment — InCommon is an approved Trust Framework Provider under the U.S. Identity, Credential, and Access Management Trust Framework Program. You’re one among many using this program.
For complete details, see assurance.incommon.org.
There is no cost for Service Providers to participate in the Assurance Program. There is also no charge for becoming certified at the Bronze level.
Fees for certification at the Silver level follow the same tiers as the InCommon participant fee schedule. The Assurance fee table includes a graduated ramp-up through 2015, acknowledging the value added by early adopters who will help create the program, improve processes, and create documentation for others to use.
These fees apply only to Identity Provider Operators wishing to be certified at the Silver level and above. There is no charge for Bronze.
Fees have been approved by the InCommon Steering Committee and are subject to change.
The InCommon Assurance Program is open to Identity Provider Operators from these types of organizations:
- Higher Education
- Research Organizations
- Not-for-profit Sponsored Partners (except those that offer consumer-oriented identity services)
Please email firstname.lastname@example.org if you have questions or need help determining eligibility.