The document discusses standards for identity federation and assertions. It defines four levels of federation assurance (FAL) based on the type of assertion used and how it is presented. FAL1 uses front-channel or back-channel bearer assertions signed by the identity provider. FAL2 adds encryption of assertions to the relying party. FAL3 encrypts assertions to the relying party for both front and back-channel. FAL4 uses holder-of-key assertions, where the assertion contains a public key and proof of possession, signed and encrypted to the relying party. The document provides definitions and discusses security considerations for federation and assertions.

1. SP 800-63C
- Federation and Assertions -
Nov Matake

2. 800-63-3 Federation
800-63-2

3. Federation Assurance Level
(FAL)
• ...
• Assertion
• (ID Token etc.)
• Artifact (a.k.a. Handle / Assertion Reference)
• Assertion (Authorization Code etc.)
• Front-channel Presentation
• Assertion User Agent Assertion (Implicit Flow
etc.)
• Back-channel Presentation
• User Agent Artifact Assertion (Code Flow etc.)

4. Federation Assurance Level
(FAL)
• Federation Assurance Level
• Federation Assertion / Artifact
• Lv.1
• Front-channel / Back-channel Assertion
• Lv.2
• Lv1 Front-channel Assertion
• Lv.3
• Lv.2 Back-channel Assertion
• Lv.4
• Lv.3 Holder-of-Key Assertion (Proof-of-Posession)

5. Front-channel Presentation
Credential Service Provider
(a.k.a. IdP)
Relying Party
(a.k.a. End-User)

6. Back-channel Presentation

7. Holder-of-Key Assertion
• Subscriber (End-User)
• RP Assertion Subscriber
(Proof-of-Posession)
• Assertion Subscriber Assertion Subject (=
Holder-of-Key)
• Holder-of-Key Assertion “ ” Assertion Bearer Assertion
• Assertion Subscriber Assertion Subject
Assertion Assertion

8. Holder-of-Key Assertion
Key Pair
Public Key Reference
+
+
Proof of Possession

9. Holder-of-Key Assertion
Key Pair
+ Public Key Reference
+
Proof of Possession

10. ?OIDC / OAuth Implicit / Code Flow
Authorization Response Proof-of-Possession

11. ?RFC 7800
Holder-of-Key = Presenter = OAuth Client
RFC 7800 : Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
https://tools.ietf.org/html/rfc7800

12. Federation Assurance Levels
FAL Back-channel Presentation Front-channel Presentation
1
• Bearer assertion
• Signed by IdP
• Bearer assertion
• Signed by IdP
2
• Bearer assertion
• Signed by IdP
• Bearer assertion
• Signed by IdP
• Encrypted to RP
3
• Bearer assertion
• Signed by IdP
• Encrypted to RP
• Bearer assertion
• Signed by IdP
• Encrypted to RP
4
• Holder-of-Key assertion
• Signed by IdP
• Encrypted to RP
• Holder-of-Key assertion
• Signed by IdP
• Encrypted to RP

13. FAL
Federation

14. 1. Purpose
2. Introduction
3. Definitions and Abbreviations
4. Federation
5. Assertions
6. Assertion Presentation
7. Federation Assurance Levels
8. Security
9. Privacy Requirements and Considerations
10. Usability
11. Assertion Examples
12. References

15. 4 Federation
• 4 Federation Model
• Central Authority
• Manual Registration
• Dynamic Registration
• Proxied Federation
• IdP Subscriber Profiling

16. 5. Assertion
• Possession Category (800-63-2 )
• Holder-of-Key Assertion
• Bearer Assertion
• Protection Category
• Assertion Identifier
• Signed Assertion
• Encrypted Assertion
• Audience Restriction
• Pairwise Pseudonymous Identifier (PPID)

17. 8. Security
• (Non-normative)
• Assertion manufacture/modification
• Assertion disclosure
• Assertion repudiation by the IdP
• Assertion repudiation by the subscriber
• Assertion redirect
• Assertion reuse
• Secondary authenticator manufacture
• Secondary authenticator capture
• Assertion substitution
• 800-63-2 LoA

19. Discussion