PR.AA-04.206
Has your organization implemented standards-based approaches for identity assertions across all contexts, including proper generation, protection, and verification methods?
Explanation
This question assesses whether your organization follows industry standards (such as SAML, OAuth, OpenID Connect) for creating, protecting, and verifying identity assertions. These standards ensure that when a user's identity is asserted across systems or applications, the information is properly formatted, digitally signed or encrypted to prevent tampering, and verified before access is granted. Evidence could include documentation of your identity management architecture showing which standards are implemented, configuration guides for identity providers and service providers, code samples showing proper implementation of digital signatures or encryption for assertions, and logs demonstrating proper validation of identity assertions in production systems.
Implementation Example
Implement standards-based approaches for identity assertions in all contexts, and follow all guidance for the generation (e.g., data models, metadata), protection (e.g., digital signing, encryption), and verification (e.g., signature validation) of identity assertions
ID: PR.AA-04.206
Context
- Function
- PR: PROTECT
- Category
- PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
- Identity assertions are protected, conveyed, and verified
