Navigate

IA-13

IA-13: Identity Providers and Authorization Servers

Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with [identification and authentication policy is defined;] using [mechanisms supporting authentication and authorization decisions are defined;].

Supplemental

Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities of other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to IA-13.

Control	Description
AC-3	Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
IA-2	Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-3	Uniquely identify and authenticate [devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;] before establishing a [one or more of "local"/"remote"/"network"] connection.
IA-8	Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
IA-9	Uniquely identify and authenticate [system services and applications to be uniquely identified and authenticated are defined;] before establishing communications with devices, users, or other services or applications.
IA-12	a: Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; b: Resolve user identities to a unique individual; and c: Collect, validate, and verify identity evidence.

Enhancements

The controls below (if any) add on to the requirements of IA-13.

Control	Description
IA-13(1)	Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.
IA-13(2)	The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.
IA-13(3)	In accordance with [identification and authentication policy is defined;], assertions and access tokens are: (a): generated; (b): issued; (c): refreshed; (d): revoked; (e): time-restricted; and (f): audience-restricted.

Related CCIs

The CCIs below are tied to IA-13.

CCI	Definition
CCI-005155	Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with organization-defined identification and authentication policy using organization-defined mechanisms.