Closed
Description
Section 3.7.1 of SP800-63C rev4 documents the requirements for account linking when a user has >1 federated identifier with an application (RP). In general, it is not expected that enterprise users will have >1 federated identifier. In those cases where more than one identifier is available, it likely represents the use of a personal account (e.g. shadow IT).
These requirements are captured in #71. Should IPSIE eliminate the requirements in this section for purposes of SL1?
chair hat off
I suggest that we explicitly ban account linking in SL1. JIT provisioning followed by establishing managerial control of the account through SCIM is functionally different than account linking and should be supported moving forward.
chair hat on