FAL2 Compliance - Account Linking

[dhs-BI]

Section 3.7.1 of SP800-63C rev4 documents the requirements for account linking when a user has >1 federated identifier with an application (RP). In general, it is not expected that enterprise users will have >1 federated identifier. In those cases where more than one identifier is available, it likely represents the use of a personal account (e.g. shadow IT).

These requirements are captured in #71. Should IPSIE eliminate the requirements in this section for purposes of SL1?

chair hat off
I suggest that we explicitly ban account linking in SL1. JIT provisioning followed by establishing managerial control of the account through SCIM is functionally different than account linking and should be supported moving forward.
chair hat on

[sbroddy]

There are common and legitimate use cases in R&E that do not involve personal accounts. I can also think of at least several legitimate use cases outside of R&E. Outright banning account linking would preclude those use cases being solved using already common methods (at least in R&E).

[dhs-BI]

@sbroddy can you describe the use cases to me? I'm concerned about enabling uncontrolled access, but I need to understand more about the specific use cases to figure out how to write guidance.

[sbroddy]

Not sure why account linking is being equated to uncontrolled access. Supporting one need not necessarily imply the other.

As for use cases, there are many. But I'll try to summarize at least one scenario as: Any use case where access/rights/permissions/ownership of the resource at the RP should follow the person rather than the account identifier as that user moves across affiliations/domains/scopes whether that be intra- or inter-organization/enterprise, and the account identifiers change either serially or multiple identifiers are available to the user simultaneously due to multiple affiliations.

[dhs-BI]

Interesting use case, @sbroddy. Could this also apply to a merger/acquisition scenario?

[deansaxe]

Tagging this for inclusion in the sidecar doc for SL1. @sbroddy I'd appreciate more of your thoughts on how this works in real world deployments.

[deansaxe]

I have published a draft to address this issue. Please see https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html.