This is the draft preview of version 3.1 for the Federal Identity, Credential, and Access Management architecture.


8. Accept Federation Assertions

Three hexagons with the letters I in red, C in green, and A in blue, with a gray banner for the Attribute Exchange service in Federation.

Federal employees and contractors often need to access protected services managed by other federal agencies. Federation is the means by which an agency can accept authentication assertions and associated identity attributes from systems within their agency and at other agencies. This allows federal employees and contractors from across agencies to access protected resources and streamlines the user’s experience.

Agencies can pass assertions to share attributes about employees and contractors.


Use Case

In this use case, an employee or contractor from Agency A attempts to access a federated service at Agency B. This use case assumes the employee or contractor already has an account or entitlements to access resources at Agency B, or that they will be provisioned.

For more information about granting access to protected resources, see Grant Access.

Icon Key for the diagrams that follow.

1. Request access to federated service
A diagram showing an employee or contractor from Agency A requesting access to a federated service at Agency B.
An Agency A employee or contractor requests access to a federated service at Agency B.

The employee or contractor selects the Agency A authentication service.
2. Redirect to Agency A for authentication
A diagram showing an employee or contractor access request is redirected from Agency B access control system to the Agency A authentication service.
The Agency B system redirects the employee or contractor to the Agency A authentication service.

Agency A authenticates the employee or contractor.
3. Perform transparent transaction
A diagram showing Agency A authentication service passing identity attributes to the Agency B access control system.
Agency A passes identity attributes and transaction data to Agency B via a signed assertion.
4. Agency B grants access
A diagram showing Agency B access control system granting access to an employee or contractor from Agency A.
Agency B consumes the assertion data, correlates it with an established account or local identity, and makes an access control decision.

The Agency B system redirects the employee or contractor to the federated service.
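As an added illustration of steps 3 and 4 (example code written for this page, not part of the FICAM architecture and not any agency's implementation), the following Python sketch shows Agency A issuing a signed assertion and Agency B verifying it, correlating the subject to an established local account, and making the access decision. It assumes a toy HMAC-signed JSON format standing in for SAML or OIDC, a constructed shared signing key, a placeholder audience URL and a constructed local account store.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for Agency A's signing key. A real
# deployment would use an asymmetric key pair and a standard assertion format.
AGENCY_A_KEY = b"constructed-agency-a-signing-key"
AGENCY_A_ISSUER = "agency-a"                                       # assumption
AGENCY_B_AUDIENCE = "https://agency-b.example/federated-service"   # placeholder

# Constructed Agency B account store, keyed by the federated identifier that
# Agency B established when the employee or contractor was provisioned.
LOCAL_ACCOUNTS = {
    "agency-a:jdoe": {"entitlements": {"federated-service:read"}},
}


def issue_assertion(subject, attributes, key=AGENCY_A_KEY, now=None):
    """Step 3: Agency A signs identity attributes plus transaction data."""
    now = int(time.time()) if now is None else now
    claims = {"iss": AGENCY_A_ISSUER, "sub": subject, "aud": AGENCY_B_AUDIENCE,
              "iat": now, "exp": now + 300, "attrs": attributes}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def accept_assertion(assertion, required_entitlement, key=AGENCY_A_KEY, now=None):
    """Step 4: Agency B verifies the assertion, correlates it to a local
    identity and returns the access control decision as a short string."""
    now = int(time.time()) if now is None else now
    # Verify the signature before trusting any claim in the body.
    expected = hmac.new(key, assertion["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "deny: bad signature"
    claims = json.loads(assertion["body"])
    # Only accept assertions issued by the trusted agency and meant for us.
    if claims.get("iss") != AGENCY_A_ISSUER or claims.get("aud") != AGENCY_B_AUDIENCE:
        return "deny: wrong issuer or audience"
    if not (claims["iat"] <= now < claims["exp"]):
        return "deny: assertion expired or not yet valid"
    # Correlate the asserted subject with an established Agency B account.
    account = LOCAL_ACCOUNTS.get(f"{claims['iss']}:{claims['sub']}")
    if account is None:
        return "deny: no established account (provision first)"
    if required_entitlement not in account["entitlements"]:
        return "deny: missing entitlement"
    return "allow"
```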

Examples

  • I want to allow other federal agencies’ employees and contractors (who meet specific requirements) to access some of my agency’s resources, which facilitates cross-government collaboration and information sharing.
  • An employee or contractor from Agency A visits a shared service operated by Agency B to service all Federal government users. At the homepage, the employee/contractor selects their Agency A icon and is redirected to their Agency A SSO portal. They log in using their Agency A managed credentials and are redirected back to the Agency B shared service.

Next Steps

Authorize access to the protected resource.