Anil John
Making Digital Services Secure and Trustworthy


FICAM TFS Component Identity Services Terminology


This blog post was originally published on the FICAM IDMGOV Info Blog on December 21, 2013. That blog was shut down by GSA after the elimination of the FICAM TFS Program, which resulted in the program content disappearing from the InterWebs. So I am re-publishing it here on my personal blog to ensure the continued existence of a historical record.

As part of a recent update, the concept of component identity services was incorporated into the FICAM Trust Framework Solutions (TFS). The component identity service model “separates the functions of authentication and attribute providers”.

This is supported by an industry trend whereby these functions are now offered by separate service providers. This trend has been driven by the fact that:

  • Vendors have focused their offerings according to their core strengths, which leads to improved quality of service for agency Relying Parties.
  • Some identity solution architectures require or prefer separated services, which gives agency Relying Parties a wider choice of services and the flexibility to obtain only the services they need from an external provider.

The model, shown below, utilizes the following OMB and NIST terminology:

  • Token: Something that an individual possesses and controls that is used to authenticate the individual
    • Tokens are possessed by an individual and controlled through one or more of the traditional authentication factors (something you know, have, or are)
  • Identity: A set of attributes that uniquely describe an individual within a given context
  • Credential: An object or data structure that authoritatively binds an identity to a token possessed and controlled by an individual

[Figure: FICAM TFS Component Identity Services Terminology model, relating token, identity and credential]

NOTE: The above model is based on assurance and identity concepts that have been discussed in multiple jurisdictions and communities. In particular, the FICAM TFS Program would like to acknowledge the contributions of the Canada TBS and the Kantara IAWG.

The value of the model lies in the flexibility possible in combining the various functions as part of an industry service offering.

Within the framework of the FICAM TFS Program, the following three combinations are recognized:

A Credential Service Provider, which offers:

  • Token Management Services
  • Authentication Services
  • Identity Proofing Services
  • Attribute Validation Services

[Figure: Credential Service Provider, combining token management, authentication, identity proofing and attribute validation services]

A Token Manager, which offers:

  • Token Management Services
  • Authentication Services

[Figure: Token Manager, combining token management and authentication services]

An Identity Manager, which offers:

  • Identity Proofing Services
  • Attribute Validation Services

[Figure: Identity Manager, combining identity proofing and attribute validation services]

It should be noted that in all three cases, consent services are implementation-specific and driven by policy.

The FICAM TFS Program recognizes that, especially in the private sector, identity service functions may be conducted by separate and independent entities that have relationships based on contracts as well as laws and regulations. As such, it supports a flexible conceptual model that brings together token managers, identity managers and credential service providers.
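To make the split concrete, here is an added Python sketch of the three roles as separate providers and of what a Relying Party has to check when it consumes them. It is written for this re-publication and is not FICAM program code or the author's own; the provider names, the HMAC stand-in for assertion signatures, and the assumption that the RP already holds each provider's verification key are all illustrative.

```python
"""Added illustration (not FICAM program code): a Token Manager that only authenticates
tokens, an Identity Manager that only supplies proofed attributes, and a Credential that
binds one to the other. The relying party must verify all three before trusting attributes."""
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, payload: dict) -> str:
    # Assumption: HMAC-SHA256 over canonical JSON stands in for a real assertion signature.
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, payload), sig)


class TokenManager:
    """Token management + authentication services: knows tokens, not people."""

    def __init__(self, issuer: str):
        self.issuer, self.key, self._tokens = issuer, secrets.token_bytes(32), {}

    def issue_token(self, token_id: str) -> str:
        secret = secrets.token_hex(16)  # the "something you have/know"
        self._tokens[token_id] = hashlib.sha256(secret.encode()).hexdigest()
        return secret

    def authenticate(self, token_id: str, secret: str, audience: str):
        stored = self._tokens.get(token_id)
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, presented):
            return None
        payload = {"iss": self.issuer, "aud": audience, "token_id": token_id}
        return payload, _sign(self.key, payload)


class IdentityManager:
    """Identity proofing + attribute validation: knows attributes, not tokens."""

    def __init__(self, issuer: str):
        self.issuer, self.key, self._identities = issuer, secrets.token_bytes(32), {}

    def proof_identity(self, identity_id: str, attributes: dict) -> None:
        self._identities[identity_id] = dict(attributes)  # outcome of proofing

    def attribute_assertion(self, identity_id: str, audience: str, requested):
        attrs = self._identities.get(identity_id)
        if attrs is None:
            return None
        payload = {"iss": self.issuer, "aud": audience, "identity_id": identity_id,
                   "attributes": {k: attrs[k] for k in requested if k in attrs}}
        return payload, _sign(self.key, payload)


class CredentialIssuer:
    """Issues the Credential that binds an identity to a token. In a full CSP this is the
    same organisation as the TM and IM; in the component model it may be a separate party."""

    def __init__(self, issuer: str):
        self.issuer, self.key = issuer, secrets.token_bytes(32)

    def bind(self, token_id: str, identity_id: str) -> dict:
        payload = {"iss": self.issuer, "token_id": token_id, "identity_id": identity_id}
        return {"credential": payload, "sig": _sign(self.key, payload)}


def relying_party_login(rp, tm, im, ci, credential, token_id, secret, requested):
    """Return validated attributes, or None. Assumes the RP holds each provider's key."""
    auth = tm.authenticate(token_id, secret, rp)
    if auth is None or not _verify(tm.key, *auth) or auth[0]["aud"] != rp:
        return None  # token not authenticated for this RP
    cred = credential["credential"]
    if not _verify(ci.key, cred, credential["sig"]) or cred["token_id"] != auth[0]["token_id"]:
        return None  # credential forged, or bound to a token other than the one just authenticated
    attrs = im.attribute_assertion(cred["identity_id"], rp, requested)
    if attrs is None or not _verify(im.key, *attrs) or attrs[0]["identity_id"] != cred["identity_id"]:
        return None  # attribute assertion missing, tampered, or for the wrong identity
    return attrs[0]["attributes"]


def demo():
    """Constructed sample: three separate providers, one RP, four login attempts."""
    tm, im, ci = TokenManager("tm.example"), IdentityManager("im.example"), CredentialIssuer("ci.example")
    im.proof_identity("alice-id", {"name": "Alice", "role": "auditor"})
    im.proof_identity("bob-id", {"name": "Bob", "role": "admin"})
    alice_secret, _ = tm.issue_token("tok-1"), tm.issue_token("tok-2")
    cred_alice, cred_bob = ci.bind("tok-1", "alice-id"), ci.bind("tok-2", "bob-id")
    rp = "rp.example"
    good = relying_party_login(rp, tm, im, ci, cred_alice, "tok-1", alice_secret, ["name"])
    bad_secret = relying_party_login(rp, tm, im, ci, cred_alice, "tok-1", "wrong", ["name"])
    # Bob's genuine credential presented with Alice's authenticated token: not bound to it.
    unbound = relying_party_login(rp, tm, im, ci, cred_bob, "tok-1", alice_secret, ["role"])
    # A credential claiming tok-1 belongs to bob-id, but not issued by ci.example.
    forged = {"credential": {"iss": "ci.example", "token_id": "tok-1", "identity_id": "bob-id"}, "sig": "00" * 32}
    swapped = relying_party_login(rp, tm, im, ci, forged, "tok-1", alice_secret, ["role"])
    return good, bad_secret, unbound, swapped
```

The point the sketch makes is the one that gets lost when the functions are split across providers: "the token was authenticated" and "here are validated attributes for identity X" are two separate statements from two separate parties, and only the credential binding lets the Relying Party connect them. Without that check (the middle `if` in `relying_party_login`), the `unbound` and `swapped` cases would hand Bob's attributes to whoever holds Alice's token.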

:- by Anil John



This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
