InCommon is operated by Internet2



The InCommon Assurance Program

Good security and identity practices help ensure that individuals using an electronic credential are who they say they are. The InCommon Identity Assurance Program certifies qualifying Identity Provider Operators at campuses, research organizations, and non-profit organizations that support InCommon requirements for consistent management of digital identities.

Assurance Resources

  • Who is certified? See our list of Identity Providers certified for Bronze and Silver
  • Assurance Addendum to the InCommon Participation Agreement
  • Identity Assurance Assessment Framework (IAAF)
  • Identity Assurance Profiles (IAP)

Identity Provider Operators can use these assurance standards to benchmark their Identity and Access Management processes, as well as to provide an increased level of confidence to their Service Provider partners.

InCommon offers two assurance profiles:

  • Bronze, with a security level that slightly exceeds the confidence associated with a common Internet identity
  • Silver, with a security level appropriate for financial transactions


For Service Providers - Service Providers reduce risk when Identity Providers adopt a set of standard identity and electronic credential practices that meet the service risk requirements. Higher-risk applications (such as those involving financial or medical data) require a greater level of trust in the Identity Provider’s authentication and identity management system.

For Identity Providers - Supporting assurance profiles is a way to benchmark campus IAM operations and provide single sign-on access to applications requiring an increased level of trust and identity vetting.

How Does it Work?

The InCommon community has developed and published the Bronze and Silver profiles, which define the specific criteria an Identity Provider must meet to become certified. An Identity Provider incorporates these criteria into its identity and access management system.

In the case of Bronze, the Identity Provider can either conduct an audit to prove compliance with the profile or can simply sign a statement (self-assert) that it meets the criteria.

Silver requires an audit, which can typically be done by an internal auditor not directly associated with the IT operation.

Who is Certified?

InCommon maintains a list of Identity Providers certified for Bronze and Silver.

Available Profiles

Bronze, comparable to NIST Level of Assurance 1, provides reasonable assurance that a particular credential represents the same person each time it is used. Bronze is roughly the same confidence associated with common Internet identity.

Silver, equivalent to NIST Level of Assurance 2, has identity-proofing requirements that provide reasonable assurance of individual identity. Silver provides a security level roughly appropriate for basic financial transactions.

Need Detailed Information?

We recommend starting with the Program Components page to delve into the details.


Copyright 2004-2019 InCommon LLC. All rights reserved.