
8. Accept Federation Assertions


Federal employees and contractors often need to access protected services managed by other federal agencies. Federation is the means by which an agency can accept authentication assertions and associated identity attributes from systems within its own agency and at other agencies. This allows federal employees and contractors from across agencies to access protected resources and streamlines the user's experience.

Agencies can pass assertions to share attributes about employees and contractors.

Use Case

In this use case, an employee or contractor from Agency A attempts to access a federated service at Agency B. This use case assumes the employee or contractor already has an account or entitlements to access resources at Agency B, or that they will be provisioned.

For more information about granting access to protected resources, see Grant Access.


1. Request access to federated service
A diagram showing an employee or contractor from Agency A requesting access to a federated service at Agency B.
An Agency A employee or contractor requests access to a federated service at Agency B.

The employee or contractor selects the Agency A authentication service.
2. Redirect to Agency A for authentication
A diagram showing an employee or contractor access request is redirected from Agency B access control system to the Agency A authentication service.
The Agency B system redirects the employee or contractor to the Agency A authentication service.

Agency A authenticates the employee or contractor.
3. Perform transparent transaction
A diagram showing Agency A authentication service passing identity attributes to the Agency B access control system.
Agency A passes identity attributes and transaction data to Agency B via a signed assertion.
4. Agency B grants access
A diagram showing Agency B access control system granting access to an employee or contractor from Agency A.
Agency B consumes the assertion data, optionally correlates it with an established account or local identity, and makes an access control decision.

The Agency B system redirects the employee or contractor to the federated service.
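Step 4 is where Agency B decides whether to trust what it received. The following added example (not code from this playbook) sketches the relying-party side in Python: the signature is checked before any other field is trusted, then the issuer, the audience and the validity window, and only then is the subject correlated to a locally provisioned account for the access decision. It assumes a constructed JSON assertion signed with an HMAC key shared by Agency A and Agency B, which stands in for the asymmetric signatures real SAML or OIDC federations use; the issuer URL, audience, key and account table are constructed values.

```python
import base64, hashlib, hmac, json

# Constructed values: Agency A's issuer id and a key it shares with Agency B.
# HMAC stands in for the asymmetric signatures SAML/OIDC federations use.
AGENCY_A_ISSUER = "https://idp.agency-a.example"
AGENCY_A_KEY = b"constructed-shared-signing-key"
AGENCY_B_AUDIENCE = "https://service.agency-b.example"
# Agency B's provisioned accounts, keyed by (issuer, subject) so the same
# subject string asserted by a different issuer never maps to this account.
LOCAL_ACCOUNTS = {(AGENCY_A_ISSUER, "jdoe"): "agency-b-user-1042"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(key, issuer, subject, audience, attrs, now, lifetime=300):
    """Agency A (step 3): sign identity attributes for one audience, short-lived."""
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + lifetime, "attrs": attrs}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify_assertion(token, key, issuer, audience, now):
    """Agency B (step 4): return the payload only if every check passes."""
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not sig or not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")  # verify before trusting any field
    payload = json.loads(_unb64(body))
    if payload.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if payload.get("aud") != audience:
        raise ValueError("assertion not intended for this service")
    if not (payload["iat"] <= now < payload["exp"]):
        raise ValueError("assertion outside its validity window")
    return payload

def consume_assertion(token, required_role, now):
    """Agency B's access decision: 'allow: <account>' or 'deny: <reason>'."""
    try:
        p = verify_assertion(token, AGENCY_A_KEY, AGENCY_A_ISSUER, AGENCY_B_AUDIENCE, now)
    except (ValueError, KeyError, TypeError, AttributeError):
        return "deny: invalid assertion"
    account = LOCAL_ACCOUNTS.get((p["iss"], p["sub"]))  # correlate to local identity
    if account is None:
        return "deny: no provisioned account"
    if required_role not in p["attrs"].get("roles", []):
        return "deny: missing role"
    return "allow: " + account
```

A rejected assertion yields a generic deny string for the user; the specific reason belongs in Agency B's audit log, not in the response.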

Examples

  • I want to allow other federal agencies’ employees and contractors (who meet specific requirements) to access some of my agency’s resources, which facilitates cross-government collaboration and information sharing.
  • An employee or contractor from Agency A visits a shared service operated by Agency B to service all Federal government users. At the homepage, the employee/contractor selects their Agency A icon and is redirected to their Agency A SSO portal. They log in using their Agency A managed credentials and are redirected back to the Agency B shared service.