< BACK

Approval Profile for an Identity Provider – tSd0112

Summary

This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of an Identity Provider (IdP) Service.

Scope

The criteria given in this Approval Profile are related to the overall provision and life-cycle management of an Identity Credential (other than a PKI certificate, which is covered in the Approval Profile for a Certification Authority). Life-cycle management provides for the registration and verification of the particular identity attributes of the subject; initial creation and personalisation of credentials and/or tokens (as appropriate); the secure distribution of credentials/tokens, the maintenance of credential status; the potential for adding additional, verified attributes and the provision of suspension/revocation processes.

Some of these functions could be offered as stand-alone Services so, to avoid repetition of the related criteria, they have been removed from this Approval Profile and placed in appropriate service-specific Approval Profiles. Nevertheless they are still part of the provision of an Identity Provider Service. The Services that together make up the full Identity Provider Service, whether operated directly by the organisation offering the Identity Provider Service or whether outsourced to various other third parties, are required to fulfil the criteria defined in the following further Approval Profiles:

  • Identity Registration
  • {Attribute Registration}
  • Credential Validation
  • Credential Management
  • {Token Issuance}

Some of these Services are regarded as being mandatory parts of an Identity Provider Service and the implied requirements of any text are mandatory, the other Services, referred to within ‘curly’ brackets, { …thus… }, are optional and the Identity Provider must make clear whether or not they are intending to be assessed against them.

The Identity Provider has responsibility for ensuring conformance with the procedures prescribed in the applicable Service Policy even when constituent part-Services are outsourced to third parties. This requires the inclusion in its Service Policy Disclosure Statement of relevant practices undertaken by all parties contributing to the overall Service provision. The Identity Provider may demonstrate directly the conformance to the appropriate Approval Profiles of the constituent Services or they may refer to prior tScheme Approvals awarded to those Services, where they remain current.

Issue 1.00

The full Profile is available as a PDF document free of charge for non-commercial use. To track access, you must register (free of charge) – this entitles you to access the restricted Approvals Profiles page. To register for access to the Profiles please click here. Already registered? Login, then access the files here.

< BACK

Why tScheme approval?

It’s the mark which says your service meets the highest standards of trust.

MORE >

Using the tScheme mark

The tScheme mark lets users know that your service offers the highest levels of trust.

MORE >

Getting tScheme approval

Approval usually takes at least three months, but it can be quicker.

MORE >