From 5e5972ac594c24d8fad7208ae80827c41262315f Mon Sep 17 00:00:00 2001 From: Aaron Parecki Date: Thu, 5 Feb 2026 10:33:14 -0800 Subject: [PATCH 1/5] Revise SL2 requirements for session handling Updated SL2 requirements to include re-authentication and session termination commands from the Identity Service as discussed on the Feb 3 call. --- ipsie-levels.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/ipsie-levels.md b/ipsie-levels.md index 2b3605a..f923129 100644 --- a/ipsie-levels.md +++ b/ipsie-levels.md @@ -8,7 +8,7 @@ Each level includes the previous level (_e.g._ SL3 includes the requirements of | IPSIE
LEVEL| Application (aka RP) | Identity Service | |---------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------| | SL1 | - MUST meet NIST 800-63-4 FAL2 compliance*
- Application-specific session lifetime MUST be set from the assertion | - MUST meet NIST 800-63-4 FAL2 Compliance*
- MUST enforce MFA and communicate an authentication class to the Application | -| SL2 | - MUST terminate sessions at the request of the Identity Service
- MUST not accept unsolicited federation assertions| - MUST enforce authentication method requests from Application | +| SL2 | - When requested from the Identity Service, MUST require the user log in at the Identity Service before continuing any action.
MUST revoke any active sessions and tokens at the request of the Identity Service
- MUST not accept unsolicited federation assertions| - MUST enforce authentication method requests from Application | | SL3 | - MUST communicate session state changes to Identity Service | - MUST communicate user, session, and device state changes to the Application | |||| | AL1 | - MUST support suspend, archive, or delete of users by the Identity Service | - MUST deprovision accounts from the Application| @@ -32,7 +32,9 @@ Level SL2 adds the ability for the Application to request specific authenticatio Applications MUST NOT accept unsolicited federation requests from the identity service (e.g. SAML IdP initiated federation). -The Identity Services MUST be able to communicate a session termination event. The Application MUST act upon session termination requests from the Identity Services. +When requested by the Identity Service, Applications MUST require the specified user log in again at the Identity Service before continuing any action within the Application. This is effectively a "force re-authenticate" command, or an "expire session" command. This command does not place any requirements on what the Application does with artifacts like session identifiers or tokens. Identity Services are not obligated to send this command, but Applications are required to support receiving it. + +When requested by the Identity Service, Applications MUST terminate all active sessions and any access tokens and refresh tokens they may have created for the specified user. Identity Services are not obligated to send this command, but Applications are required to support receiving it. ### IPSIE Session Lifecycle SL3 - Continuous Access 
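Review bot: In the @@ -8 table hunk, the added SL2 Application cell runs two requirements together without a list marker on the second one: "MUST revoke any active sessions and tokens at the request of the Identity Service" has no leading "- ", while the neighbouring "- MUST not accept unsolicited federation assertions" and every other cell in the column use one. Inside a Markdown table cell a bare line break is not preserved, so this will render as one run-on sentence or split the row. Suggest "- MUST revoke any active sessions and tokens at the request of the Identity Service" (or a `<br>` separator, whichever the rest of the table uses), and while touching the cell, "MUST not" should be "MUST NOT" to match RFC 2119 keyword capitalisation used elsewhere.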
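Review bot: In the @@ -32 hunk, the first new paragraph names the command both "force re-authenticate" and "expire session" and then states it "does not place any requirements on what the Application does with artifacts like session identifiers or tokens"; calling it "expire session" while explicitly not requiring the session to expire is contradictory and will confuse implementers trying to tell the two SL2 commands apart. Suggest dropping the "expire session" alias (or replacing it with wording that does not imply revocation) so the split is unambiguous: the first command only blocks further actions until the user is re-authenticated at the Identity Service, the second revokes sessions, access tokens and refresh tokens. The closing sentence "Identity Services are not obligated to send this command, but Applications are required to support receiving it." is repeated verbatim in both paragraphs; stating it once for both SL2 commands reads better. Also "The Identity Services" / "Identity Services" is used inconsistently with the singular "Identity Service" used in the table and the surrounding text.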
@@ -71,7 +73,8 @@ The list below captures the security features described in the levels above. It * Identity Service allows Application to request specific minimum authentication methods * Application prohibits unsolicited federation assertions from the Identity Service -* Identity Service can terminate sessions at the Application +* Identity Service can terminate sessions and tokens at the Application +* Identity Service can require the user re-authenticate at the Identity Service before they can continue to interact with the Application ### SL3 From 47b5149cf1076715fb9a8a2078dc87beb113053a Mon Sep 17 00:00:00 2001 From: Aaron Parecki Date: Thu, 5 Feb 2026 12:39:46 -0800 Subject: [PATCH 2/5] Update ipsie-levels.md Co-authored-by: Mark Drummond --- ipsie-levels.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipsie-levels.md b/ipsie-levels.md index f923129..72e0176 100644 --- a/ipsie-levels.md +++ b/ipsie-levels.md @@ -8,7 +8,7 @@ Each level includes the previous level (_e.g._ SL3 includes the requirements of | IPSIE
LEVEL| Application (aka RP) | Identity Service | |---------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------| | SL1 | - MUST meet NIST 800-63-4 FAL2 compliance*
- Application-specific session lifetime MUST be set from the assertion | - MUST meet NIST 800-63-4 FAL2 Compliance*
- MUST enforce MFA and communicate an authentication class to the Application | -| SL2 | - When requested from the Identity Service, MUST require the user log in at the Identity Service before continuing any action.
MUST revoke any active sessions and tokens at the request of the Identity Service
- MUST not accept unsolicited federation assertions| - MUST enforce authentication method requests from Application | +| SL2 | - When requested from the Identity Service, MUST require the user to re-authenticate at the Identity Service before continuing any action.
MUST revoke any active sessions and tokens at the request of the Identity Service
- MUST not accept unsolicited federation assertions| - MUST enforce authentication method requests from Application | | SL3 | - MUST communicate session state changes to Identity Service | - MUST communicate user, session, and device state changes to the Application | |||| | AL1 | - MUST support suspend, archive, or delete of users by the Identity Service | - MUST deprovision accounts from the Application| From 7e0faaf0e5ace54823ddd48e70bd2dca8d8b9392 Mon Sep 17 00:00:00 2001 From: Aaron Parecki Date: Thu, 5 Feb 2026 12:39:54 -0800 Subject: [PATCH 3/5] Update ipsie-levels.md Co-authored-by: Mark Drummond --- ipsie-levels.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipsie-levels.md b/ipsie-levels.md index 72e0176..619a310 100644 --- a/ipsie-levels.md +++ b/ipsie-levels.md 
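Review bot: Patch 2/5 changes only the table cell ("re-authenticate" instead of "log in") while the normative paragraph at line 35 still reads "log in again" until patch 3/5 applies the same wording there; as a standalone commit it leaves the table and the prose disagreeing, so patches 2 and 3 are better squashed into one commit. The missing "- " before "MUST revoke any active sessions and tokens at the request of the Identity Service" inside the cell is carried over unchanged from patch 1 and still needs fixing.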
@@ -32,7 +32,7 @@ Level SL2 adds the ability for the Application to request specific authenticatio Applications MUST NOT accept unsolicited federation requests from the identity service (e.g. SAML IdP initiated federation). -When requested by the Identity Service, Applications MUST require the specified user log in again at the Identity Service before continuing any action within the Application. This is effectively a "force re-authenticate" command, or an "expire session" command. This command does not place any requirements on what the Application does with artifacts like session identifiers or tokens. Identity Services are not obligated to send this command, but Applications are required to support receiving it. +When requested by the Identity Service, Applications MUST require the specified user re-authenticate at the Identity Service before continuing any action within the Application. This is effectively a "force re-authenticate" command, or an "expire session" command. This command does not place any requirements on what the Application does with artifacts like session identifiers or tokens. Identity Services are not obligated to send this command, but Applications are required to support receiving it. When requested by the Identity Service, Applications MUST terminate all active sessions and any access tokens and refresh tokens they may have created for the specified user. Identity Services are not obligated to send this command, but Applications are required to support receiving it. From 401e6096aabe9e9c73e246fa03f1a84481fe8bc0 Mon Sep 17 00:00:00 2001 From: Aaron Parecki Date: Tue, 24 Feb 2026 09:13:29 -0800 Subject: [PATCH 4/5] Apply suggestion from @aaronpk --- ipsie-levels.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipsie-levels.md b/ipsie-levels.md index 619a310..a2f97a4 100644 --- a/ipsie-levels.md +++ b/ipsie-levels.md 
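Review bot: This hunk is the prose counterpart of patch 2/5 and should be squashed with it (see the note on that patch). In the changed sentence, "MUST require the specified user re-authenticate" drops the "to" that the table cell uses ("require the user to re-authenticate"); pick one phrasing for both. The contradiction between the "expire session" alias and "does not place any requirements on ... session identifiers or tokens" noted on patch 1/5 remains in this version of the paragraph.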
@@ -32,7 +32,7 @@ Level SL2 adds the ability for the Application to request specific authenticatio Applications MUST NOT accept unsolicited federation requests from the identity service (e.g. SAML IdP initiated federation). -When requested by the Identity Service, Applications MUST require the specified user re-authenticate at the Identity Service before continuing any action within the Application. This is effectively a "force re-authenticate" command, or an "expire session" command. This command does not place any requirements on what the Application does with artifacts like session identifiers or tokens. Identity Services are not obligated to send this command, but Applications are required to support receiving it. +When requested by the Identity Service, Applications MUST obtain a new identity assertion from the Identity Service for the specified user before continuing any action within the Application. This is effectively a "force re-authenticate" command, or an "re-establish session" command. This command does not place any requirements on what the Application does with artifacts like session identifiers or tokens. Identity Services are not obligated to send this command, but Applications are required to support receiving it. When requested by the Identity Service, Applications MUST terminate all active sessions and any access tokens and refresh tokens they may have created for the specified user. Identity Services are not obligated to send this command, but Applications are required to support receiving it. From c66862cbd6582718b2bc48ddda870588d234a129 Mon Sep 17 00:00:00 2001 From: Aaron Parecki Date: Tue, 24 Feb 2026 09:14:15 -0800 Subject: [PATCH 5/5] Apply suggestion from @aaronpk --- ipsie-levels.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipsie-levels.md b/ipsie-levels.md index a2f97a4..06f1a85 100644 --- a/ipsie-levels.md +++ b/ipsie-levels.md 
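Review bot: Grammar in the added line: "or an "re-establish session" command" should be "or a "re-establish session" command". The new wording ("MUST obtain a new identity assertion from the Identity Service for the specified user") is clearer than "re-authenticate", but the following sentence still says the command "does not place any requirements on what the Application does with artifacts like session identifiers or tokens"; since an Application that obtains a new assertion and then simply continues the old session would satisfy the letter of this text, it is worth stating explicitly whether continuing the existing session after the new assertion is acceptable, which is presumably what "re-establish session" is meant to convey. This hunk updates only the normative paragraph; the SL2 table cell is aligned in patch 5/5, but the summary bullet added in patch 1/5 ("Identity Service can require the user re-authenticate at the Identity Service before they can continue to interact with the Application") is not touched in this series.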
@@ -8,7 +8,7 @@ Each level includes the previous level (_e.g._ SL3 includes the requirements of | IPSIE
LEVEL| Application (aka RP) | Identity Service | |---------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------| | SL1 | - MUST meet NIST 800-63-4 FAL2 compliance*
- Application-specific session lifetime MUST be set from the assertion | - MUST meet NIST 800-63-4 FAL2 Compliance*
- MUST enforce MFA and communicate an authentication class to the Application | -| SL2 | - When requested from the Identity Service, MUST require the user to re-authenticate at the Identity Service before continuing any action.
MUST revoke any active sessions and tokens at the request of the Identity Service
- MUST not accept unsolicited federation assertions| - MUST enforce authentication method requests from Application | +| SL2 | - When requested from the Identity Service, MUST obtain a new identity assertion for the user from the Identity Service before continuing any action.
MUST revoke any active sessions and tokens at the request of the Identity Service
- MUST not accept unsolicited federation assertions| - MUST enforce authentication method requests from Application | | SL3 | - MUST communicate session state changes to Identity Service | - MUST communicate user, session, and device state changes to the Application | |||| | AL1 | - MUST support suspend, archive, or delete of users by the Identity Service | - MUST deprovision accounts from the Application|
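Review bot: The table cell now matches the patch 4/5 prose ("MUST obtain a new identity assertion for the user from the Identity Service before continuing any action"), but the feature summary bullet introduced in patch 1/5 still reads "Identity Service can require the user re-authenticate at the Identity Service before they can continue to interact with the Application", so after this series the document describes the same SL2 command in two different ways; suggest a follow-up line in this hunk's file updating that bullet to the "obtain a new identity assertion" wording. The second line of the cell, "MUST revoke any active sessions and tokens at the request of the Identity Service", is still missing its "- " marker as of the final patch.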