Federation Assurance Level
NIST SP 800-63C's three-level scale (FAL1, FAL2, FAL3) describing how strongly the assertion an IdP sends to a relying party in a federated authentication is protected: whether it is signed, whether it is encrypted to the RP, and whether it is bound to a key the subject must prove possession of. The level descriptions below follow SP 800-63-3; Revision 4 of 800-63C changes what each level requires, so confirm which revision a contract or authorization package cites before mapping a deployment to a level.
FAL2 and FAL3 are rare in production B2B SaaS. Most enterprise SSO ships at FAL1 (a signed bearer assertion), and most procurement teams accept that. A bearer assertion grants access to whoever presents it, so FAL1 security rests on TLS protecting the assertion in transit and on the RP validating the signature, issuer, audience and expiry; anyone who captures a valid assertion can replay it until it expires. FAL2 (assertion encrypted to the RP via JWE or SAML XML Encryption) matters when the assertion carries sensitive claims through infrastructure neither the IdP nor the RP controls, such as the browser front channel or an intermediary proxy. FAL3 (holder-of-key; the OAuth term is sender-constrained) binds the assertion to a key the presenter must prove possession of, so a captured assertion is useless on its own. It matters in high-assurance federated workloads, such as government and regulated finance, and is increasingly relevant for AI agent identity propagation, where an assertion is handed across several services before it reaches the one that acts on it.
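To make the FAL1/FAL3 distinction concrete, here is an added example of the relying-party checks at each level and what happens when an attacker replays a captured assertion. It is not NIST's code or any IdP product's code. To run on the Python standard library alone it uses two stand-ins: the IdP signs with HS256 (HMAC) rather than RS256/ES256, and the RFC 7800 `cnf` claim carries a `kid` naming a symmetric key the subject's client and the RP share out of band, rather than a JWK. The FAL2 encryption step is omitted because JWE needs a crypto library. All keys, URLs and identifiers are constructed for the demo.

```python
"""Added example (not NIST's or any IdP's code): RP-side checks that separate a
FAL1 signed bearer assertion from a FAL3 holder-of-key assertion.
Stand-ins so it runs on the stdlib alone (both are assumptions of this demo):
  - the IdP signs with HS256 (HMAC) instead of RS256/ES256;
  - the RFC 7800 `cnf` claim carries a `kid` naming a symmetric key shared
    out of band between the subject's client and the RP, instead of a JWK."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

IDP_ISSUER = "https://idp.example"                     # constructed
RP_AUDIENCE = "https://rp.example"                     # constructed
IDP_SIGNING_KEY = b"idp-signing-key-demo"              # constructed
HOLDER_KEYS = {"client-key-7": b"holder-secret-demo"}  # RP registry kid -> shared key (constructed)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256 (stand-in for the IdP's asymmetric signature)."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jws_verify(token: str, key: bytes) -> dict:
    """Return the claims if the HS256 signature holds. The header's `alg` is
    deliberately ignored: the verifier decides the algorithm, not the token."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("assertion signature invalid")
    return json.loads(b64url_decode(payload))


def issue_assertion(sub: str, now: int, holder_kid: Optional[str] = None) -> str:
    """IdP side. With holder_kid the assertion is key-bound (FAL3); without it, bearer (FAL1)."""
    claims = {"iss": IDP_ISSUER, "sub": sub, "aud": RP_AUDIENCE,
              "iat": now, "exp": now + 300, "jti": secrets.token_urlsafe(16)}
    if holder_kid is not None:
        claims["cnf"] = {"kid": holder_kid}  # RFC 7800 confirmation claim
    return jws_sign(claims, IDP_SIGNING_KEY)


def make_pop_proof(assertion: str, holder_key: bytes, now: int) -> str:
    """Client side at FAL3: prove possession of the bound key over a hash of
    the assertion being presented (the same idea as DPoP's `ath` claim)."""
    ath = b64url(hashlib.sha256(assertion.encode()).digest())
    return jws_sign({"ath": ath, "iat": now}, holder_key)


def rp_accept(assertion: str, proof: Optional[str], now: int, required_fal: int) -> dict:
    """RP side. Raises ValueError on any failed check, returns claims on success."""
    claims = jws_verify(assertion, IDP_SIGNING_KEY)  # FAL1: IdP signature
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != RP_AUDIENCE:
        raise ValueError("assertion not addressed to this RP")
    if not (claims.get("iat", 0) - 60 <= now < claims.get("exp", 0)):
        raise ValueError("assertion expired or not yet valid")
    if required_fal < 3:
        return claims  # bearer: whoever presents a valid assertion is in
    # FAL3: the presenter must prove possession of the key named in `cnf`.
    kid = (claims.get("cnf") or {}).get("kid")
    if kid not in HOLDER_KEYS:
        raise ValueError("FAL3 required but assertion is not key-bound")
    if proof is None:
        raise ValueError("FAL3 required but no proof of possession presented")
    pop = jws_verify(proof, HOLDER_KEYS[kid])  # forged proof fails here
    if pop.get("ath") != b64url(hashlib.sha256(assertion.encode()).digest()):
        raise ValueError("proof does not cover this assertion")
    if abs(pop.get("iat", 0) - now) > 60:
        raise ValueError("proof too old")
    return claims


def replay_outcomes(now: int = 1_700_000_000) -> dict:
    """Scenario: an attacker captured the assertion in transit and replays it.
    True = the RP accepted the presentation, False = it rejected it."""
    def accepted(assertion, proof, fal):
        try:
            rp_accept(assertion, proof, now, fal)
            return True
        except ValueError:
            return False
    bearer = issue_assertion("alice", now)
    bound = issue_assertion("alice", now, holder_kid="client-key-7")
    good_proof = make_pop_proof(bound, HOLDER_KEYS["client-key-7"], now)
    forged_proof = make_pop_proof(bound, b"attacker-guess", now)
    return {
        "fal1_legit": accepted(bearer, None, 1),
        "fal1_replayed_by_attacker": accepted(bearer, None, 1),  # same bytes, any presenter
        "fal1_expired": accepted(issue_assertion("alice", now - 600), None, 1),
        "fal3_legit_with_proof": accepted(bound, good_proof, 3),
        "fal3_replayed_without_proof": accepted(bound, None, 3),
        "fal3_replayed_with_forged_proof": accepted(bound, forged_proof, 3),
        "fal3_bearer_assertion_offered": accepted(bearer, None, 3),
    }


if __name__ == "__main__":
    for case, ok in replay_outcomes().items():
        print(f"{case:36s} {'ACCEPTED' if ok else 'rejected'}")
```

The point to take from `replay_outcomes` is that the FAL1 path cannot tell the legitimate presenter from the attacker: the RP's only defences are short expiry, audience restriction and channel protection. At FAL3 the attacker holds a valid, unexpired, correctly-addressed assertion and still gets rejected, because the assertion is worth nothing without the bound key. In production the `cnf` claim would carry a public key (or a thumbprint of one) and the proof would be an asymmetric signature, so the RP never holds a secret that could itself forge proofs.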
Common questions
What's the difference between FAL1, FAL2, and FAL3?
Do I need FAL3 for typical B2B SSO?
Is OIDC at FAL1 or FAL2?
In the guides
Enterprise SSO: SAML vs OIDC, and How to Pick
SAML and OIDC are the two protocols that dominate enterprise SSO. A practical comparison, when each is the right answer, and the IdP-side considerations that determine the choice.
OpenID Connect (OIDC) Explained: The Modern Identity Layer on OAuth 2.0
OIDC adds authentication and identity claims to OAuth 2.0. How discovery, ID tokens, and the standard scopes work, plus the pitfalls that bite implementers in production.
SAML 2.0 Explained: The Enterprise SSO Standard, 20 Years In
SAML 2.0 still dominates the enterprise SSO install base in 2026. How the protocol actually works, the bindings, profiles, the metadata exchange, and the security pitfalls that keep biting implementers.