Security and PrivacyFedRAMP

Federated Identity Providers and FedRAMP

Most FedRAMP deployments are handled directly with Descope Customer Success, who will cover identity provider requirements as part of onboarding.

For the certification overview, see FedRAMP High Authorization.

Descope's FedRAMP High authorization applies to the Descope platform boundary. If your users authenticate through an external identity provider (IdP), that provider sits outside the Descope boundary and needs its own FedRAMP High authorization for the end-to-end flow to remain in a High boundary.

"Usable in FedRAMP High" means the identity provider you federate to holds its own FedRAMP High authorization. This almost always requires the vendor's government offering, not the commercial or consumer tier.

When you configure SSO or an identity federation connection, make sure to point it at the government SSO tenant.

Providers with a FedRAMP High Government Offering

For each provider below, the listed government offering is what carries a FedRAMP High authorization. The commercial or consumer tier of the same product generally does not.

Identity providerGovernment offering required for HighFedRAMP Marketplace
OktaOkta for Government High (commercial Workforce Identity Cloud is Moderate)FR2131856836
Microsoft Entra IDAzure Government (commercial Azure also holds a High P-ATO)Search Microsoft Azure Government
PingOnePing Government Identity Cloud (also DoD IL5)FR2208555094
Salesforce IdentitySalesforce Government Cloud PlusSearch Salesforce Government Cloud Plus
Google WorkspaceGoogle Workspace (government-configured editions)Search Google Workspace
CyberArkCyberArk Identity GovCloud / ISPSSFR2001619337
Descope (the platform itself)Descope on Palantir Federal Cloud ServiceFR2315464863

Always confirm current authorization status on the FedRAMP Marketplace before relying on a provider for a High deployment.

Consumer and Social Login

Consumer and social login is consumer-grade and falls outside a FedRAMP High boundary.

This includes Apple, Discord, Facebook, Google OAuth (distinct from Google Workspace / GCP), LinkedIn, Microsoft consumer accounts (distinct from Entra ID / Azure Government), Slack social login (distinct from GovSlack), and GitHub.

"Sign in with Google," "Sign in with Microsoft," and "Sign in with Slack" refer to the consumer identity tiers.

They are not the government tenants (Google Workspace government editions, Azure Government, GovSlack) and are not in scope for a FedRAMP High boundary.

Self-hosted Identity Providers

Self-hosted IdPs carry no cloud service provider authorization of their own. Their FedRAMP status is inherited from whatever environment the hosting agency has authorized:

Identity providerFedRAMP status
AD FS (Microsoft)On-premises Windows Server role with no CSP authorization; inherits the customer's own boundary
PingFederateSelf-hosted software with no standalone authorization; reaches High only via Ping Government Identity Cloud
KeycloakOpen-source self-hosted; FedRAMP status depends on the customer's authorized deployment
ShibbolethOpen-source self-hosted; FedRAMP status depends on the customer's authorized deployment
Generic OIDC/SAML SSOStatus depends on whichever endpoint the customer connects
Was this helpful?

On this page