Federated Identity Providers and FedRAMP
Most FedRAMP deployments are handled directly with Descope Customer Success, who will cover identity provider requirements as part of onboarding.
For the certification overview, see FedRAMP High Authorization.
Descope's FedRAMP High authorization applies to the Descope platform boundary. If your users authenticate through an external identity provider (IdP), that provider sits outside the Descope boundary and needs its own FedRAMP High authorization for the end-to-end flow to remain in a High boundary.
"Usable in FedRAMP High" means the identity provider you federate to holds its own FedRAMP High authorization. This almost always requires the vendor's government offering, not the commercial or consumer tier.
When you configure SSO or an identity federation connection, make sure to point it at the government SSO tenant.
Providers with a FedRAMP High Government Offering
For each provider below, the listed government offering is what carries a FedRAMP High authorization. The commercial or consumer tier of the same product generally does not.
| Identity provider | Government offering required for High | FedRAMP Marketplace |
|---|---|---|
| Okta | Okta for Government High (commercial Workforce Identity Cloud is Moderate) | FR2131856836 |
| Microsoft Entra ID | Azure Government (commercial Azure also holds a High P-ATO) | Search Microsoft Azure Government |
| PingOne | Ping Government Identity Cloud (also DoD IL5) | FR2208555094 |
| Salesforce Identity | Salesforce Government Cloud Plus | Search Salesforce Government Cloud Plus |
| Google Workspace | Google Workspace (government-configured editions) | Search Google Workspace |
| CyberArk | CyberArk Identity GovCloud / ISPSS | FR2001619337 |
| Descope (the platform itself) | Descope on Palantir Federal Cloud Service | FR2315464863 |
Always confirm current authorization status on the FedRAMP Marketplace before relying on a provider for a High deployment.
Consumer and Social Login
Consumer and social login is consumer-grade and falls outside a FedRAMP High boundary.
This includes Apple, Discord, Facebook, Google OAuth (distinct from Google Workspace / GCP), LinkedIn, Microsoft consumer accounts (distinct from Entra ID / Azure Government), Slack social login (distinct from GovSlack), and GitHub.
"Sign in with Google," "Sign in with Microsoft," and "Sign in with Slack" refer to the consumer identity tiers.
They are not the government tenants (Google Workspace government editions, Azure Government, GovSlack) and are not in scope for a FedRAMP High boundary.
Self-hosted Identity Providers
Self-hosted IdPs carry no cloud service provider authorization of their own. Their FedRAMP status is inherited from whatever environment the hosting agency has authorized:
| Identity provider | FedRAMP status |
|---|---|
| AD FS (Microsoft) | On-premises Windows Server role with no CSP authorization; inherits the customer's own boundary |
| PingFederate | Self-hosted software with no standalone authorization; reaches High only via Ping Government Identity Cloud |
| Keycloak | Open-source self-hosted; FedRAMP status depends on the customer's authorized deployment |
| Shibboleth | Open-source self-hosted; FedRAMP status depends on the customer's authorized deployment |
| Generic OIDC/SAML SSO | Status depends on whichever endpoint the customer connects |