Once you’ve tested your integration in our sandbox environment, you can request deployment to the Login.gov production environment.
Our integration documentation includes endpoint urls for our sandbox environment https://idp.int.identitysandbox.gov/. Our production environment is located at https://secure.login.gov/. The URL path to each endpoint remains the same. Only the domain will change. For example, the authorization endpoint will change as follows:
- OpenID Connect: https://secure.login.gov/openid_connect/authorize
- SAML: https://secure.login.gov/api/saml/auth2021
Please be aware that the IDP certificate (X509 Certificate) in the production environment is different from the IDP certificate in the sandbox environment. The production IDP certificates can be found here:
- OpenID Connect: https://secure.login.gov/api/openid_connect/certs
- SAML: https://secure.login.gov/api/saml/metadata2021
All changes to integrations between login.gov and your application must be reviewed and deployed. We ask for at least 1 week notice for new integrations and changes to existing integrations. Push Notification URLs may require 2 weeks notice in order to allow the domain for outbound communication. Regular deployments occur every Thursday by the close of the business day. If the regular deployment occurs on a holiday, then it will be completed the following Monday.
You must have a signed IAA (Inter Agency Agreement) with login.gov with your integration explicitly listed in it in order to deploy to production. You will need to provide the IAA number this application will be billed under. The IAA number format will include
LGABCFY210001-0001-0000), where GTC stands for General Terms & Conditions. You may also hear these referred to as forms 7600A and 7600B.
Please reach out to your agency IAA contact if you have any questions. If your agency does not already have an IAA, then ask your agency contact to reach out to email@example.com to begin the IAA process, which can take up to 6 weeks to complete.
Many partners choose to create a separate staging app in our sandbox environment for testing their staging environment, because changes take effect immediately without waiting for review and deployment.
If you are testing an IAL2 integration, then we also offer an ATO-ed staging environment for limited testing. You must have a signed IAA in order to deploy to Staging. Our staging environment is approved for PII, which can be useful in certain test cases. However, any configuration changes in the staging environment must be reviewed and deployed.
If you wish to deploy an application to our staging environment, then create a “staging” configuration app like the “production” configuration app described in the next section.
Before you can deploy your application to the production environment, you will need to create a separate app on our dashboard that contains your production certificate, urls and logo. Here are the steps to complete your production configuration app:
- Create a new app on the dashboard https://dashboard.int.identitysandbox.gov/
- Enter a Friendly Name with “Production” in the title
- Enter the production urls and configuration into the app
Please note: The following items are required to promote your app to production:
- All production urls should have .gov .mil or a dedicated .com address and point to an ATO-ed environment.
- You must include a logo for your application. You can find the logo guidelines here.
- If this is a SAML integration (Not OpenID Connect), then please ensure that:
- Assertion Consumer Logout Service URL is defined.
- SAML Assertion Encryption is enabled.
- If you are using a service which does not support SAML encryption, then please send a message to firstname.lastname@example.org for further guidance.
Once you have:
Please submit the login.gov production integration request form.
Changes to production applications
Please update your production configuration app in the dashboard and test the changes you wish to deploy. After you have confirmed the change, then please submit the login.gov integration change request form.