Skip to main content
U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock ( Https ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.


Frequently Asked Questions

We encourage you to create an account directly on or an agency partner like USAJobs to see in action. Generally a site will place a login button on their site. When the user clicks this button they redirect to where they can sign in or create an account. The site will be branded with the agency logo and can include help text for migrating existing users. After authenticating with they are redirected back to the agency with a unique UUID or email address that identifies the user.

We offer email address and UUID. Since a user can change their email address we recommend tracking users by UUID.

Yes. This is why we recommend using UUID as the primary key.

Every user has a unique UUID per agency for privacy reasons. This means that the same user can return a different UUID depending on which agency they are signing in to. These UUIDs are also globally unique. We do offer sharing of UUIDs between agencies with user consent on a case by case basis.

Once a user is authenticated on and passed back to the agency it is up to the agency to manage the user’s session. We do not remotely invalidate or expire a user’s session. makes no guarantees on IP addresses or ranges. Please use the DNS when querying for the latest IPs.

Check the error that was returned. Generally we return the specific errors in the HTML, JSON, or in the redirect url.

Feel free to contact the engineers at They can help diagnose your problem further.


No. only works via redirects to and from an agency site.

No. only handles authentication. Granting users specific access and permissions is handled on the agency side. For example, some agencies use active directory to store what applications a user can access.

For our basic authentication accounts (IAL1), we rely on the user having access to an email address, password, and a secure multi-factor authentication method (AAL2 or higher) such as a phone, authentication app or PIV/CAC where they can receive a secure code to use to sign in to their account.

For identity proofing, in addition to meeting the above requirements for IAL1/AAL2, we ask users to upload a photograph of their state-issued ID and share their address, phone number and other personal information which is then verified against authoritative sources. identity proofing services do not meet NIST IAL2 standards at this time. We continue to work toward achieving certification of compliance with the IAL2 standard from a third-party assessment organization. has a public status page available at where you can subscribe to incident notifications via email, SMS, Slack, or RSS.

Troubleshooting Errors

Background: recognizes incoming requests from Service Providers by validating the Issuer (for SAML) or ClientID (for OIDC) field sent in the request and checking it against Service Providers registered with The Issuer for each Service Provider is defined in the Issuer field on the Dashboard.

This error occurs when receives a request from a Service Provider that contains an Issuer/ClientID field that is not registered with The Issuer/ClientID defined in the request must match EXACTLY the Issuer defined in the Dashboard.


Double check the SAML/OIDC request to and confirm that the Issuer/ClientID field matches exactly what is defined in the Dashboard. See Other Tips & Tools for help with decoding SAML Requests.

Note that certain Service Providers will not allow partners to set or change the Issuer value after the application is configured (e.g. MS Power Apps Portal). In this case, the best option would be to create the Dashboard configuration after the Service Provider application has defined the Issuer and use that Issuer in the Dashboard.

SAML Request Example:

​​<samlp:AuthnRequest AssertionConsumerServiceURL=';loa=1'
  <!-- ... -->

OIDC Request Example:


For both SAML and OIDC, the Authentication Context Class Reference field can be used to define the Identity Assurance Level (IAL) and Authentication Assurance Level (AAL) on a per-request basis. It can also be used to define which user attributes should be returned from upon successful authentication.

This error occurs when receives a request containing an unrecognized or unauthorized Authentication Context Class Reference value.


Refer to the Developer’s Guide for a list of accepted Authentication Context Class Reference values and ensure one or more of these values (and no others) are being sent in all authentication requests:

OIDC User Attributes - see "scope"

Important Note for SAML Service Providers: requires AAL2 at minimum by default and so cannot accept AAL1 values for the Authentication Context Class Reference value unless the incoming requests allows to increase the AAL to 2. For SAML requests, this means defining the optional Comparison field in the RequestedAuthContext SAML field as “minimum” or “better”. See below for a sample SAML request with an AAL of 1 and the optional Comparison field.

<samlp:AuthnRequest ...>
  <!-- ... -->
  <samlp:RequestedAuthnContext Comparison='minimum'>

Service Providers that cannot accommodate either sending a specific Authentication Context Class Reference or sending the optional Comparison field cannot currently be integrated with (e.g. MS Power Apps Portal).

See Section of the SAML spec for more information.


For SAML Identity Providers, NameID is the unique identifier used to identify users across multiple sessions. The NameID Format field specifies the format of the NameID field and is defined and/or restricted by the Identity Provider.

This error occurs when receives a SAML request with a NameIDPolicy who’se Format field does not match the NameIDFormat specified by

<samlp:NameIDPolicy AllowCreate='true'


Refer to the Developers Guide for the acceptable values for the NameIdFormat SAML field. Update the Identity Provider configuration within your Service Provider to specify the correct NameIDFormat field.

For SAML Service Providers, see Other Tips & Tools for help with decoding SAML Requests.

Browser Console Errors


Content Security Policy (CSP) is a modern web browser defense for Cross-Site Scripting (XSS) attacks. For more information about CSP and XSS attacks, refer to the MDN documentation on CSP.

The CSP form-action directive restricts which URLs can be used as the target of form submissions from a given context. Certain Chromium-based internet browsers (e.g. Google Chrome and Microsoft Edge) enforce the form-action directive through the entire redirect chain (if any). Other non-Chromium-based browsers only check the first redirect in the chain (e.g. Firefox). For Chromium-based browsers, upon form submission, any attempts to redirect to a url not explicitly listed as a form-action source will violate the CSP directive and cause a failure to load and a console error.

This error occurs when Service Providers attempt to redirect users to a url that is not registered in the Redirect URLs field in the Dashboard configuration. All urls that users could be redirected to, even as a passthrough, need to be included in the list of Redirect URLs.


Use the Network tab of your web browser to identify which redirect (302) is hanging or failing. Add that uri to the list of Redirect URIs in your Dashboard configuration.

Other Application Issues


Any web application that authenticates its users must manage user sessions in order to avoid requiring their users to constantly re-authenticate. Often, this is done using a browser session token that gets passed back and forth between application resources. Session tokens can be valid for variable amounts of time and when they expire, users are required to re-authenticate. does not provide a session token for Service Providers as is an authentication service, not an authorization service. The authentication token returned from is not a session token and should not be used as one.


When Service Providers receive a successful authentication response from, they should create their own session tokens within their application in order to track their users’ sessions.

Other Tips & Tools

SAML requests from browser consoles are URI encoded, base-64-encoded, and deflate-compressed. Here are steps to obtain a human-readable version of your SAML request.

  1. Copy and paste the SAML request into a URI decoder (e.g. SAML Tool). Note that you will need to remove any flags that are included in the url (flags are denoted by an &).
  2. Take the returned value from the URI decoder and use a base-64-decode and inflate tool (eg. SAML Tool).