The cloud service provider MUST support standards-based integration of external identity providers for authentication and access management for the cloud service.

The integration of an external Identity Provider MUST be implemented via open, non-proprietary standards.

The provider MUST support a stateless authentication model that does not mandate the creation and copies of accounts within the provider’s directory.

Authorization MUST be controllable via dynamic claims and attributes issued directly by the customer's external identity provider.