Roland Hedberg with Catalogix and the OpenID Foudation provided an update on OpenID Connect Federation at the OIDF Workshop at Verizon Media on Monday, September 30, 2019 in Sunnyvale, CA.

1. OIDC Federation
Roland Hedberg, catalogix.se

2. Goal
Extend OIDC to be able to support multi lateral federations

3. Trusted information
• Correctness
• Tamper resistance
• Policy conformant
• Based on a trusted 3rd party
(trust anchor)
• Expressed in a trust chain

4. Information model
• Everyone, or someone representing an entity, publish self-
signed entity statements with metadata statement
• Intermediates and trust anchors publish metadata policies
about subordinates.

5. Entity Statement
{
"iss": "https://feide.no",
"sub": "https://ntnu.no",
"iat": 1516239022,
"exp": 1516298022,
"metadata_policy": {
"openid_provider": {
"organization_name": {"value": "NTNU"},
"id_token_signing_alg_values_supported":
{"subset_of": ["RS256", "RS384", "RS512"]},
}
},
"jwks": {
"keys": [
{
"e": “AQAB", "kid": “key1", "kty": "RSA",
"n": “pnXBOusEANuug6ewezb9J_...", "use": "sig"
}
]
},
"authority_hints": ["https://edugain.org/federation"]
}

6. Federation entity metadata
"metadata": {
"federation_entity": {
"federation_api_endpoint":
"https://example.com/federation_api_endpoint",
"name": "The example cooperation",
"max_path_length": 2,
"naming_constraints": {
"permitted": ["https://.example.com"],
"excluded": ["https://east.example.com"]
}
}
}

7. A simple example
If we have an RP that belongs to
organization A that is a member of
federation F, the trust chain for such
a setup will contain the following
entity statements
1. A self-signed entity statement about the
RP published by the RP
2. An entity statement about the RP
published by Organization A
3. An entity statement about Organization
A published by Federation F
RP OP
1
2
3

8. FEIDE
NTNU
ENTITY
FEIDE
NTNU
ENTITY
ENTITY
Verifying integrity

9. What if ?
Service
UmU
SWAMID
eduGAIN

10. Multi tenant service support
in .well-known
entity_id
• https://multi-tenant-service.example.com/my-tenant-identifier
well-known URL
• https://multi-tenant-service.example.com/.well-known/openid-
federation/my-tenant-identifier (RFC8414 like)
• https://multi-tenant-service.example.com/my-tenant-
identifier/.well-known/openid-federation (violates RFC8615)

11. Trust anchor key rotation
Key rotation of the trust anchor is supported by the use of
the jwks claim in self-signed entity statements.

12. Policy language
• subset_of
• one_of
• superset_of
• add
• value
• default
• essential

13. Applying Metadata policies
Federation Operator
Intermediate 1
Intermediate 2
Client
metadata
Metadata
policies

14. Client registration methods
• Automatic
• The client perfoms no registration, instead it sends an authorization request
with client_id == entity_id and client authentication method private_key_jwt.
• The OP needs to fetch the RP’s self-signed entity statement.
• Explicit
• The client does a client registration. The OP responds with a entity
statement about the RP with a metadata policy.
• The RP provides the OP with the self-signed entity statement in the body of
the client registration request

15. Status
• Implementations
• Python
• Java being worked on
• Hackathon at TechEX19 in december
• https://github.com/rohe/oidcfederation (bleeding edge)
Please review !

16. Questions!?