OIDF fed Virt WS - OpenID

Preview:

Click to see full reader

Citation preview

Roland Hedberg, 28 October 2020

OIDC federations

�1

What we’re not trying to solveOne RP to one OP One RP to many OPs Many RPs to one OP

What we do want to solveMany RPs to many OPs (multilateral federation)

What the OIDC federation specification adds

• Entity statements

• Trusted 3rd party (trust anchor)

• Trust chains

• Explicit/automatic client registration

• Metadata policies

Entity statementIs a JSON Web Token

• iss

• sub

• iat

• exp

• aud

• authority_hints

• jwks

• metadata

• metadata_policy

• constraints

• crit

• policy_crit

• A federation can be shallow (leaf entity immediately below trust anchor) or deep (one or more intermediates between the leaf entity and the trust anchor).

Federation structure

1.Start with a self-signed entity statement about an entity.

2.Use the authority_hints in the entity statement to find superiors.

3.Ask the superiors for their information, about the issuer of the entity statement, in the format of an entity statement.

4.If the superior is the trust anchor. -BREAK

5.GOTO 2

Trust Chain Collection

Trust Chain Verification

Explicit client registration

• Like OIDC core dynamic client registration but with entity statements instead of metadata.

• Both request (metadata) and response (metadata_policy) uses entity statements.

Automatic client registration

• First message sent from the RP to the OP is an authentication request (not counting the provider information discovery).

• The authentication request contains a request object by value, by reference or by using PAR.

• The client_id in the authentication request is the RP’s entity_id.

• Using the entity_id the OP can fetch and verify the RP’s metadata as described earlier.

• Once it has the RP’s metadata it can verify the signature of the request object.

Interoperability testing 1&2Setup

FO

ORG1 ORG2

RPe RPa OPidpy

OPshib

OPc2id

Interoperability testing - OPsRP used = oidcrp

IdPy C2ID SHIBBOLETH

Entity statements

Trust chain collection

Trust chain validation

Explicit client registration

Automatic client registation

Metadata policies

Recommended

OpenID TechNight #6 - OpenID on Smart.fm
Technology
OpenID - Caracteristicas
Technology
Cmg Virt Concepts
Documents
ABCD A’B’C’D’ SVC Raid 5 (TB)Raid 1 (TB) Host Raid 5 (TB)Raid 1 (TB) ABasic Virt. Disk100 A'Basic Virt. Disk100 BBasic Virt. Disk 100B'Basic Virt. Disk
Documents
OpenID Connect Conformance Profiles v3 · 1 OpenID Connect Conformance Profiles v3.0 OpenID Connect Working Group, OpenID Foundation June 28, 2018 1. Introduction This document defines
Documents
OpenID Presentation
Business
Oidf j tech-night6_nttid_20100528
Business
Understanding OpenID
Technology
Virt Cookbook RH5
Documents
Adusal virt paivat_helsinki_08122011
Entertainment & Humor
OpenID 2009
Technology
OpenID Connect - dior.ics.muni.czmakub/oidc/OpenID_Connect_Martin_Kuba.pdf · OpenID Connect a OAuth2 OpenID Connect (dále OIDC) je rozšíření autorizačního protokolu OAuth
Documents
Parth virt
Technology
OpenID Introduction
Technology
Shingo Yamanaka, OIDF-J - OpenID TechNight #9
Documents
Implementing OpenID
Technology
07 Virt Memhier
Documents
Introduction to OpenID Foundation...May 21, 2020  · Introduction to OpenID Foundation 2020-05-21 OpenID Foundation Virutal Workshop. OpenID Foundation A Non-profit International
Documents
Rootconf Virt
Technology
OpenId Flow
Technology