OpenID Connect Federation 1.0 -
draft 10
independentroland@catalogix.seMicrosoftmbj@microsoft.comhttp://self-issued.info/Uninett ASandreas.solberg@uninett.nohttps://www.linkedin.com/in/andreassolberg/Schibsted Media Groupsamuel.gulliksson@gmail.comYubicove7jtb@ve7jtb.comhttp://www.thread-safe.com/OpenID Connect Working GroupOpenIDConnectFederation
The OpenID Connect standard specifies how a Relying Party (RP)
can discover metadata about an OpenID Provider (OP), and then
register to obtain RP credentials. The discovery and
registration process does not involve any mechanisms of
dynamically establishing trust in the exchanged information, but
instead rely on out-of-band trust establishment.
In an identity federation context, this is not sufficient. The
participants of the federation must be able to trust information
provided about other participants in the federation. OpenID
Connect Federations specifies how trust can be dynamically
obtained by resolving trust from a common trusted third party.
While this specification is primarily targeting OpenID Connect,
it is designed to allow for re-use by other
protocols and in other use cases.
This specification describes how two entities that would like to
interact can dynamically fetch and resolve trust and metadata for a
given protocol through the use of third-party trust anchor. A trust
anchor is an entity whose main purpose is to issue statements
about entities, such as OpenID Connect Relying Parties, OpenID
Providers, and participating organizations.
An identity federation can be realized using this specification using
one or more levels of trust issuers. This specification does not mandate
a specific way or restrict how a federation may be built. Instead, the
specification provides the basic technical trust infrastructure building
blocks needed to build a dynamic and distributed trust network such as a
federation.
Note that a company, as with any real-world organization, may be
represented by more than one entity in a federation.
OpenID Connect Federation trust chains rely on
cryptographically signed
JSON Web Token (JWT) documents,
and the trust chain does not at
all rely on TLS
in order to establish trust.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in
RFC 2119.
This specification uses the terms
"Claim Name", "Claim Value", "JSON Web Token (JWT)",
defined by
JSON Web Token (JWT)
and the terms "OpenID Provider (OP)" and "Relying Party (RP)" defined
by OpenID Connect Core 1.0.
This specification also defines the following terms:
Something that has a separate and distinct existence and that can
be identified in a context. All entities in an OpenID Connect
federation MUST have a globally unique identifier.
An entity statement is
issued by an entity, which pertains to a subject entity and leaf
entities. An entity statement is always a signed JWT.
An entity that issues
an entity statement that appears somewhere in between those
issued by the trust anchor and the leaf entity in a trust chain.
An entity defined by a certain protocol,
e.g., OpenID Connect Relying Party or Provider.
An entity that represents a trusted third party.
A sequence of entity statements that represents a chain
starting at a leaf entity and ending in a trust anchor.
An entity statement is
issued by an entity and concerns a subject entity and leaf entities
in a federation. An entity statement is always a signed JWT.
All entities in a federation SHOULD be prepared to publish an entity
statement about themselves. If they are not able to do so themselves
someone else MUST do it for them.
An entity statement is composed of the following claims:
REQUIRED. The entity identifier of the issuer of
the statement. If the iss and
the sub are identical, the
issuer is making a statement about itself.
REQUIRED. The entity identifier of the subject
REQUIRED. The time the statement was issued.
Its value is a JSON number representing the number of seconds from
1970-01-01T0:0:0Z as measured in UTC until the date/time.
See RFC 3339 for
details regarding date/times in general and UTC in particular.
REQUIRED.
Expiration time on or after which the statement MUST NOT be
accepted for processing. Its value is a JSON number representing
the number of seconds from 1970-01-01T0:0:0Z as measured in UTC
until the date/time.
REQUIRED. A
JSON Web Key Set (JWKS)
representing the public part of the subject
entity's signing keys. The corresponding private key is
used by leaf entities to sign entity statements about themselves,
and intermediate entities to sign statements about other entities.
The keys that can be found here are primarily intended to sign
entity statements and should not be used in other protocols.
OPTIONAL.
The entity statement may be specifically created for an entity.
The entity identifier for that entity MUST appear in this claim.
OPTIONAL. Array of strings representing
the entity identifiers of intermediate entities or trust anchors
that may issue an entity statement about the issuer entity.
For all entities except for trust anchors that do not have any
superiors this is REQUIRED and MUST NOT be the empty list [].
This claim MUST be absent in an
entity statement issued by a trust anchor with no superiors.
OPTIONAL. JSON object including protocol
specific metadata claims that represent the entity's metadata.
Each key of the JSON object represents a metadata type
identifier, and each value MUST be a JSON object representing
the metadata according to the metadata schema of that metadata
type. An entity statement may contain multiple
metadata statements, but only one for each metadata type.
If the iss of an entity statement
points to the same entity as the sub
then the entity statement MUST contain a
metadata claim.
OPTIONAL. JSON object that describes
a metadata policy.
Each key of the JSON object represents a metadata type
identifier, and each value MUST be a JSON object representing
the metadata policy according to the metadata schema of that
metadata type. An entity statement may contain multiple
metadata policy statements, but only one for each metadata type.
Only non-leaf entities MAY contain a
metadata_policy
claim. Leaf entities MUST NOT contain a metadata_policy claim.
OPTIONAL. JSON object that describes a set of trust chain
constraints. More about this in
OPTIONAL.
The crit (critical) entity statement
claim
indicates that extensions to entity statement claims defined by
this specification
are being used that MUST be understood and processed.
It is used in the same way that
crit
is used for extension JWS header
parameters that MUST be understood and processed.
Its value is an array listing the entity statement claims
present in the entity statement that use those extensions.
If any of the listed extension entity statement claims are not
understood and supported by the recipient, then the entity
statement is invalid.
Producers MUST NOT include entity statement claim names defined by
this specification or
names that do not occur as entity statement claim names in the
entity statement
in the crit list.
Producers MUST NOT use the empty list
[]
as the crit value.
OPTIONAL.
The policy_language_crit (critical)
entity statement claim
indicates that extensions to the policy language defined by this
specification
are being used that MUST be understood and processed.
It is used in the same way that
crit
is used for extension
JSON Web Signature (JWS)
header parameters that MUST be
understood and processed.
Its value is an array listing the policy language extensions
present in the policy language statements that use those
extensions.
If any of the listed extension policy language extensions are not
understood and supported by the recipient, then the entity
statement is invalid.
Producers MUST NOT include policy language names defined by this
specification or
names that do not occur in policy language statements in the
entity statement
in the policy_language_crit list.
Producers MUST NOT use the empty list
[]
as the policy_language_crit value.
The entity statement is signed using the private key of the issuer
entity, in the form of a JSON Web Signature
(JWS).
The following is a non-normative example of an entity statement
before
serialization and adding a signature. The example contains
a critical extension jti (JWT ID) to the
entity statement and one critical extension to the policy language
regexp
(Regular expression).
In an OpenID Connect Identity Federation, entities that together build
a trust chain can be categorized as:
An entity that represents a trusted
third party
In an OpenID Connect Identity Federation, an RP or an OP
Neither a leaf nor a trust anchor
A trust chain begins with a leaf entity's self-signed entity
statement, has zero or more entity statements
issued by intermediates about subordinates, and ends with an
entity statement issued by the trust anchor about the top-most
intermediate (if there are intermediates) or the leaf entity
(if there are no intermediates).
A simple example: If we have an RP that belongs to organization A
that is a member of federation F, the trust chain for such a setup
will contain the following entity statements:
A self-signed entity statement about the RP published by the RP
An entity statement about the RP published by Organization A
An entity statement about Organization A published by Federation
F
A trust chain MUST always be possible to order such that:
If we name the entity statements ES[0] (the leaf entity's
self-signed entity statement) to ES[i] (an entity statement issued
by the trust anchor), i>0 then:
The iss entity in one entity statement
is always the
sub
entity in the next.
ES[j]['iss'] == ES[j+1]['sub'], j=0,...,i-1
There MUST always be a signing key carried in the
jwks
claim in
ES[j] that can be used to verify the signature of ES[j-1],
j=i,...,1 .
It MUST be possible to verify the signature of ES[0] with
one of the keys in ES[0]['jwks'].
The signing key that MUST be used to verify ES[i] is distributed
from the trust anchors to the any entity that needs to verify a
trust chain in some secure out-of-band way not described in this
document.
This specification does allow new metadata
types to be defined, to support use cases outside OpenID Connect
federations.
The metadata type identifier will uniquely identify which metadata
specification to utilize.
The metadata document MUST be a JSON document. Beyond that there is
no restriction.
Metadata used in federations typically re-uses existing metadata
standards.
If needed, the metadata schema is extended
with additional properties relevant in a federated context.
For instance, for OpenID Connect Federations, this specification uses
metadata values from
OpenID Connect Discovery 1.0 and
OpenID Connect Dynamic Client Registration 1.0
and adds additional
values used for federations.
The metadata type identifier is
openid_relying_party.
All parameters defined in Section 2 of
OpenID Connect Dynamic Client Registration 1.0
are allowed in a metadata statement.
To that list is added:
REQUIRED. Array of strings specifying the federation types
supported. Values defined by this specification are
automatic
and
explicit.
OPTIONAL. A human readable
name representing the organization owning the RP.
The metadata type identifier is
openid_provider.
All parameters defined in Section 3 of
OpenID Connect Discovery 1.0
are applicable.
In addition, the following parameters are defined by this
specification:
REQUIRED. Array specifying the federation types supported.
Federation type values defined by this specification are
automatic
and explicit.
OPTIONAL. A human readable
name representing the organization owning the OP. It is
intended to be used in the user interface, being recognized by
the end users that would be using the OP to authenticate.
OPTIONAL.
URL of the OP's Federation specific Dynamic Client Registration
Endpoint. If the OP supports explicit client
registration as described in ,
then this claim is REQUIRED.
The metadata type identifier is
oauth_authorization_server.
All parameters defined in Section 2 of
RFC 8414
are applicable.
The metadata type identifier is
oauth_client.
All parameters defined in Section 2 of
RFC 7591
are applicable.
The metadata type identifier is
oauth_resource.
There is no standard that specifies what parameters that can occur
in the metadata for this kind of entity. So for the time being, this
can be regarded as a place holder.
The metadata type identifier is
federation_entity.
All entities participating in a federation are of this type.
The following properties are allowed:
OPTIONAL.
The endpoint used for the Federation API described in
. Intermediate entities and
trust anchors MUST publish a federation_api_endpoint.
Leaf entities MUST NOT.
OPTIONAL.
An OP MUST use this claim to tell the RP which trust anchor it
chose to use when responding to an explicit client registration.
The value of trust_anchor_id is the entity identifier of a trust
anchor.
OPTIONAL. String. The human readable name
describing the subject entity. This may be, for example, the
name of an organization.
OPTIONAL. JSON array with one or more
strings. Contact persons at the entity.
These may contain names, e-mail addresses, descriptions, phone
numbers, etc.
OPTIONAL. URL to documentation of
conditions and policies relevant to this entity.
OPTIONAL. URL to a generic home page
representing this entity.
Example
The metadata for a specific entity can be constructed by
combining the metadata polices defined by the trust anchor and possible
intermediates starting with the trust anchor and the applying this
combined policy to the metadata information in a leaf entity's entity
statement.
Policies are expressed using a JSON object.
The following keywords represent different
actions/checks that MUST be applied to the metadata.
The resulting value of the claim will be the intersection of the
values specified here and the values of the claim. For
instance, the claim policy:
if applied to a metadata statement with:
will update the claim in the metadata statement to be:
The value of the claim MUST be one of the ones listed here.
As an example, if the claim policy:
is applied to the metadata statement
the resulting claim statement will be:
If an entity tries to register a value that is not in the
one_of
set of values,
applying the policy MUST lead to a failure.
The values of the claim MUST contain the ones listed here.
We define superset the mathematical way, that is equality is
included.
As an example, if the claim policy:
is applied to the metadata statementthe resulting claim statement will be:
If an entity tries to register a set of values that are not
a superset of the ones specified by
superset_of,
applying the policy MUST lead to a failure.
Adds the value or values specified to the list of values for the
metadata statement claim.
If the specified value is already present in the list,
this operation has no effect.
If the claim has no value then the claim is initialized with the
specified value.
As an example, if the claim policy:
is applied to the following claim in the metadata statement:
the end result will be the claim:
Disregarding what value the claim had,
if any, the claims value will be set to what is specified here.
As an example, if the claim policy:
is applied to a metadata statement with the claim
then the metadata statement will afterwards contain:
If no value is assigned to this claim, then the claim's value
will be set to what is specified here.
As an example, if the claim policy:
is applied to a metadata statement with the claim
then the metadata statement will afterwards contain:
If on the other hand, the metadata statement did not contain a
require_auth_time
claim then the
following claim statement would be added to the metadata
statement:
If 'true' then claim MUST have a value.
essential
can be
combined with all the other types.
The upshot of applying this policy to a metadata statement
is that the metadata statement MUST contain such a claim
otherwise the metadata statement is incorrect.
An entity may use more then one policy type when expressing a policy
for a claim. These are the policy types that can be combined in a
metadata_policy statement:
Can be combined with all the others. If
essential
is not present that is the same as stating essential=true.
Can be combined with one_of,
subset_of
and superset_of.
If a default policy is combined
with one_of,
subset_of
or
superset_of
and it is not a
subset of the subset_of policy or the
one_of
policy or a superset of the
superset_of
policy then an error MUST be raised.
Can be combined with subset_of.
If subset_of and
superset_of
both appears in a
metadata_policy statement
subset_of
MUST be a superset of superset_of.
Can be combined with superset_of.
If superset_of and
subset_of
both appears in a metadata_policy statement for a claim
subset_of
MUST be a superset of superset_of.
Can be combined with one_of,
subset_of
and superset_of.
Here the order matters. If value
appear in a superiors policy statement then the others MUST be
ignored. If value are defined by the
subordinate then it MUST be a subset of
subset_of, superset of
superset_of and one of
one_of.
If there is more than one metadata policy in a trust chain, then
the policies MUST be combined before they are applied to the
metadata statement.
Using the notation we have defined in
policies
are combined starting with ES[i] and then adding the policies from
ES[j] j=i-1,..,1 before applying the combined policy to the entity's
metadata.
After having combined the policies, the policy for each claim MUST
adhere to the rules defined in .
These are the policy types that can be combined when combining two
policies:
The result of combining two subset_of policies
is the intersection of the values.
The result of combining two one_of policies
is the intersection of the values.
The result of combining two
superset_of
policies is the intersection of the values.
The result of combining two add policies
is the union of the values.
The result of combining two value policies
is NOT allowed unless the two values are equal.
The result of combining two default policies
is NOT allowed unless the two values are equal.
The result of combining two essential policies
is True if any of the values are True otherwise it is False.
Note that a missing essential specification
is to be treated as an essential=true statement.
It should be noted that applying subset_of,
superset_of or
one_of to an empty value will result in
an empty value.
A federations policy for RPs:
An organization's policy for RPs:
The combined metadata policy then becomes:
If applying policies to a metadata statement results in incorrect
metadata, then such a metadata statement MUST
be regarded as broken and MUST NOT be used.
There might be parties that want to extend the policy language
defined here. If that happens then the rule is that if
software compliant with this specification
encounters a keyword it doesn't understand it MUST ignore it
unless it is listed in a
policy_language_crit list,
as is done for JWS header parameters
with the crit parameter.
If the policy language extension keyword
is listed in the policy_language_crit list
and not understood, then the metadata MUST be rejected.
The following is a non-normative example of a set of policies being
applied to an RP's metadata.
The RP's metadata:
The federation's policy for RPs:
The organization's policy for RPs:
The metadata for the entity in question after applying the policies
above, would then become:
The configuration endpoint is found using the
Well-Known URIs
specification, with the suffix
openid-federation. The scheme, host and port
is taken directly from the entity identifier combined with the following
path: /.well-known/openid-federation.
If the entity identifier contains a path, it is concatenated after
/.well-known/openid-federation
in the same
manner
that path components are concatenated to the well-known identifier in
the OAuth 2.0 Authorization Server Metadata
specification.
Of course, in real multi-tenant deployments, in which the entity identifier
might be of the form
https://multi-tenant-service.example.com/my-tenant-identifier
the tenant is very likely to not have control over the path
https://multi-tenant-service.example.com/.well-known/openid-federation/my-tenant-identifier
whereas it is very likely to have control over the path
https://multi-tenant-service.example.com/my-tenant-identifier/.well-known/openid-federation.
Therefore, if using the configuration endpoint at the URL with the tenant path
after the well-known part fails,
it is RECOMMENDED that callers retry at the URL with the tenant path
before the well-known part
(even though this violates ).
Federation Entities MUST make an Entity Configuration Document available
at the configuration endpoint.
A federation Entity Configuration Document MUST be queried using an
HTTP GET request at the previously specified path.
The requesting party would make the following request to the Entity
https://example.com
to obtain its
Configuration information:
The response is a self-signed Entity Statement, as described in
entity statement.
If the entity is an intermediate entity or a trust anchor the
response MUST contain metadata for a federation entity.
A positive response is a signed entity statement, where the content
type MUST be set to application/jose.
In case of an error, the response
will be a JSON object, the content type MUST be set to
application/json and
the error response uses the applicable HTTP status code value.
The following is a non-normative example response from an
intermediate entity, before serialization and adding a signature:
All entities that are expected to publish entity statements about other
entities MUST expose a Federation API endpoint.
The federation API endpoint of an entity can be found the in the
configuration response as described in
or by other means.
The Federation API is an HTTPS API that may support multiple
operations. Fetching entity statements is one of the operations, and the
only one that all Federation API endpoints are REQUIRED to support.
All the other operations are OPTIONAL. The list of defined
operations may be extended in a future.
While all operations on the federation API endpoint make use of a
GET request, other operations may choose to use other HTTP methods. If
the operation
parameter is left out, it is treated as a
fetch entity statements request. Unless otherwise mentioned or agreed
upon, requests to the federation API do not need to be
authenticated.
Fetching entity statement is used to collect entity statements
one by one in order to gather trust chains.
In order to fetch an entity statement, an entity needs to know the
identifier of the entity to ask (the issuer), the federation API
endpoint of that entity and the identifier of the entity that you
want the statement to be about (the subject).
The request MUST be an HTTP request using the GET method and
the https scheme to a resolved federation API endpoint with the
following query string parameters:
OPTIONAL. If not present, MUST be treated as
fetch.
REQUIRED. The entity identifier of the issuer
from which you want an entity statement issued. Because of the
normalization of the URL, multiple issuers may resolve to a
shared federation API. This parameter makes it explicit exactly
which issuer we want entity statements from.
OPTIONAL. The entity identifier of the subject
for which you would like an entity statement issued. If this
parameter is left out, it is considered to be the same as the
issuer and would indicate a request for a self-issued
statement.
OPTIONAL. The entity identifier of the
requester. If the aud parameter is present in the request,
the aud claim SHOULD be present in
the entity statement response and take exactly that value.
The following is a non-normative example of an API
request for an entity statement:
A positive response is a signed entity statement where
the content type MUST be set to
application/jose.
If it is negative response it will be a JSON object and the
content type MUST be set to
application/json.
See more about error responses in .
The following is a non-normative example of a response, before
serialization and adding a signature:
An entity may use the trust negotiation operation in order to fetch
resolved metadata about itself as seen/trusted by a remote peer.
The result may, for instance, tell an RP what operations, scopes and
claims an OP would allow the RP to use if a specific trust anchor
was used.
The request MUST be an HTTP request using the GET method and
the https scheme to a resolved federation API endpoint with the
following query string parameters:
REQUIRED. MUST be set to
resolve_metadata.
REQUIRED. The entity identifier of the
entity whose metadata are requested. Because of the
normalization of the URL, multiple entity identifiers may
resolve to a shared federation API. This parameter makes it
explicit exactly which entity is expected.
REQUIRED. The entity identifier of the entity
the information is requested for. This must be a leaf entity.
REQUIRED. The metadata type to resolve.
In this document, we use the metadata types listed in
.
REQUIRED. The trust anchor the remote peer
MUST use when resolving the metadata. The value is an entity
identifier.
The following is a non-normative example of an API
request for trust negotiation:
The response is a metadata statement that is the result of
applying the metadata policies in the trust chain on the entity's
metadata.
The following is a non-normative example of a response:
An entity may query another entity for a list of all the
entities immediately subordinate to that entity and about which
that entity is prepared to issue statements about.
(In some cases, this may be a very large list.)
The request MUST be an HTTP request using the GET method and
the https scheme to a resolved federation API endpoint with the
following query string parameters:
REQUIRED. MUST be set to
listing.
REQUIRED. The entity identifier of the entity
from which an entity listing is requested. Because of the
normalization of the URL, multiple entity identifiers may
resolve to a shared federation API. This parameter makes it
explicit exactly which entity is expected.
OPTIONAL. If left out, result should
include both leaf entities and intermediate nodes. If set to
true,
the response should contain only leaf entities. If set to
false, the
response should contain only intermediate nodes.
The following is a non-normative example of an API
request for trust negotiation:
The response MUST contain an JSON list with the known entity
identifiers.
The following is a non-normative example of a response:
If the request was malformed, or some error occurred during
processing of the request, the following standardized error format
should be used regardless of the operation specified.
The HTTP response code MUST be something in 400/500-range, giving an
indication of the type of error. The response body MUST be a JSON
object containing the claims below and the content type MUST
be set to application/json.
REQUIRED. The operation of the request.
REQUIRED. The error code.
REQUIRED. A human readable short
text describing the error.
The following is a non-normative example of an error response:
An entity (e.g., the Consumer) that wants to establish trust with a
remote peer, must have the remote peer's entity identifier and a list of
entity identifiers of trust anchors together with the public version
of their signing keys. The Consumer will first have to fetch
sufficient entity statements to establish at least one chain of trust
from the remote peer to one or more of the configured trust anchors.
After that the entity MUST validate the trust chains independently,
and -- if there are multiple valid trust chains and if the
application demands it -- choose one.
Depending on the circumstances, the Consumer may either be
handed the remote peer's self-issued entity statement, or it may
have to fetch it by itself. If it needs to fetch it, it will use the
process described in
with both iss and
sub
set to the entity identifier
of the remote peer.
The next step is to iterate through the list of
intermediates listed in
authority_hints, ignoring the authority
hints that end in an unknown trust anchor, requesting an entity
statement about the remote peer from each of the intermediates.
If the received entity statement contains an authority hint this
process is repeated. This time with the
iss
set to the
intermediates entity identifier and the sub to be
the iss of the previous query.
The Consumer SHOULD NOT attempt to fetch
entity statements it already has fetched during this
process (loop prevention).
A successful operation will return one or more lists of
entity statements. Each of the lists terminating in a self-signed
entity statement issued by a trust anchor.
If there is no path from the remote peer to at least one of the
trusted trust anchors, then the list will be empty and there is no
way of establishing trust in the remote peer's information. How the
Consumer deals with this is out of scope for this specification.
As described in ,
a trust chain consists of an ordered list of entity
statements. So whichever way the Consumer has acquired the set of
entity statements, it must now verify that it is a proper trust chain
using the rules laid out in that section.
To validate the chain, the following must be done:
For each entity statement ES[j] j=i,..,0:
Verify that the statement contains all the required claims.
Verify that iat has a value in the
past
Verify that exp has a value that
is in the future.
For j=0 verify that iss ==
sub.
For j=0,...,i-1: Verify that ES[j]['iss'] == ES[j+1]['sub']
For j=0,...,i-1: Verify the signature of ES[j] using the public
key carried in ES[j+1]['jwks'].
For j == 0 verify the signature of ES[0] using the public
key carried in ES[0]['jwks'].
For j == i: verify that a) the issuer matches the configured
identifier of a trust anchor and b) its signature is valid with
the likewise configured public key of said trust anchor.
Verifying the signature is a much more expensive
operation then verifying the correctness of the statement and the
timestamps. An implementer MAY therefor chose to not verify the
signature until all the other checks have been done.
Consumers MAY cache Entity Statements or signature verification
results for a given time until they expire
.
A constraint specification can contain the following claims:
OPTIONAL. Integer. The maximum number of entities statements
between this entity statement and the last entity statement in
the trust chain.
OPTIONAL. JSON object. Restriction on the entity identifiers of the
entities below this entity. The behavior of this claim mimics
what is defined in Section 4.2.1.10 in .
Restrictions are defined in terms of permitted or excluded name
subtrees.
The following is a non-normative example of such a specification:
If a subordinate entity statement contains a constraint specification
that is more restrictive then the one in effect, then the more
restrictive constraint is in effect from here on.
If a subordinate entity statement contains a constraint specification
that is less restrictive then the one in effect, then it MUST be
ignored.
The max_path_length constraint specifies the maximum number of
entity statement a trust chain can have between the entity statement
that contains the constraint specification and the leaf's entity
statement.
A max_path_length constraint of zero indicates that no
entity statement may appear between this entity statement and the
leaf entity statement. Where it appears, the max_path_length constraint
MUST have a value that is greater than or equal to zero.
Where max_path_length does not appear, no limit is imposed.
Assuming that we have a trust chain with four entity statements:
Leaf entity (LE)Intermediate 1 (I1)Intermediate 2 (I2)Trust Anchor (TA)
Then the trust chain fulfills the constraints if:
The TA specifies a max_path_length that is equal to or bigger
then 2.
TA specifies max_path_length of 2, I2 specifies max_path_length of 1,
and I1 specifies no max_path_length constraint.
Neither TA nor I2 specifies any max_path_length constraint
while I1 specifies max_path_length of 0.
The trust chain does not fulfill the constraints if:
TA has specified max_path_length of 1.
The name constraints indicates a name space within which all subject
entity identifiers in subordinate entity statements in a trust chain
MUST be located.
Restrictions are defined in terms of permitted or excluded name
subtrees. Any name matching a restriction in the excluded
claim is invalid regardless of information appearing in the
permitted claim.
The constraint MUST be specified as a fully qualified domain name
and MAY specify a host or a domain. Examples would be
"host.example.com" and ".example.com". When the constraint begins
with a period, it MAY be expanded with one or more labels.
That is, the constraint ".example.com" is satisfied by both
host.example.com and my.host.example.com. However, the constraint
".example.com" is not satisfied by "example.com". When the
constraint does not begin with a period, it specifies a host.
If multiple valid trust chains are found, the Consumer will
need to decide on which one to use.
One simple rule would be to prefer a shorter chain over a longer one.
Consumers MAY follow other rules according to local policy.
Each entity statement in a trust chain is signed and MUST have an
expiration time (exp) set. The expiration time of the whole trust
chain is set to the minimum value of exp within the chain.
This specification allows for a smooth process of updating metadata
and public keys.
As described above in ,
each trust chain has an expiration time.
A consumer of metadata using this specification MUST support
refreshing a trust chain when it expires.
How often a consumer should re-evaluate the trust chain depends on
how quickly the consumer wants to find out that something has changed
in the trust chain.
If a leaf entity publishes its public keys in the metadata part
using jwks, setting an expiration time on
the self-signed entity
statement can be used to control how often the receiving entity is
fetching an updated version of the public key.
A trust anchor must publish a self-signed entity statement about
itself. The trust anchor SHOULD set a reasonable expiration
time on that statement, such that the consumers will re-fetch the
entity statement at reasonable intervals. If the trust anchor wants to
roll over its signing keys it would have to:
Add the new keys to the jwks representing
the trust
anchors signing keys.
Keep signing the entity statement using
the old keys for a long enough time period to allow all
subordinates to have gotten access to the new keys.
Switch to signing with the new keys.
After a reasonable time period remove the old keys. What is
regarded as a reasonable time is dependent on the security profile
and risk assessment of the trust anchor.
It must be taken into consideration that clients may have
manually configured pubic keys as part of their configuration.
Since the consumers are expected to check the trust chain at regular,
reasonably frequent times, this specification does not specify a
standard revocation process. Specific federations may make a
different choice and will then have to add such a process.
This section describes how the trust framework in this specification
is used to establish trust between an RP and an OP
that have no explicit configuration or registration in advance.
There are two alternative approaches to establish trust between an
RP and an OP, which we call automatic and explicit
registration. Members of a federation or a community
should agree upon which one to use. While implementations should
support both methods, deployments may choose to disable the use of one
of them.
Independent of whether the RP uses automatic or explicit registration,
the way that the RP learns about the OP is the same.
It will use the procedure that is
described in .
The client_id of the RP
MUST be set identically to the RP entity identifier.
Without a registration process, the RP does not have a
client_secret. Instead the automatic registration model requires the
RP
to make use of asymmetric cryptography.
The RP MUST host a Federation API that allows the OP to fetch the
entity statements.
The authentication request is as specified in OpenID Connect
Core.
The RP MUST authenticate at the authentication endpoint
using the private_key_jwt method described in the client
authentication section of
OpenID Connect Core 1.0.
An authentication request example:
When the OP receives an incoming authentication request,
the OP supports OpenID Connect Federation, the incoming client_id
is a valid URL and the OP does not have the client_id
registered as a known
client then the OP should try to resolve and fetch trust
chains starting with the RP's entity
statement as described in .
The OP should validate the possible trust chains, as described in
,
and resolve the RP metadata with type
openid_relying_party.
The OP should consider the resolved metadata of the RP, and
verify that it complies with the client metadata specification in
OpenID Connect Dynamic Client
Registration 1.0.
Once the OP has the RP's metadata, it can verify the client
authentication.
If the OP fails to establish trust with the RP, it should use an
appropriate error code, and an
error_description
that aids the RP to understand what is wrong.
In addition to the error codes defined in Section 3.1.2.6 of OpenID
Connect
core, this specification also defines the following error codes:
No trusted trust anchor could be found.
Trust chain validation failed.
The following is a non-normative example error response:
This method involves performing an explicit registration of a new
client the first time an RP interacts with an OP
using something that basically follows the steps in
OpenID Connect Dynamic Client Registration 1.0
but where the client registration request
is a signed entity statement.
The RP will start by gathering the OP's metadata using the
process specified in
above.
The OP MUST support OpenID Dynamic Client Registration as extended
by this specification.
This is signaled by having the claim
federation_registration_endpoint
in the OP's metadata.
Given that the OP supports explicit registration, the RP
progresses as follows:
Once it has the list of acceptable trust chains for the OP
it MUST choose the subset it wants to progress with. The
subset can be as small as one trust chain, but it can also
contain more than one.
Based on the trust anchors referenced in the subset of
trust chains, the RP will choose a set of
authority_hints
from
its own set that terminates in those trust anchors.
The RP will now construct a self-signed entity statement
where the metadata statement chosen is influenced by the OPs
metadata and the authority_hints included
are picked by the
process described above.
The entity statement is sent, using POST, to the
federation_registration_endpoint
defined in this document. The content type MUST be set to
application/jose.
After the OP receives the request, it collects and
evaluates the trust chains starting with the
authority_hints
in the registration request.
After it has verified at least one trust chain it
MUST verify that the signature on the received registration
request is correct.
If it finds more than one acceptable trust chain, it MUST
choose one trust anchor from those chains as the one it will
proceed with.
At this point, if there already exists a client
registration under the same entity identifier then that registration
MUST be regarded as invalid.
Note
that key material from
the
previous registration MUST be kept to make key rollover
possible.
The OP will now construct a metadata policy that, if
applied to the RP's metadata statement, will result in
metadata that the OP finds acceptable.
Note
that the client_id the OP chooses does not have to be
the same as the entity identifier of the RP.
To the entity statement it will add one or more
authority_hints, from its
collection, that terminate in the
trust anchor chosen above.
It will sign and return the registration response (a signed
entity statement) to the RP.
The RP verifies the correctness of the received entity
statement, making sure that the trust chains starting at the
authority_hints
terminates in trust anchors that were
referenced in the entity statement it sent to the OP.
The RP MUST NOT apply metadata policies from the trust
chains that the OP provides because those are not valid for
the RP's metadata.
The RP MUST apply policies to the metadata using one of its
own trust chains that ends in the trust anchor that the OP
chose.
Once it has applied those policies it can the apply
the policy returned from the OP.
When it has applied all the metadata policies to its
metadata statement, it then stores
the result and can continue communicating with the OP
using the agreed-upon metadata.
At this point the RP also knows which trust chain it should
use when evaluating the OP's metadata. It can therefore
apply the metadata policies on the OP's metadata using the
relevant trust chain and store the result as the OPs
metadata.
If the RP does not accept the received entity statement for some reason,
then it has the choice to restart the
registration process or to give up.
A client registration using this specification is not expected to
be valid forever. The entity statements exchanged all have
expiration times, which means that the registration will eventually
time out. An OP can also for administrative reasons decide that a
client registration is not valid anymore. An example of this could
be that the OP leaves the federation in use.
At regular intervals, the RP MUST:
Starting with the OP's entity statement, resolve and verify
the trust chains it chooses to use when constructing the
registration request. If those trust chains do not exist
anymore or do not verify, then the registration should be
regarded as invalid and a new registration process should be
started.
If the OP's entity statement was properly formed the RP must
now verify that the entity statement it received about itself
from the OP is still valid.
Again, if that is not the case the registration
should be regarded as invalid and a new registration process
should be started.
What is regarded as reasonable intervals will depend on
federation policies and risk assessment by the maintainer of
the RP.
At regular intervals, the OP MUST:
If the signature on the registration request has expired it
MUST mark the registration as invalid and demand that the
RP MUST re-register. Else
starting with the RP's client registration request, the OP
MUST
verify that there still is a valid trust chain terminating in
the trust anchor the OP chose during the registration process.
An OP MUST NOT assign an expiration time
to an RP's registration that is later than the trust
chain's expiration time.
TBD Register federation_types_supported for OP metadata with initial
values automatic, explicit.
TBD Register federation_type for RP registration metadata.
TBD Register federation_registration_endpoint for the OP metadata.
TBD
OpenID Connect Discovery 1.0Nomura Research Institute,
Ltd.
Ping IdentityMicrosoftGoogleSalesforceOpenID Connect Discovery 1.0Nomura Research Institute,
Ltd.
Ping IdentityMicrosoftIllumilaOpenID Connect Dynamic Client Registration 1.0Nomura Research Institute,
Ltd.
Ping IdentityMicrosoft
Let us assume the following: The project LIGO would like to offer access
to its wiki to all OPs in EduGAIN. LIGO is registered to the InCommon
federation.
The players
Both SWAMID and InCommon are identity federation in their own right.
They also have that in common that they both are members of
the EduGAIN federation.
SWAMID and InCommon are different in how they register entities.
SWAMID registers organizations and lets the organizations register
entities that belong to the organization, while InCommon registers all
entities directly and not beneath any organization entity.
Hence the differences in depth in the federations.
Let us assume a researcher from Umeå University would like to
login at
the LIGO Wiki. At the Wiki, the researcher will use some kind of
discovery service to find the home identity provider (op.umu.se)
Once the RP-part of the Wiki knows which OP it should talk to it has
to find out a couple of things about the OP. All if those things
can be found in the metadata. But finding the metadata is not enough;
the RP also has to trust the metadata.
Let us start with discovering Provider information.
Metadata discovery is a sequence of steps that starts with the RP
fetching the self-signed entity statement of the leaf (in this case
https://op.umu.se) using the process defined in
.
What follows thereafter is this sequence of steps:
Pick out the immediate superior entities using the authority
hints
Fetch the configuration for each such entity. This uses the
process defined in
Using the federation API endpoint of the superiors do
a fetch request
on the endpoint asking for information about the subordinate
entity.
How many times this has to be repeated depends on the depth of the
federation. What follows below is the result of each step the RP
has to do to find the OP's metadata using the federation set up
described above.
When building the trust chain, the entity statements issued
by a superior about its subordinate is used together with the
self-signed entity statement issued by the leaf.
The self-signed entity statement concerning intermediates are not
part of the trust chain.
The LIGO WIKI RP fetches the self-signed entity statement from the
OP (op.umu.se)
using the process defined in .
The result is this entity statement.
The authority_hints points to the
intermediate https://umu.se. So that is the next step.
This entity statement is the first link in the trust chain.
The LIGO RP fetches the self-signed entity statement from
"https://umu.se"
using the process defined in .
The only piece of information that is used from this entity
statement is
the federation_api_endpoint,
which is used in the next step.
The RP uses the federation API and the "fetch" command as defined in
to fetch information about
"https://op.umu.se" from the API endpoint published in
https://umu.se's configuration.
This is the second link in the trust chain.
Notable here is that this path leads to two trust anchors using the
same
next step ("https://swamid.se").
The LIGO Wiki RP fetches the self-signed entity statement from
"https://swamid.se"
using the process defined in .
The only piece of information that is used from this entity
statement is
the federation_api_endpoint,
which is used in the next step.
The LIGO Wiki RP uses the federation API and the "fetch" command as
defined in
to fetch information about
"https://umu.se" from the API endpoint published in
https://swamid.se's configuration.
This is the third link in the trust chain.
If we assume that the issuer of this entity statement is not in the
list of trust anchors the LIGO Wiki RP has access to we have to go
one step further.
RP fetches the self-signed entity statement from
"https://edugain.geant.org"
using the process defined in .
Again, the only thing we need is the
federation_api_endpoint.
As described in
,
note should also be
taken to jwks as the trust anchor may be
performing a key rollover.
The LIGO Wiki RP uses the federation API and the "fetch" command as
defined in
to fetch information about
"https://swamid.se" from the API endpoint published in
https://edugain.geant.org's configuration.
If we assume that the issuer of this statement appears in the list
of trust anchors the LIGO Wiki RP has access to this would be
the fourth and final entity statement in the trust chain.
We now have the whole chain from the self-signed entity statement of
the
leaf up until the last one which is issued by a trust anchor. All in
all,
we have:
Self-signed entity statement by the leaf (https://op.umu.se)
Statement issued by https://umu.se about https://op.umu.seStatement issued by https://swamid.se about https://umu.seStatement issued by https://edugain.geant.org about
https://swamid.se
Using the public keys of the trust anchor that the LIGO Wiki RP has
been
provided with in some secure out-of-band way, it can now verify the
trust chain as described in
.
Having verified the chain, the LIGO Wiki RP can proceed with the
next step.
Merging the metadata policies from the tree entity statements we
have, by
a superior about its subordinate, and applying the combined policy
to the
metadata statement that the leaf entity presented, we get:
We have now reached the end of the Provider Discovery process.
As described in
,
there are two
ways which can be used to do client registration:
No negotiation between the RP and the OP is made regarding
what features the client should use in future communication are
done. The RP's published metadata filtered by the chosen trust
chain's
metadata policies defines the metadata that is to be used.
The RP will access the
federation_registration_endpoint,
which provides the metadata for the RP to use. The OP MAY return a
metadata policy that adds restrictions over and above what the
trust chain already has defined.
The LIGO Wiki RP does not do any registration but goes directly to
sending an authentication request.
Here is an example of an authentication request:
The OP receiving this authentication request will, unless the
RP is cached or statically configured, start to dynamically fetch
and
establish trust with the RP.
The OP needs to establish a trust chain for the RP (wiki.ligo.org).
The OP in this example are configured with public key of 2
federations:
https://edugain.geant.orghttps://swamid.se
The OP starts to resolve metadata for the client identifier
https://wiki.ligo.org by fetching the self-issued entity statement
using
the process described in .
The process is the same as described in
and will result in a trust chain with the following entity
statements:
Self-signed entity statement by the leaf
https://wiki.ligo.org
Statement issued by https://incommon.org about
https://wiki.ligo.org
Statement issued by https://edugain.geant.org about
https://incommon.org
Using the public keys of the trust anchor that the LIGO Wiki RP has
been
provided with in some secure out-of-band way, it can now verify the
trust chain as described in
.
We will not list the complete entity statements but only the
metadata
and metadata_policy parts.
There are two metadata policies:
If you combine these and apply them to the metadata for
wiki.ligo.org :
You will get
Having that, the "registration" is done, and the OP must now use
the keys found at the URL specified in
jwks_uri
to verify the client
assertion in the authentication request.
Here the LIGO Wiki RP sends a client registration request to the
federation_registration_endpoint of the OP (op.umu.se).
What it sends is a self-signed entity statement.
Once the OP has the entity statement, it proceeds with the same
sequence of steps as laid out in .
The OP will end up with the same RP metadata as was described in
, but what it now can do is
return a metadata policy that it wants to be applied to the RP's
metadata. This metadata policy will be combined with the
trust chain's combined metadata policy before being applied to the
RP's metadata.
If we assume that the OP has a bit more strict view on which type
of crypto keys to use, it may want to add a metadata policy that says:
In which case the metadata used by the RP should be described like
this:
Copyright (c) 2019 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer,
implementer, or other interested party a non-exclusive, royalty free,
worldwide copyright license to reproduce, prepare derivative works from,
distribute, perform and display, this Implementers Draft or Final
Specification solely for the purposes of (i) developing specifications,
and (ii) implementing Implementers Drafts and Final Specifications based
on such documents, provided that attribution be made to the OIDF as the
source of the material, but that such attribution does not indicate an
endorsement by the OIDF.
The technology described in this specification was made available
from contributions from various sources, including members of the OpenID
Foundation and others. Although the OpenID Foundation has taken steps to
help ensure that the technology is available for distribution, it takes
no position regarding the validity or scope of any intellectual property
or other rights that might be claimed to pertain to the implementation
or use of the technology described in this specification or the extent
to which any license under such rights might or might not be available;
neither does it represent that it has made any independent effort to
identify any such rights. The OpenID Foundation and the contributors to
this specification make no (and hereby expressly disclaim any)
warranties (express, implied, or otherwise), including implied
warranties of merchantability, non-infringement, fitness for a
particular purpose, or title, related to this specification, and the
entire risk as to implementing this specification is assumed by the
implementer. The OpenID Intellectual Property Rights policy requires
contributors to offer a patent promise not to assert certain patent
claims against other contributors and against implementers. The OpenID
Foundation invites any interested party to bring to its attention any
copyrights, patents, patent applications, or other proprietary rights
that may cover technology that may be required to practice this
specification.
The authors wish to acknowledge the contributions of the following
individuals and organizations to this specification:
Heather Flanagan,
Misha Salle,
Peter Schober,
Michael Schwartz,
and
the JRA3T3 task force of GEANT4-2.
The following open issues remain to be addressed in this specification.
The representation for RPs that are native applications needs to be
defined.
How are federation operator keys retrieved?
A mechanism is needed for key rotation of federation operator keys
for long-term security and maintainability of federations.
A mechanism may be needed for bounding key lifetimes.
Discuss that key IDs may be chosen as the JWK Thumbprint [RFC 7638]
of the key.
Discuss localization of human-readable strings.
SAML2 as used in Research and Education federations uses
post-/prefix
matching on metadata in some cases. We might need something
similar or just use regular expressions.
Define the relationship between trust anchors and Federation
Operators,
as people will expect to find the Federation Operator term in the
specification.
Add a diagram showing the relationships between FOs, orgs, sub-orgs,
and leaf entities.
[[ To be removed from the final specification ]]
-10
Incorporated additional review feedback from Marcos Sanz.
The primary change was moving constraints to their own section of the entity statement.
-09
Incorporated review feedback from Marcos Sanz.
Major changes were as follows.
Separated entity configuration discovery from operations provided
by the federation API.
Defined new authentication error codes.
Also incorporated review feedback from Michael B. Jones.
-08
Incorporated review feedback from Michael B. Jones.
Major changes were as follows.
Deleted sub_is_leaf entity statement
since it was redundant.
Added federation_type RP registration
metadata value
and federation_types_supported OP
metadata value.
Deleted openid_discovery metadata type
identifier
since its purpose is already served by
openid_provider.
Entity identifier paths are now included when using the Federation
API,
enabling use in multi-tenant deployments sharing a common domain
name.
Renamed sub_is_leaf to
is_leaf
in the Entity Listings Request operation parameters.
Added crit and
policy_language_crit,
enabling control over which entity statement and policy language
extensions
MUST be understood and processed.
Renamed openid_client to
openid_relying_party.
Renamed oauth_service to
oauth_authorization_server.
Renamed implicit registration to
automatic
registration
to avoid naming confusion with the implicit grant type.
Renamed op to
operation
to avoid naming confusion with the use of "OP" as an acronym for
"OpenID Provider".
Renamed url to
uri
in several identifiers.
Restored Open Issues appendix.
Corrected document formatting issues.
-07
Split metadata into metadata and metadata_policy
Updated example
-06
Some rewrites
Added example of explicit client registration
-05
A major rewrite.
-04
Changed client metadata names
scopes
to rp_scopes and
claims
to rp_claims.
Added Open Issues appendix.
Added additional references.
Editorial improvements.
Added standard Notices section, which is present in all OpenID
specifications.