OpenID Connect Federation


OpenID Connect Federation specifies how a Relying Party (RP) can discover metadata about an OpenID Connect Provider (OP), and then register to obtain client credentials.

The discovery and registration process does not involve any mechanism for dynamically establishing trust in the exchanged information, but instead relies on out-of-band trust establishment.

In an identity federation context, this is not sufficient. The participants of the federation must be able to trust information provided about other participants in the federation. OpenID Connect Federation specifies how trust can be obtained dynamically by resolving it through a common trusted third party.

While this specification primarily targets OpenID Connect, it is designed to allow reuse by other protocols and in other use cases.

OpenID Connect Federation describes how an identity federation can be built around a trusted third party, the federation operator.

Entity Statement#

OpenID Connect Federation defines an Entity Statement, which is always a signed JWT. An entity statement is issued by the entity named in iss, and makes claims about the subject entity named in sub. To resolve trust and metadata, one needs to know the identifier of the target entity; we refer to this as the leaf entity. The leaf entity always signs a statement about itself, and in it gives hints pointing to other entities that may issue statements about it. All other entities in a trust chain we refer to as intermediate entities. The locally configured trust root we refer to as the trust anchor.
