oidc fed in pictures@iiw.xxiii
Page 1
OIDC Identity Federation in pictures, by Roland Hedberg at IIW XXIII
Page 2
According to Wikipedia
• A federation (information technology) is a group of computing or network providers agreeing upon standards of operation in a collective fashion.
• The term "identity federation" is by design a generic term, and is not bound to any one specific protocol, technology, implementation or company. One thing that is consistent, however, is the fact that "federation" describes methods of identity portability which are achieved in an open, often standards-based manner – meaning anyone adhering to the open specification or standard can achieve the full spectrum of use-cases and interoperability.
Page 3
OIDC IDENTITY FEDERATION
➤ Allow dynamic discovery and registration without losing trust.
➤ Enforcement of federation and organization policies
➤ Allow delegation of entity registration
➤ Metadata transport- and origin-independent
➤ Metadata self-contained
Page 4
CHAIN OF TRUST
➤ Trusted 3rd party
➤ Chain of verifiable claims
➤ Metadata construction
Page 5
Client - Server setup (RP and OP)
WebFinger
Discovery
Registration
Page 6
The players: the good, the bad and the ugly
System administrator, Federation Operator, IT Architect
Page 7
Organization and FO
Page 8
Organization-wide information
contacts, logo_uri, policy_uri, tos_uri
Page 9
Transfer to FO
contacts, logo_uri, policy_uri, tos_uri
Page 10
FO: verifies, modifies and signs
contacts, logo_uri, policy_uri, tos_uri
scope, claims, token_endpoint_auth_method
Page 11
Within an organization
Page 12
Entity-specific information
redirect_uris, grant_types, subject_type
Page 13
Transfer to Organization coordinator (OC)
redirect_uris, grant_types, subject_type
Page 14
OC: verifies, modifies and signs
redirect_uris, grant_types, subject_type
Page 15
Unpacking a metadata statement
redirect_uris, grant_types, subject_type
contacts, logo_uri, policy_uri, tos_uri
scope, claims, token_endpoint_auth_method
Page 16
Gathering the metadata
redirect_uris, grant_types, subject_type
contacts, logo_uri, policy_uri, tos_uri
scope, claims, token_endpoint_auth_method
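The metadata-statement flow on pages 8 to 16, built and checked end to end as an added example (this is not code from the slides or from Roland Hedberg's implementation): the FO signs the organization-wide information together with its policy claims, the OC signs the entity-specific information with the FO-signed statement nested inside, and the receiving side unpacks the chain, verifies it from the trusted FO key outward, and gathers one metadata set. Assumptions, all mine: signing is HMAC-SHA256 in compact JWS form with constructed keys, standing in for the asymmetric signing keys such a federation would use; the `metadata_statements` and `authorized_kid` claim names, the rule that a subordinate may not change a value fixed by a superior, and every value shown are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed verification keys held by the party checking a statement. Only the
# FO key is trusted a priori (the trusted 3rd party); the OC key is used only
# after an FO-signed statement names "oc" as the signer authorized below it.
KEYS = {"fo": b"constructed-fo-key", "oc": b"constructed-oc-key"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, kid: str) -> str:
    """Compact JWS; HS256 with a constructed key stands in for the real asymmetric JWS."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"


def verify(jws: str, kid: str) -> dict:
    """Return the claims if `jws` is validly signed by `kid`, else raise ValueError."""
    header, payload, sig = jws.split(".")
    if kid not in KEYS or json.loads(_unb64(header)).get("kid") != kid:
        raise ValueError("statement not signed by an authorized party")
    mac = hmac.new(KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))


def build_chain() -> str:
    """Pages 8-14: the FO signs the organization-wide info, the OC signs the entity info."""
    org_info = {"contacts": ["ops@example.org"],              # constructed values
                "logo_uri": "https://example.org/logo.png",
                "policy_uri": "https://example.org/policy",
                "tos_uri": "https://example.org/tos"}
    # The FO adds its policy claims and names the signer it authorizes for the
    # organization (authorized_kid is an assumed claim, not from the slides).
    fo_statement = sign({**org_info, "scope": "openid profile",
                         "claims": ["sub", "name"],
                         "token_endpoint_auth_method": "private_key_jwt",
                         "authorized_kid": "oc"}, "fo")
    entity_info = {"redirect_uris": ["https://rp.example.org/cb"],
                   "grant_types": ["authorization_code"],
                   "subject_type": "pairwise"}
    # The OC signs the entity info with the FO-signed statement nested inside it.
    return sign({**entity_info, "metadata_statements": [fo_statement]}, "oc")


def unpack(jws: str, trust_anchor: str = "fo") -> list:
    """Page 15: peel the layers, then verify them from the trust anchor outward."""
    layers, current = [], jws
    while current:                      # walk inward on still-unverified payloads
        layers.append(current)
        nested = json.loads(_unb64(current.split(".")[1])).get("metadata_statements")
        current = nested[0] if nested else None
    verified, signer = [], trust_anchor
    for layer in reversed(layers):      # innermost first: only the FO key is pre-trusted
        claims = verify(layer, signer)
        claims.pop("metadata_statements", None)
        signer = claims.pop("authorized_kid", None)   # who may sign the next layer out
        verified.append(claims)
    return verified                     # superior first, chain-control claims removed


def gather(layers: list) -> dict:
    """Page 16: merge the layers. A subordinate may add claims but may not change a
    value a superior fixed (assumed rule for enforcing federation policy)."""
    merged = {}
    for claims in layers:               # superior first
        for name, value in claims.items():
            if name in merged and merged[name] != value:
                raise ValueError(f"policy violation: {name} was fixed by a superior")
            merged[name] = value
    return merged


def tampered_is_rejected() -> bool:
    """Editing the entity layer after the OC signed it must fail verification."""
    header, payload, sig = build_chain().split(".")
    claims = json.loads(_unb64(payload))
    claims["redirect_uris"] = ["https://other.example/cb"]
    forged = f"{header}.{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"
    try:
        unpack(forged)
    except ValueError:
        return True
    return False


def policy_override_rejected() -> bool:
    """An OC-level value contradicting FO-level policy must not survive gathering."""
    fo = sign({"token_endpoint_auth_method": "private_key_jwt", "authorized_kid": "oc"}, "fo")
    oc = sign({"token_endpoint_auth_method": "none", "metadata_statements": [fo]}, "oc")
    try:
        gather(unpack(oc))
    except ValueError:
        return True
    return False
```

`gather(unpack(build_chain()))` returns the single merged metadata set the RP or OP registers with. The two check functions show what the receiving side gains from the chain: a statement altered after signing fails verification at the layer that was touched, and a subordinate that contradicts a value the federation operator fixed is refused when gathering rather than silently overriding policy.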
Page 17
OIDC IDENTITY FEDERATION
➤ Allow dynamic discovery and registration without losing trust.
➤ Enforcement of federation and organization policies
➤ Allow delegation of entity registration
➤ Metadata transport- and origin-independent
➤ Metadata self-contained