...

The federation has a hierarchical structure with the Trust Anchor (TA) as the root of trust. Subordinate entities include Resolvers, Intermediates, Trust Mark Issuers, OpenID Providers (OPs), and Relying Parties (RPs).

Entities and Their Roles

...

Resolver: Provides trust chain resolution services, enabling entities to validate metadata against the Trust Anchor.

Intermediate: Manages subordinate entities and aggregates metadata.

Trust Mark Issuer: Issues signed Trust Marks certifying compliance with federation requirements.

OpenID Provider (OP): Authenticates users and issues tokens under federation policies.

Relying Party (RP): Consumes identity information from OpenID Providers through validated trust chains.

...

An entity is validated by building a trust chain from its Entity Configuration up to the Trust Anchor. Each statement in the chain is verified, and the chain is anchored in the Trust Anchor's keys. Trust Marks add assurance of policy compliance on top of the chain.

...

A Trust Mark Issuer evaluates an entity against defined requirements. If compliant, it issues a signed JWT Trust Mark including the required claims iss (issuer), sub (subject), id (trust mark identifier), iat (issued at), and exp (expiration).

Examples of Trust Workflows

RP to OP Interaction

  1. The Relying Party fetches the OpenID Provider's Entity Configuration.
  2. The Relying Party resolves and validates the trust chain to the Trust Anchor using the Resolver.
  3. If trust is valid, the Relying Party registers with the OpenID Provider.
  4. Authentication and token flows proceed under validated trust.
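The trust chain validation described above, and step 2 of the RP-to-OP workflow, as an added example that is not part of the original page: a stdlib-only Python validator that walks a leaf-first chain from the Trust Anchor downward, checking the issuer/subject linkage between statements, each statement's validity window, and that every statement is signed with a key its superior published for that subject. HMAC keys, the key-id-only "jwks" lists, and the entity identifiers are constructed stand-ins; real Entity Statements are asymmetrically signed JWS carrying full JWK Sets.

```python
import base64, hashlib, hmac, json, time

# Constructed sample keys: HMAC stands in for asymmetric JWS keys, "jwks" is a list of key ids.
KEYS = {"ta-key": b"ta-secret", "int-key": b"int-secret", "rp-key": b"rp-secret"}

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims, kid):
    """Produce a compact header.payload.signature token signed with KEYS[kid]."""
    hdr = b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    pld = b64u(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{hdr}.{pld}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{pld}.{b64u(sig)}"

def verify(token, allowed_kids):
    """Check the signature with a key the superior published for this subject; return claims."""
    hdr, pld, sig = token.split(".")
    kid = json.loads(b64u_dec(hdr))["kid"]
    if kid not in allowed_kids:
        raise ValueError(f"signing key {kid} is not among the keys published for this entity")
    mac = hmac.new(KEYS[kid], f"{hdr}.{pld}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64u_dec(sig)):
        raise ValueError("signature verification failed")
    return json.loads(b64u_dec(pld))

def validate_chain(chain, trust_anchor, ta_kids, now=None):
    """chain is leaf-first: [leaf EC, Subordinate Statements..., TA EC]; returns the leaf claims."""
    now = int(time.time()) if now is None else now
    allowed, expected_iss = ta_kids, trust_anchor  # TA keys come from local configuration
    for pos, token in enumerate(reversed(chain)):
        claims = verify(token, allowed)
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError(f"statement about {claims['sub']} is expired or not yet valid")
        if claims["iss"] != expected_iss:
            raise ValueError(f"expected issuer {expected_iss}, got {claims['iss']}")
        self_signed = claims["iss"] == claims["sub"]
        if self_signed != (pos in (0, len(chain) - 1)):  # only both ends are Entity Configurations
            raise ValueError(f"unexpected statement type at chain position {pos}")
        allowed, expected_iss = claims["jwks"], claims["sub"]  # subject's keys sign the next one
    return claims

NOW = 1_700_000_000  # constructed clock value so the sample chain is reproducible
TA, INT, RP = "https://ta.example", "https://int.example", "https://rp.example"
def stmt(iss, sub, kid, jwks, ttl=3600):
    return sign({"iss": iss, "sub": sub, "iat": NOW, "exp": NOW + ttl, "jwks": jwks}, kid)
CHAIN = [stmt(RP, RP, "rp-key", ["rp-key"]),    # RP Entity Configuration (self-signed)
         stmt(INT, RP, "int-key", ["rp-key"]),  # Intermediate's Subordinate Statement about the RP
         stmt(TA, INT, "ta-key", ["int-key"]),  # TA's Subordinate Statement about the Intermediate
         stmt(TA, TA, "ta-key", ["ta-key"])]    # TA Entity Configuration
```

`validate_chain(CHAIN, TA, ["ta-key"], now=NOW + 10)` returns the RP's Entity Configuration claims; a chain whose intermediate lists a different key for the RP, or one evaluated after `exp`, raises `ValueError`.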