...
- Define the Endpoint: The endpoint is defined under the following path: /.well-known/openid-federation
- Implementation: Ensure this endpoint serves the entity’s Entity Configuration: a self-signed Entity Statement JWT (content type application/entity-statement+jwt) whose iss and sub are both the entity identifier and whose jwks contains the public key that signed it.
Shortened example of an Entity Configuration:
...
- Add to Configuration: Add authority_hints as a top-level claim of your Entity Configuration (not inside metadata), listing the entity identifier(s) of the Superior (Intermediate or Trust Anchor) that issues Subordinate Statements about your entity. Without it, trust chain resolution cannot find a path to the Trust Anchor.
Registering the Entity as a Subordinate Entity
...
```json
{
  "<entity-identifier>": {
    "entity_types": [
      "federation_entity",
      "<additional-entity-types>"
    ],
    "jwks": {
      "keys": [
        {
          "kty": "RSA",
          "use": "sig",
          "kid": "example-kid",
          "n": "example-n-value",
          "e": "AQAB"
        }
      ]
    }
  }
}
```
Instructions:
- Replace <entity-identifier> with the entity_id of your entity (typically its HTTPS URL).
- Every entity must include federation_entity as one of its types. Add the entity types that apply to your role in the Sandbox:
  - openid_relying_party for RPs.
  - openid_provider for OPs.
  - oauth_authorization_server for entities acting as an OAuth 2.0 AS.
- Place your public keys in the "jwks" section. Only public key parameters (kty, use, kid, n, e) are included. Private key material (the RSA members d, p, q, dp, dq, qi) must never be published; export the JWK from the public key, not from the private one, so it cannot leak by mistake.
...
This registration document is then submitted to the Sandbox operator to complete onboarding of the entity.
...
Testing the Trust Relationships
- Validate trust marks: Use tools like jwt.io to decode and verify trust marks using the Trust Anchor's public keys. Decoding alone only shows the claims; the check is that the signature verifies under the issuer's published key and that exp, when present, has not passed.
- Retrieve metadata: Ensure the .well-known/openid-federation endpoint correctly serves the entity’s Entity Configuration:
```bash
curl -X GET https://your-entity.example.com/.well-known/openid-federation
```
  The response is a compact JWS, not plain JSON: decode its payload and confirm that iss and sub both equal your entity identifier and that the kid in the JWS header appears in the embedded jwks.
- Check authority hints: Verify that authority_hints points to the correct Superior.
- Validate public keys: Confirm that the Trust Anchor’s public keys match those provided in your local configuration (compare kid, n and e, not just kid). The Trust Anchor's keys are your trust root, so obtain them out of band from the Sandbox operator rather than only from the statements you are validating.
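The endpoint, registration-document and testing steps above, as one added worked example in Go (this is not code from this page or from the Sandbox): it exports the public-only JWK that goes under "jwks".keys in the registration document, signs a self-signed Entity Configuration carrying authority_hints, and then performs the checks a consumer of the curl output should make (RS256 only, iss == sub == the fetched identifier, exp not passed, signature valid under the kid-selected key in the statement's own jwks, Superior present in authority_hints). Assumptions not in the page: the identifiers https://your-entity.example.com and https://superior.example.org, a kid derived as the RFC 7638 thumbprint instead of "example-kid", a 24-hour exp, a single RSA signing key, and a placeholder organization_name in metadata. Only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // unpadded base64url, used for every JOSE segment

// PublicJWK exports only the public RSA members, so no "d", "p" or "q" can leak into the
// registration document or the Entity Configuration. The kid is the RFC 7638 thumbprint
// (an assumption made here; the page shows "example-kid").
func PublicJWK(pub *rsa.PublicKey) map[string]string {
	n := b64.EncodeToString(pub.N.Bytes())
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	tp := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, e, n)))
	return map[string]string{"kty": "RSA", "use": "sig", "kid": b64.EncodeToString(tp[:]), "n": n, "e": e}
}

// SignEntityConfiguration builds the self-signed Entity Configuration served at
// /.well-known/openid-federation: iss == sub == entity id, the signing key in its own
// jwks, authority_hints naming the Superior(s), and a bounded lifetime (assumed 24 h).
func SignEntityConfiguration(key *rsa.PrivateKey, entityID string, hints []string, now time.Time) (string, error) {
	jwk := PublicJWK(&key.PublicKey)
	body, err := json.Marshal(map[string]any{
		"iss": entityID, "sub": entityID, "iat": now.Unix(), "exp": now.Add(24 * time.Hour).Unix(),
		"jwks": map[string]any{"keys": []any{jwk}}, "authority_hints": hints,
		"metadata": map[string]any{"federation_entity": map[string]any{"organization_name": "Example entity"}},
	})
	if err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "entity-statement+jwt", "kid": jwk["kid"]})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Claims are the Entity Configuration fields the checks below rely on.
type Claims struct {
	Iss, Sub       string
	Exp            int64
	AuthorityHints []string                            `json:"authority_hints"`
	JWKS           struct{ Keys []map[string]string } `json:"jwks"`
}

// VerifyEntityConfiguration is what a consumer does with the JWS the curl check returns:
// require RS256, iss == sub == the identifier it was fetched from, an unexpired exp, and a
// signature that verifies under the kid-selected key carried in the statement's own jwks.
func VerifyEntityConfiguration(token, entityID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	var c Claims
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &c) != nil {
		return nil, fmt.Errorf("malformed JWS")
	}
	if c.Iss != entityID || c.Sub != entityID || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("iss=%q sub=%q exp=%d rejected for %q", c.Iss, c.Sub, c.Exp, entityID)
	}
	var pub *rsa.PublicKey
	for _, k := range c.JWKS.Keys { // self-signed: the verification key is in the statement's own jwks
		if n, errN := b64.DecodeString(k["n"]); k["kid"] == hdr.Kid && k["kty"] == "RSA" && errN == nil {
			e, _ := b64.DecodeString(k["e"])
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || hdr.Alg != "RS256" || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("no RSA key with kid %q, alg not RS256, or signature invalid", hdr.Kid)
	}
	return &c, nil
}

// HasAuthorityHint is the authority_hints check: the assigned Superior must be listed,
// or trust chain resolution never reaches the Trust Anchor.
func HasAuthorityHint(c *Claims, superior string) bool {
	for _, h := range c.AuthorityHints {
		if h == superior {
			return true
		}
	}
	return false
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // the entity's signing key; never publish it
	entityID, superior := "https://your-entity.example.com", "https://superior.example.org" // assumed identifiers
	tok, _ := SignEntityConfiguration(key, entityID, []string{superior}, time.Now())
	c, err := VerifyEntityConfiguration(tok, entityID, time.Now())
	fmt.Println(err, c != nil && HasAuthorityHint(c, superior))
}
```

The verifier deliberately refuses anything but RS256 and looks the key up by kid inside the statement's own jwks: an Entity Configuration is self-signed by design, so the point of the check is that the key in the payload and the signature agree, and that the statement was fetched from the identifier it claims. The same map that PublicJWK returns is what goes into the registration document's "jwks" section; because it is built from the public key only, it cannot contain private members.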
...