...
How to Add Trust Marks to the vc_up_and_running Issuer
To update the Trust Marks, modify the `trust_marks` section of the `satosa/plugins/oidc_frontend.yaml` file. Follow the steps below to replace the existing Trust Marks with the ones received from the federation operator.
Locate the Trust Marks Section
In the current configuration, the Trust Marks are defined under `trust_marks`:

```yml
trust_marks:
  - <existing-trust-mark-1>
  - <existing-trust-mark-2>
```
You need to replace these values with the new Trust Marks provided by the federation operator.
Example Update
If the federation operator provided the following new Trust Marks:
```yml
eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2NWQ2MjY3LTI5MzQtNGJhNy05YjEyLWU4ZmFkNTYwYjZjMyJ9...
eyJhbGciOiJSUzI1NiIsImtpZCI6IjkwNTFjZTgzLTY1NzEtNDliYi04ODdjLTc3OWQzMDNmOTRmYyJ9...
```
Modify the `trust_marks` section as follows:

```yml
trust_marks:
  - eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2NWQ2MjY3LTI5MzQtNGJhNy05YjEyLWU4ZmFkNTYwYjZjMyJ9...
  - eyJhbGciOiJSUzI1NiIsImtpZCI6IjkwNTFjZTgzLTY1NzEtNDliYi04ODdjLTc3OWQzMDNmOTRmYyJ9..
```
Restart the Issuer to Apply Changes
Once you've updated the configuration file, restart the Issuer container to apply the changes:
```bash
./stop.sh && \
./start.sh
```
Verify the Changes
SATOSA
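After restarting the Issuer, verify that the new Trust Marks are correctly applied:

```bash
# Fetch the Entity Configuration JWT, take its payload segment,
# convert base64url to base64, decode it and pretty-print the JSON.
# -k skips TLS certificate verification.
curl -k -s https://<issuer-host>:8000/.well-known/openid-federation | cut -d '.' -f2 | tr '_-' '/+' | base64 -d 2>/dev/null | jq .
```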
Look for the updated trust_marks in the JSON response.
Testing Trust Marks
- Decode JWT: Use tools like jwt.io to inspect the Trust Mark's claims and ensure all required fields are present.
- Verify Signature: Validate the JWT signature against the Trust Mark Issuer's public key.
- Check Expiration: Ensure the `exp` claim (if present) has not expired.
- Validate References: Follow the `ref` URL (if provided) to confirm compliance with human-readable policy documents.
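The decode, expiration and reference checks above can also be run locally on the Trust Mark string. This is an added example, not part of the original page or of SATOSA: the `REQUIRED` claim list is an assumption to adapt to your federation's profile, the sample token is constructed, and the signature is not verified here.

```python
import base64
import json
import time

# Assumption: claims your federation profile requires; adjust as needed.
REQUIRED = ("iss", "sub", "iat")

def b64url_json(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_trust_mark(jwt, now=None):
    """Decode a Trust Mark JWT and list problems. Does NOT verify the signature."""
    now = time.time() if now is None else now
    result = {"header": None, "claims": None, "ref": None, "problems": []}
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        result["problems"].append("not a compact JWS (need 3 segments)")
        return result
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError as err:  # bad base64, bad UTF-8 or bad JSON
        result["problems"].append(f"undecodable segment: {err}")
        return result
    if not isinstance(header, dict) or not isinstance(claims, dict):
        result["problems"].append("header or payload is not a JSON object")
        return result
    problems = [f"missing claim: {c}" for c in REQUIRED if c not in claims]
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("unsigned token (alg none)")
    exp = claims.get("exp")  # optional claim: only checked when present
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= now):
        problems.append("exp expired or malformed")
    result.update(header=header, claims=claims, ref=claims.get("ref"), problems=problems)
    return result

def constructed_jwt(claims):
    """Build a sample token for the demo (constructed data, placeholder signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "sample-kid"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    now = int(time.time())
    sample = constructed_jwt({"iss": "https://tm-issuer.example", "sub": "https://issuer.example",
                              "iat": now - 60, "exp": now - 1, "ref": "https://tm-issuer.example/policy"})
    print(json.dumps(inspect_trust_mark(sample), indent=2))
```

An empty `problems` list only means the token is well-formed and unexpired; the signature still has to be validated against the Trust Mark Issuer's public key.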
...