
Disclaimer:
This document is a work in progress and subject to further refinements and updates. Please note that some details may change as new requirements emerge or as part of ongoing development. Feedback and suggestions for improvement are welcome.

...

This guide explains how to connect your Issuer to the Trust Infrastructure, including detailed instructions on configuring the setup with specific values provided for the interoperability lab.

...

  1. Trust Anchor URL:

  2. Trust Anchor Keys: Add the Trust Anchor's public keys to your configuration, keyed by the Trust Anchor URL:

    trust_anchors:
      https://openidfed-test-1.sunet.se:7001:
        keys:
          - kty: RSA
            use: sig
            kid: UFpoajluZU42dTNUUXo5RnhBVEJnRk9JY2NtU1JKdlVYUk1RUFRyVkFFRQ
            n: p9S2whcSjmBdxerp80tIJreUUmZiGNGXIocJlNjx9pgD5_WD2l6mBNuEZMpP-QUB_TSV3VesNiqmOdydGp1wkfQ-NmVdoso29FjEdgrckLIwirAVmVQ6bGQQnXJrR56mRz0QqENi11vVpbDj6hsprxK1EZBQL-sQ2kem289B_BCNT-NvwVHrYJlaQA32z7cs1a7W8wt9eLxA10PeiYMgDVU_69wKBw4YrjjozOHKMRGchUQEjQhfSZfk49bip_5TNz4dmBmSCIbdE2yilFrfRSNrh7q2myuyDE3k2QZbSOXXGGT1LtHO74WIY58v-M3A7_zxp0f2Eo9ZD3N4h-InIw
            e: AQAB
          - kty: EC
            use: sig
            kid: Nm82cTJKMDkydXhxOUMtTm0teFpMWlZiR0ZVa2U3YVVtbkJTV3hBd3FqOA
            crv: P-256
            x: 69XlQkKYfWJDXAv_Vbrqyfz9gfAhu1qQ4mtLde18-Cg
            y: ntBwdhy4_cS2PRBS-xdKkNwcO1yQP8TdoOHbHN9Yjv8


  3. Purpose: Trust Anchors validate Trust Marks’ signatures and establish trust within the Trust Infrastructure.

Registering the Issuer as a Subordinate Entity

In the Trust Infrastructure, the Issuer must be registered as a Subordinate Entity under a Superior Entity (e.g., a Trust Anchor or an Intermediate Entity). This ensures the Issuer's formal inclusion in the trust hierarchy.

Key Steps for the Issuer Operator

Publish Metadata

Make the Issuer's metadata available at the following URL:
https://<issuer-entity-id>/.well-known/openid-federation


...

Authority Hints

The authority_hints parameter specifies the URL of the Intermediate Entities or Trust Anchors that are Immediate Superiors of the Entity. This helps other Trust Infrastructure participants understand upstream trust relationships.

  1. Add to Configuration: Add authority_hints in your issuer's metadata configuration:

    authority_hints:
      - "https://openidfed-test-1.sunet.se:7001"

  2. Purpose: This parameter establishes hierarchical trust relationships from your issuer to the Trust Anchor.

...

Generating the Issuer Registration Document

To register the Issuer with the Trust Infrastructure, you need to create a JSON document containing the Issuer's public keys. You can do this manually or by using a one-liner command to automate the process. Choose the method that best suits your setup.

...

For users who prefer a quick and automated approach, use this single command to generate the JSON document:

Replace "https://issuer.example.com" with the actual Issuer Entity URI.

issuer_entity_uri="https://issuer.example.com" && jq --arg uri "$issuer_entity_uri" '{($uri): {"entity_types": ["federation_entity", "openid_credential_issuer", "oauth_authorization_server"], "jwks": .}}' satosa/public/pid_fed_keys.json > issuer_registration.json
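
The same registration document built in Python, as an added example that is not part of this page or of the SATOSA project. It adds the check a practitioner wants before e-mailing the file: that the JWKS read from disk contains no private JWK members (the result of pointing the command at the wrong key file). The entity URI, the file path and the sample JWKS are placeholders; the EC coordinates are the public example values from RFC 7517.

```python
import json
import sys

# Entity types the jq one-liner above puts into the registration document.
ENTITY_TYPES = ["federation_entity", "openid_credential_issuer", "oauth_authorization_server"]

# JWK members that only occur in private (RSA/EC) or symmetric keys, RFC 7518 section 6.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed sample JWKS standing in for satosa/public/pid_fed_keys.json; the
# P-256 point is the public example key from RFC 7517 Appendix A.1, not a lab key.
SAMPLE_JWKS = {"keys": [{
    "kty": "EC", "use": "sig", "kid": "pid-fed-key-1", "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}]}


def build_registration(entity_uri: str, jwks: dict) -> dict:
    """Return the structure the jq one-liner produces, after sanity checks."""
    # Federation Entity Identifiers are https URLs without query or fragment.
    if not entity_uri.startswith("https://") or "?" in entity_uri or "#" in entity_uri:
        raise ValueError(f"not a valid Entity Identifier: {entity_uri!r}")
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS must contain a non-empty 'keys' array")
    for key in keys:
        # The document is e-mailed and then published by the superior entity, so
        # refuse to continue if private material slipped in from the wrong file.
        leaked = PRIVATE_MEMBERS.intersection(key)
        if leaked:
            raise ValueError(f"key {key.get('kid')!r} contains private members {sorted(leaked)}")
        if key.get("kty") not in ("RSA", "EC", "OKP"):
            raise ValueError(f"key {key.get('kid')!r}: unsupported kty {key.get('kty')!r}")
    return {entity_uri: {"entity_types": list(ENTITY_TYPES), "jwks": jwks}}


def main(argv):
    # Usage: make_registration.py https://issuer.example.com satosa/public/pid_fed_keys.json > issuer_registration.json
    entity_uri, jwks_path = argv[1], argv[2]
    with open(jwks_path) as f:
        jwks = json.load(f)
    json.dump(build_registration(entity_uri, jwks), sys.stdout, indent=2)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main(sys.argv)
```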

Final Step: Send the Document

Once the file issuer_registration.json is created using either method, send it to:
support@dc4eu.eu


...

Trust Marks

Trust Marks are JWTs issued by a Trust Mark Issuer to validate compliance with Trust Infrastructure policies.

...

  • EHIC Credential:

    • ID: http://dc4eu.example.com/EHICCredential/se

  • PDA1 Credential:

    • ID: http://dc4eu.example.com/PDA1Credential/se

Retrieving Trust Marks

For now, Trust Marks will be supplied when the entity is added to the Trust Infrastructure.
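
Verification of a received Trust Mark against the trust_anchors block above, as an added example written here and not taken from this page or from SATOSA; it covers both the "Purpose" note on Trust Anchor keys and the Trust Marks section. It assumes the mark is an RS256 JWS with typ trust-mark+jwt whose kid names one of the Trust Anchor's RSA signing keys, and it does the RSA arithmetic with the standard library only so it runs without a JOSE library (an issuer would normally hand the signature step to its JOSE library).

```python
import base64, hashlib, json, time

# Trust Anchor Entity Identifier and Trust Mark identifiers as given on this page.
TRUST_ANCHOR = "https://openidfed-test-1.sunet.se:7001"
TRUST_MARK_IDS = {"http://dc4eu.example.com/EHICCredential/se",
                  "http://dc4eu.example.com/PDA1Credential/se"}
# DigestInfo prefix for SHA-256, RFC 8017 section 9.2 note 1.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    # RSASSA-PKCS1-v1_5 with SHA-256 (JWS alg RS256) over an RSA JWK, RFC 8017 8.2.2.
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_trust_mark(token: str, trust_anchors: dict, issuer_entity_id: str, now=None) -> dict:
    # Validate a Trust Mark JWT with the configured Trust Anchor keys; return its
    # claims, or raise ValueError on the first failed check.
    now = time.time() if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    # Pin token type and algorithm before any key material is touched.
    if header.get("typ") != "trust-mark+jwt" or header.get("alg") != "RS256":
        raise ValueError("unexpected typ or alg")
    # Only signing keys listed under the configured Trust Anchor are acceptable.
    keys = trust_anchors[TRUST_ANCHOR]["keys"]
    jwk = next((k for k in keys if k.get("kid") == header.get("kid")
                and k.get("kty") == "RSA" and k.get("use") == "sig"), None)
    if jwk is None:
        raise ValueError("kid not among the Trust Anchor's RSA signing keys")
    if not rs256_verify(jwk, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("sub") != issuer_entity_id:
        raise ValueError("Trust Mark subject is not this Issuer")
    if claims.get("id") not in TRUST_MARK_IDS:
        raise ValueError("unknown Trust Mark id")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("Trust Mark expired")
    return claims
```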

...

  1. Configure the Issuer:

    • Update the Issuer's configuration to include authority_hints, trust_marks, trust_anchors, and the /.well-known/openid-federation endpoint.
  2. Register with the Trust Infrastructure:

    • Share your issuer_registration.json and your .well-known/openid-federation endpoint with the Trust Anchor or superior entity for registration.
  3. Validate Configuration:

    • Test the issuer using testing tools or with a sandbox environment.
  4. Monitor the Connection:

    • Regularly verify the status and ensure Trust Marks are up-to-date.

...