OpenID Connect Federation

OpenID Connect FederationWorkshopUNINETT 6. oktober 2017

andreas.solberg@uninett.noAndreas Åkre Solberg

SAML 2.0SP

SAML 2.0IdP

SAML 2.0MetadataAggregate

SAML 2.0SP

SAML 2.0IdP

SAML 2.0MetadataAggregate

eduGAIN

OIDCClient

OIDCProvider

Self-serviceRegistry

OIDCClient

OIDCProvider

Discovery

Registration

Authentication request

Token request

Providermetadata

client config

Metadata

Express something about:

Client (an unregistered one)

Provider

Schema similar to:

OpenID Connect Discovery Response describes a provider

OpenID Connect Dynamic Client registration request describes a client

Using JWS to sign and chain trust to a common root

Signed metadata

Rolands OpenID Connect Federations

Nested metadata

Rolands OpenID Connect Federations

OIDCClient

OIDCProvider

Discovery

Registration

Authentication request

Token request

SignedProvidermetadatasigned client

metadataclientconfig

client_secret

Less state in clients

Complex to deal with expired

Possibility to use vanilla OIDC Core clients.

Use of asymmetric crypto

Proposed changes

OpenID Client requirements

100% vanilla OpenID Connect Core Client should interop with OIDC Fed Provider.

Restrictions on what part of [Core] to use. Typically client authentication using private_key_jwt

The client may want to filter / configure which OP to trust. This can typically be added as a hook in the Discovery process.

Will need to host a well-known static document at client hostname, pointing to a registry or other that issues a signed metadata statement about the client.

OpenID Provider requirements

Single hook where to validate and discover OIDC client metadata.

Typically implement the client configuration store getClientConfig(String client_id) getClientConfig(‘https://client.example.org’)

Will need to publish a signed Metadata Statement along with Provider config at well known location.

Nested MS versus flat list of signed MS. Pros cons?

OpenID Connect Federation

Technology

Tracking changes in Hybrid Identity environments with both ... · •Like WS-Federation, SAML, OAuth2, OpenID Connect ... –Ping Federate Azure AD Connect Deprecated Microsoft Sync

OpenID Connect Summit Transfer of Information

OpenID Connect Update and Discussion

Oauth2 et OpenID Connect

Expertadvies OpenID Connect Ope… · Expertadvies OpenID Connect Forum Standaardisatie | 18 juli 2019 Pagina 7 van 21 3 Toelichting OpenID Connect OpenID Connect (OIDC) is een open

OpenID Connect Working Group and OpenID Certification€¦ · OpenID Connect Working Group and OpenID Certification May 21, 2020 Michael B. Jones Identity Standards Architect –Microsoft

[MS-OIDCE-Diff]: OpenID Connect 1.0 Protocol Extensions... · 2017-06-12 · The OpenID Connect 1.0 Protocol Extensions specify extensions to [OIDCCore] (OpenID Connect Core 1.0)

OpenID Connect - dior.ics.muni.czmakub/oidc/OpenID_Connect_Martin_Kuba.pdf · OpenID Connect a OAuth2 OpenID Connect (dále OIDC) je rozšíření autorizačního protokolu OAuth

[JDLL 2016] OpenID Connect et FranceConnect

OpenID Connect とSCIM エンタープライズ実装ガイ …...OpenID ConnectとSCIMのエンタープライズ実装ガイドライン一般社団法人 OpenIDファウンデーション・ジャパン

OpenID Connect Mobile Connect Profile Version 1.0 17 ... · GSM Association Confidential - Full, Rapporteur, and Associate Members Official Document PDATA.01 - OpenID Connect Mobile

The OpenID Connect Protocol

OAuth 2.0 & OpenID Connect #MA7

[LDAPCon 2015] The OpenID Connect Protocol

OpenID Connect for SSI

OAuth 2.0 e OpenID Connect

Draft: OpenID Connect Core 1.0 - draft 14self-issued.info/docs/openid-connect-core-1_0-14.docx · Web viewOpenID Connect Core 1.0 - draft 14 Abstract OpenID Connect 1.0 is a simple

OpenID Connect - Nat Sakimura at OpenID TechNight #7

OpenID vs Facebook Connect vs FriendConnect

OpenID Connect Update