SPID/CIE OIDC Federation

This testbed is based on the Italian federation implementation: https://github.com/italia/spid-cie-oidc-django.

It consists of the following entities:

• a trust anchor → https://trust-anchor.testbed.oidcfed.incubator.geant.org/
  • embedded OP (SPID) → https://trust-anchor.testbed.oidcfed.incubator.geant.org/oidc/op/ 
    metadata: https://trust-anchor.testbed.oidcfed.incubator.geant.org/oidc/op/.well-known/openid-federation?format=json
  • embedded RP → https://trust-anchor.testbed.oidcfed.incubator.geant.org/oidc/rp/
    metadata: https://trust-anchor.testbed.oidcfed.incubator.geant.org/oidc/rp/.well-known/openid-federation?format=json
• an RP → https://relying-party.testbed.oidcfed.incubator.geant.org/
  metadata: https://relying-party.testbed.oidcfed.incubator.geant.org/.well-known/openid-federation?format=json
• an OP (CIE) → https://cie-provider.testbed.oidcfed.incubator.geant.org/oidc/op/
  metadata: https://cie-provider.testbed.oidcfed.incubator.geant.org/oidc/op/.well-known/openid-federation
• a PHP RP → https://relying-party-php.testbed.oidcfed.incubator.geant.org/
  metadata: https://relying-party-php.testbed.oidcfed.incubator.geant.org/.well-known/openid-federation?format=json
• a GO RP → https://gorp.testbed.oidcfed.incubator.geant.org
• a GO intermediate authority → https://go-ia.testbed.oidcfed.incubator.geant.org

The RP implemented in PHP is based on the implementation from https://github.com/italia/spid-cie-oidc-php.

The GO RP and TA use this implementation: https://github.com/zachmann/go-oidcfed

Example metadata: https://relying-party-php.testbed.oidcfed.incubator.geant.org/.well-known/openid-federation?format=json

Fedservice example

Repo: https://gitlab.geant.org/TI_Incubator/oidcfed/fedservice

This testbed is based on the example implementation from https://github.com/rohe/fedservice.

It consists of the following entities:

• two trust anchors
  • SEID → https://seid.fedservice.testbed.oidcfed.incubator.geant.org
  • SWAMID → https://swamid.fedservice.testbed.oidcfed.incubator.geant.org
• two intermediate federation entities:
  • LU → https://lu.fedservice.testbed.oidcfed.incubator.geant.org
  • UMU → https://umu.fedservice.testbed.oidcfed.incubator.geant.org
• two RPs
  • RPa (with automatic registration) → https://auto.fedservice.testbed.oidcfed.incubator.geant.org
  • RPe (with explicit registration) → https://expl.fedservice.testbed.oidcfed.incubator.geant.org
• an OP
  • OP → https://op.fedservice.testbed.oidcfed.incubator.geant.org

The trust relationships are depicted below.

 Inter-federation logins

Establishing trust between entities from different federations is possible if a valid trust can be constructed between the two entities.

In the existing testbeds, the trust anchor in the Italian federation was added as a trust anchor for the OP in Roland's example federation, making it possible that all RPs in the Italian federation could authenticate users from OP.

 eduGAIN-like trust fabric

This testbed mimics a real-world scenario, consisting of the eduGAIN federation, a number of national federations, and all the leaf entities that are currently part of eduGAIN, as well as the national federations.

• eduGAIN as root TA: https://edugain.testbed.oidcfed.incubator.geant.org/
• the following national federations:
  • Delos Federation (Greece): https://delos.testbed.oidcfed.incubator.geant.org
  • Hungarian Research and Educational Federation: https://eduidhu.testbed.oidcfed.incubator.geant.org 
  • HAKA (the identity federation of the Finnish universities): https://haka.testbed.oidcfed.incubator.geant.org
  • InCommon Federation in the US: https://incommon.testbed.oidcfed.incubator.geant.org
  • UK Access Management Federation
    for Education and Research: https://ukfederation.testbed.oidcfed.incubator.geant.org
• 5440 OpenId Connect Providers
• 3601 Relying Parties

Example metadata: https://oidcfed.sa5vopaas.utr.surfcloud.nl/leafs/fe37e407801ede6bc262eed7bf00a54f4c33e890/.json

The entire federation was exported as .dot file via ofcli and visualised below.