  • Reports on TIIME
  • Set the direction for the development of the signing service
  • Pilots?

Discussion items

  • Lots of interest in OIDCFed: plenty of people attended the discussions
  • Shibboleth OIDC extension: some interest, but for it to be considered for testing it needs the authorization code flow – due in mid-March

Endpoints and processes for the signing service:

# 1. Enrollment

Out-of-band connection

Obtain an access_token in order to use the MDSS

# 2. metadata_statement creation/update

## metadata_statement signing request ENDPOINT

(OAuth2 protected)

POST /mdss/entity

JSON payload

    {
        "signing_keys": ...,
        "claims": ...,
        "access_token": ...
    }

return a signed metadata_statement and the entity ID

## Update signing_keys in the metadata_statement ENDPOINT

(OAuth2 protected)

PUT /mdss/entity/id

JSON payload

    {
        "signing_keys": ...
    }

return a signed metadata_statement

## Update claims in the metadata_statement ENDPOINT

(OAuth2 protected)

PUT /mdss/entity/id

JSON payload

return a signed metadata_statement

# 3. Get a (resigned) metadata_statement ENDPOINT

GET /mdss/entity/id

return a metadata_statement signed by the MDSS_FO

GET /mdss/entity/id?superiors=[sup1,sup2]

return a metadata_statement signed by the MDSS_FO plus the inner metadata_statements for the listed superiors
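As an added illustration of the signing and nesting the endpoints above describe (not the fedoidc_ss/mdss code), using HS256 with constructed keys in place of the service's asymmetric signing_keys, and assuming that inner statements travel under a `metadata_statements` claim keyed by superior:

```python
import base64, hashlib, hmac, json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_ms(payload: dict, key: bytes, kid: str) -> str:
    """Compact JWS over payload. HS256 stands in for the real asymmetric signing_keys."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f'{enc({"alg": "HS256", "kid": kid})}.{enc(payload)}'
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"

def verify_ms(token: str, key: bytes) -> dict:
    """Constant-time signature check; returns the payload or raises ValueError."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("metadata_statement signature check failed")
    return json.loads(_unb64url(body))

# Constructed sample keys; the kids reuse the identifiers from the endpoint notes.
KEYS = {"MDSS_FO": b"fo-secret", "sup1": b"sup1-secret", "sup2": b"sup2-secret"}

def create_entity_ms(entity_id: str, signing_keys: dict, claims: dict) -> str:
    """What POST /mdss/entity returns: the FO's signature over claims + signing_keys."""
    payload = {"iss": "MDSS_FO", "sub": entity_id, "signing_keys": signing_keys, **claims}
    return sign_ms(payload, KEYS["MDSS_FO"], "MDSS_FO")

def resign_with_superiors(entity_ms: str, superiors: list) -> str:
    """What GET /mdss/entity/id?superiors=[...] returns (assumed layout): each superior
    signs the entity statement; the FO signs an outer statement carrying those inner ones."""
    entity_id = verify_ms(entity_ms, KEYS["MDSS_FO"])["sub"]
    inner = {sup: sign_ms({"iss": sup, "ms": entity_ms}, KEYS[sup], sup) for sup in superiors}
    outer = {"iss": "MDSS_FO", "sub": entity_id, "metadata_statements": inner}
    return sign_ms(outer, KEYS["MDSS_FO"], "MDSS_FO")

def verify_chain(outer_ms: str) -> dict:
    """Consumer side: check the FO signature, then every inner statement, and confirm
    each inner one wraps the same entity as the outer one. Returns the entity claims."""
    outer = verify_ms(outer_ms, KEYS["MDSS_FO"])
    entity = None
    for sup, inner_ms in outer["metadata_statements"].items():
        claims = verify_ms(verify_ms(inner_ms, KEYS[sup])["ms"], KEYS["MDSS_FO"])
        if claims["sub"] != outer["sub"] or (entity is not None and claims != entity):
            raise ValueError("inner metadata_statement does not match the outer one")
        entity = claims
    if entity is None: raise ValueError("no inner metadata_statements present")
    return entity
```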

# 4. Superior

Out-of-band configuration

We need the signing service before enrolling organizations into pilots.

Action items

  • Davide Vaghetti will refactor the current fedoidc_ss into mdss following the above description