T3.1A OpenID Connect Federation

Description

Carry out development based on OpenID Connect (OIDC), specifically for extending the standard to make OIDC “federation and interfederation capable” (i.e. OIDC metadata, discovery, etc.), including engaging with and contributing to the IETF and developing a potential OIDC profile for eduGAIN.

Results

OIDCfed

During the GN4-2 the OpenID Connect Federation specification (from here on openid-federation) was implemented and had a major rewrite. At the same time a profile targeted to R&E identity federations was drafted.

The work on the specification consisted in both supporting the main editor, Roland Hedberg, and engaging with multiple R&E communities in order to collect needs, feedback and suggestions.

Specification

• Latest published draft: https://openid.net/specs/openid-connect-federation-1_0.html
• Tracker and working on edition: https://github.com/rohe/oidcfederation

Identity Federation profile (the "SWAMID/Amsterdam profile")

• https://github.com/OpenIDC/fedoidc/blob/master/doc/profile/swamid.rst

OIDCFed implementations and tools:

• library and example implementations of openid-federation draft 0.4:
  • https://github.com/OpenIDC/fedoidc
• library and example implementations of openid-federation draft 0.5:
  • https://github.com/rohe/fedservice
• proof-of-concept OIDC federation using the SWAMID/Amsterdam profile:
  • https://github.com/rohe/oidc-swamid-federation
• Registry application for OpenID Connect federations and entities (REGO)
  • https://github.com/daserzw/rego

OIDC Support in Shibboleth

In the GN4-2 a full plugin for OIDC in Shibboleth is build. The code was build in agreement with the Shibboleth developers, and reached beta status 

Code & Background - https://github.com/CSCfi/shibboleth-idp-oidc-extension

The beta release - https://github.com/CSCfi/shibboleth-idp-oidc-extension/releases/tag/v0.8.0b

Training material

• 15 october 2018 @ Orlando, FL, USA (Technology Exchange): https://wiki.eduuni.fi/pages/viewpage.action?pageId=75756004
• 11 & 12 october @  Amsterdam, NL https://wiki.eduuni.fi/display/CSCHAKA/181211-12+@+Shibboleth+OIDC+Extension+Tutorial

OpenID Foundation R&E Working Group

Project participants of the OIDCfed task members were one of the founding members of the OpenID Foundation R&E Working Group, founded in Oct 2018, in order to get a broader base for the OIDC work within R&E, with focus on: 

• Developinga profile for OpenID Connect with specific requirements for security, multi-lateral trust and interoperability in the R&E sector.
• Developing  a profile for the use of a specific set of claims and scopes related to the R&E sector.
• Developing  a profile for extending OpenID Connect entity's metadata to support policy frameworks used in the R&E sector.

Charter: https://github.com/daserzw/oidc-edu-wg/releases/tag/v1.0.0

WG Homepage:  https://openid.net/wg/rande/

OpenID Connect training

During the GN4-2 project instances of the OJOU (OAuth2, JW*, OpenID Connect and UMA) Course were held in Espoo (fi), Budapest (hu) and Rome (it), which focussed on the fundamental basics of OpenID Connect and it's underlying protocols.

Course material: https://github.com/rohe/ojou_course

Documents

• Meeting Notes Design Meeting Copenhagen, September 15, 2018: Meeting notes Copenhagen September 15th.docx

Reference Materials

• Course material for a course in OAuth2, JW*, OpenID Connect and UMA

• Draft OpenID Connect Federation 
• Example implementation of the OIDC Federation 
• OTTO - Open Trust Taxonomy for Federation Operators,  minutes Kantara WG  

• OIDC Mailinglist (GEANT) - The current mailinglist for discussion on the OIDC Federation draft (Federation perspective)
• OIDC specifications (Open ID Foundation) - The current mailinglist for discussion on the OIDC Federation draft (OpenID Connect perspective)

Attachments

Attachments