Entity Statements

The basic component for building a Trust Chain is the Entity Statement (ES), a signed JWT that contains the Federation public keys of a subordinate Entity (subject) and further data used to control the process of Trust Chain resolution.

An Entity publishes an ES about a subordinate at its Fetch Endpoint. The superior Entity MAY define the Metadata policy for a subject and publishes the TMs that it has issued for it.
Entity Statement Signature

The same considerations made for the ECs and reported in the section Entity Configuration Signature apply.
Entity Statement

The ES issued by the TA or by an Intermediate for its own direct subordinates MUST contain the following attributes:

| Claim | Description | Supported by |
|---|---|---|
| iss | See OIDC-FED Section 3.1 for further details. | |
| sub | See OIDC-FED Section 3.1 for further details. | |
| iat | See OIDC-FED Section 3.1 for further details. | |
| exp | See OIDC-FED Section 3.1 for further details. | |
| jwks | Federation JWKS of the sub entity. See OIDC-FED Section 3.1 for further details. | |
| metadata_policy | JSON Object that describes the Metadata policy. Each key of the JSON Object represents an identifier of the type of Metadata and each value MUST be a JSON Object that represents the Metadata policy according to that Metadata type. Please refer to the OIDC-FED specifications, Section 5.1, for the implementation details. | |
| trust_marks | JSON Array containing the Trust Marks issued by itself for the subordinate subject. | |
| constraints | It MAY contain the allowed_leaf_entity_types, which restricts what types of metadata a subject is allowed to publish. | |
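The claim set above lends itself to a structural pre-check that a resolver runs on a decoded ES payload before it trusts its contents. The following is an added example, not code from the specification or from any federation implementation: it assumes signature verification has already been done and only checks the claims listed in the table (presence, https issuer/subject, validity window, a non-empty Federation JWKS, well-formed `metadata_policy`, `trust_marks` and `constraints`). The sample payload and its key material are constructed placeholders.

```python
"""Structural checks on a decoded Entity Statement (ES) payload.

Added example, not part of the specification. The sample ES below is
constructed; the JWK modulus is a placeholder, not real key material.
Signature verification is assumed to have happened already.
"""
import time
from typing import Optional
from urllib.parse import urlparse

REQUIRED_CLAIMS = ("iss", "sub", "iat", "exp", "jwks")
# The policy operators this page uses; anything else is flagged.
POLICY_OPERATORS = {"value", "one_of", "subset_of", "superset_of"}


def _is_https_url(value) -> bool:
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_entity_statement(payload: dict, now: Optional[int] = None) -> list:
    """Return the list of problems found; an empty list means the ES is well-formed."""
    now = int(time.time()) if now is None else now
    problems = []

    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            problems.append(f"missing required claim {claim!r}")
    if problems:
        return problems  # nothing else is meaningful without the basic claims

    for claim in ("iss", "sub"):
        if not _is_https_url(payload[claim]):
            problems.append(f"{claim} is not an https URL")
    # An ES is issued by a superior about a subordinate; a self-signed
    # statement with iss == sub is an Entity Configuration, not an ES.
    if payload["iss"] == payload["sub"]:
        problems.append("iss equals sub: this is an Entity Configuration, not an ES")

    iat, exp = payload["iat"], payload["exp"]
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat and exp must be integer timestamps")
    else:
        if iat > now:
            problems.append("iat is in the future")
        if exp <= now:
            problems.append("statement has expired")
        if exp <= iat:
            problems.append("exp is not after iat")

    keys = payload["jwks"].get("keys") if isinstance(payload["jwks"], dict) else None
    if not keys:
        problems.append("jwks must contain a non-empty 'keys' array")
    else:
        for key in keys:
            if not isinstance(key, dict) or "kty" not in key or "kid" not in key:
                problems.append("every Federation JWK needs at least 'kty' and 'kid'")
                break

    policy = payload.get("metadata_policy", {})
    if not isinstance(policy, dict):
        problems.append("metadata_policy must be a JSON object")
    else:
        for entity_type, params in policy.items():
            if not isinstance(params, dict):
                problems.append(f"metadata_policy[{entity_type!r}] must be a JSON object")
                continue
            for param, ops in params.items():
                unknown = set(ops) - POLICY_OPERATORS if isinstance(ops, dict) else {"<not an object>"}
                if unknown:
                    problems.append(
                        f"metadata_policy[{entity_type!r}][{param!r}] uses unsupported operators {sorted(unknown)}"
                    )

    if not isinstance(payload.get("trust_marks", []), list):
        problems.append("trust_marks must be a JSON array")

    constraints = payload.get("constraints", {})
    if not isinstance(constraints, dict):
        problems.append("constraints must be a JSON object")
    else:
        allowed = constraints.get("allowed_leaf_entity_types")
        if allowed is not None and (
            not isinstance(allowed, list) or not all(isinstance(t, str) for t in allowed)
        ):
            problems.append("constraints.allowed_leaf_entity_types must be an array of strings")

    return problems


# Constructed sample ES payload (not a real federation; placeholder key).
SAMPLE_ES = {
    "iss": "https://trust-anchor.example",
    "sub": "https://rp.example",
    "iat": 1_700_000_000,
    "exp": 1_700_086_400,  # one day after iat
    "jwks": {"keys": [{"kty": "RSA", "kid": "rp-fed-key-1", "n": "PLACEHOLDER", "e": "AQAB"}]},
    "metadata_policy": {
        "openid_relying_party": {"grant_types": {"subset_of": ["authorization_code", "refresh_token"]}}
    },
    "trust_marks": [],
    "constraints": {"allowed_leaf_entity_types": ["openid_relying_party"]},
}

if __name__ == "__main__":
    print(check_entity_statement(SAMPLE_ES, now=1_700_000_100))
```

Passing `now` explicitly keeps the check deterministic in tests; in production leave it unset so the validity window is evaluated against the current clock.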
Metadata Policy

Trust Anchors and Intermediates (SAs) MUST publish a policy regarding their respective descendants in the Entity Statement referring to them. The Metadata Policy MUST cascade to all descendants.
TA Metadata Policy for RP

The following claims MUST be considered in the metadata parameter of type openid_relying_party within the policy that the TA establishes for an RP.

| Claim | Operations / Values | Supported by |
|---|---|---|
| jwks | Operations: value | |
| grant_types | Operations: subset_of, superset_of | |
| id_token_signed_response_alg | Operations: one_of | |
| id_token_encrypted_response_alg | Operations: one_of | |
| id_token_encrypted_response_enc | Operations: one_of | |
| userinfo_signed_response_alg | Operations: one_of | |
| userinfo_encrypted_response_alg | Operations: one_of | |
| userinfo_encrypted_response_enc | Operations: one_of | |
| token_endpoint_auth_method | Operations: one_of | |
| client_registration_types | Operations: subset_of | |
| redirect_uris | Operations: | |
| client_id | Operations: | |
| response_types | Operations: value | |
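The operators in the table (value, one_of, subset_of, superset_of) and the cascading rule stated above are easiest to understand by running them. The following added example, not code from the specification or from any federation software, combines a Trust Anchor policy with an intermediate's (SA) policy and then applies the combined policy to an RP's openid_relying_party metadata. The combination and application rules are my reading of OIDC-FED Section 5.1 (value must agree and overrides; one_of and subset_of intersect; superset_of unions on combination and is checked on application; an empty subset_of result removes the parameter; operators other than value are skipped when the parameter is absent), and the policies and RP metadata are constructed for illustration.

```python
"""Combine and apply OIDC Federation metadata policies.

Added example; policies and RP metadata below are constructed, and the
operator semantics follow OIDC-FED Section 5.1 as understood by the author
of this example (an assumption, not text from the page).
"""
import copy


class PolicyError(Exception):
    """Metadata violates the policy, or two policies cannot be combined."""


# Order in which the operators of one parameter are applied.
OPERATOR_ORDER = ("value", "one_of", "subset_of", "superset_of")


def combine_policies(superior: dict, subordinate: dict) -> dict:
    """Cascade: merge the subordinate's policy into the superior's policy."""
    merged = copy.deepcopy(superior)
    for param, sub_ops in subordinate.items():
        ops = merged.setdefault(param, {})
        for op, sub_val in sub_ops.items():
            if op not in OPERATOR_ORDER:
                raise PolicyError(f"{param}: unsupported operator {op!r}")
            if op not in ops:
                ops[op] = copy.deepcopy(sub_val)
            elif op == "value":
                if ops[op] != sub_val:
                    raise PolicyError(f"{param}: conflicting 'value' operators")
            elif op in ("one_of", "subset_of"):
                ops[op] = [v for v in ops[op] if v in sub_val]  # intersection
                if not ops[op]:
                    raise PolicyError(f"{param}: {op} becomes empty after combination")
            elif op == "superset_of":
                ops[op] = ops[op] + [v for v in sub_val if v not in ops[op]]  # union
    return merged


def apply_policy(policy: dict, metadata: dict) -> dict:
    """Return the metadata after the policy has been enforced on it."""
    result = copy.deepcopy(metadata)
    for param, ops in policy.items():
        for op in OPERATOR_ORDER:
            if op not in ops:
                continue
            expected = ops[op]
            if op == "value":
                result[param] = copy.deepcopy(expected)  # superior's value always wins
            elif param not in result:
                continue  # remaining operators only constrain a present parameter
            elif op == "one_of":
                if result[param] not in expected:
                    raise PolicyError(f"{param}: {result[param]!r} is not one_of {expected}")
            elif op == "subset_of":
                kept = [v for v in result[param] if v in expected]
                if kept:
                    result[param] = kept
                else:
                    del result[param]  # nothing allowed remains
            elif op == "superset_of":
                missing = [v for v in expected if v not in result[param]]
                if missing:
                    raise PolicyError(f"{param}: missing required values {missing}")
    return result


# Constructed policies, shaped after the operators listed for each RP claim.
TA_POLICY_FOR_RP = {
    "grant_types": {"subset_of": ["authorization_code", "refresh_token"],
                    "superset_of": ["authorization_code"]},
    "id_token_signed_response_alg": {"one_of": ["RS256", "ES256"]},
    "client_registration_types": {"subset_of": ["automatic"]},
    "response_types": {"value": ["code"]},
}
SA_POLICY_FOR_RP = {  # the intermediate narrows what the TA allows
    "grant_types": {"subset_of": ["authorization_code"]},
    "id_token_signed_response_alg": {"one_of": ["ES256"]},
}
RP_METADATA = {  # constructed RP metadata of type openid_relying_party
    "redirect_uris": ["https://rp.example/cb"],
    "grant_types": ["authorization_code", "refresh_token", "implicit"],
    "id_token_signed_response_alg": "ES256",
    "client_registration_types": ["automatic", "explicit"],
    "response_types": ["code", "token"],
}


def resolve_rp_metadata(metadata: dict = RP_METADATA) -> dict:
    """Cascade the TA policy through the SA, then enforce it on the RP."""
    return apply_policy(combine_policies(TA_POLICY_FOR_RP, SA_POLICY_FOR_RP), metadata)


def violates_policy(metadata: dict) -> bool:
    try:
        resolve_rp_metadata(metadata)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_rp_metadata())
```

Note that `value` rewrites the parameter unconditionally, so a TA that sets `response_types` to `["code"]` removes `token` from the RP's published metadata rather than rejecting the RP; `one_of` and `superset_of` reject instead. Which behaviour a verifier gets is therefore decided by the operator the superior chose, not by the RP.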
TA Metadata Policy for SA

The following claims MUST be considered in the metadata parameter of type openid_relying_party within the policy that the TA establishes for a SA. This policy MUST be cascaded to the metadata of the direct descendant (RP aggregate) of the SA.

| Claim | Operations / Values | Supported by |
|---|---|---|
| grant_types | Operations: subset_of, superset_of | |
| id_token_signed_response_alg | Operations: one_of | |
| id_token_encrypted_response_alg | Operations: one_of | |
| id_token_encrypted_response_enc | Operations: one_of | |
| userinfo_signed_response_alg | Operations: one_of | |
| userinfo_encrypted_response_alg | Operations: one_of | |
| userinfo_encrypted_response_enc | Operations: one_of | |
| token_endpoint_auth_method | Operations: one_of | |
| client_registration_types | Operations: subset_of | |
| redirect_uris | Operations: | |
| client_id | Operations: | |
| response_types | Operations: value | |
SA Metadata Policy for RP

The following claims MUST be considered in the metadata parameter of type openid_relying_party within the policy that the SA establishes for an RP, its direct descendant (Aggregate).

| Claim | Operations / Values | Supported by |
|---|---|---|
| jwks | Operations: value | |
TA Metadata Policy for OP

The following claims MUST be considered in the metadata parameter of type openid_provider within the policy that the TA establishes for an RP, its direct descendant.

| Claim | Operations / Values | Supported by |
|---|---|---|
| jwks | Operations: value | |
| revocation_endpoint_auth_methods_supported | Operations: subset_of | |
| code_challenge_methods_supported | Operations: subset_of | |
| scopes_supported | Operations: subset_of, superset_of | |
| response_types_supported | Operations: subset_of | |
| response_modes_supported | Operations: subset_of, superset_of | |
| grant_types_supported | Operations: subset_of, superset_of | |
| acr_values_supported | Operations: subset_of, superset_of | |
| subject_types_supported | Operations: subset_of | |
| id_token_signing_alg_values_supported | Operations: subset_of, superset_of | |
| id_token_encryption_alg_values_supported | Operations: subset_of, superset_of | |
| id_token_encryption_enc_values_supported | Operations: subset_of, superset_of | |
| userinfo_signing_alg_values_supported | Operations: subset_of, superset_of | |
| userinfo_encryption_alg_values_supported | Operations: subset_of, superset_of | |
| userinfo_encryption_enc_values_supported | Operations: subset_of, superset_of | |
| token_endpoint_auth_methods_supported | Operations: subset_of | |
| token_endpoint_auth_signing_alg_values_supported | Operations: subset_of, superset_of | |
| claims_parameter_supported | Operations: value | |
| request_parameter_supported | Operations: value | |
| authorization_response_iss_parameter_supported | Operations: value | |
| client_registration_types_supported | Operations: subset_of | |
| request_authentication_methods_supported | Operations: value | |
| request_authentication_signing_alg_values_supported | Operations: value | |
| request_object_signing_alg_values_supported | Operations: subset_of, superset_of | |
| issuer | Operations: | |
| authorization_endpoint | Operations: | |
| token_endpoint | Operations: | |
| userinfo_endpoint | Operations: | |
| introspection_endpoint | Operations: | |
| revocation_endpoint | Operations: | |