Basic architecture

The 'trust' architecture for deploying OID Fed in the context of research and education federations and eduGAIN is assumed to have Trust Anchors, Intermediates and Leafs (OP/RP) as defined in the OpenID Federation terminology.

National Federations

National federations act both as Intermediates and as Trust Anchors at the same time. Some Leaf entities may choose to use only the local, national federation as their trust context, in which case the national federation acts as the Trust Anchor. Others may want to make use of eduGAIN for cross-national transactions, in which case eduGAIN will be a Trust Anchor as well. The national federations offer a list of all the Leafs and Intermediates they have registered via the subordinates endpoint; this endpoint may also be used for discovery.
Each National Federation provides a resolver.

eduGAIN Components

  1. We assume 1 eduGAIN and 5 national federations

    - TA -> Roland's testbed - we set up the intermediates manually
    - Intermediate - Gabriel's codebase, including the registration API
    - TM (Trust Mark) issuers
    - TMs
        - eduGAIN - only national intermediates
        - National federation level trust mark - discovery; easier to resolve compared to a trust chain
        - REFEDS Sirtfi - must be on the national level
        - VO membership - independent TM
    - RPs -> Go implementation
    - OPs?
        - SSP (Marko) - would a proxy also work with the SP side in a SAML federation?
        - Shib OP
        - Roland's OP
        - Can we proxy based on existing SAML IdPs? Yes, via SSP or SATOSA. - Ask Roland about readiness

    You may bring your own, but you are on your own; we will not support it.

    Do we also inject existing federation members (based on SAML metadata) into the national federations?
    - Yes, but in a different setup

    - Resolver: most important for RPs, as this will simplify RP life.
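To make the resolver's job concrete, here is an added example (not code from this page, from Roland's testbed, from Gabriel's codebase or from any other implementation named here) that models the layout described above: a Leaf that trusts only its national federation, a Leaf that reaches eduGAIN through its national federation, and a check of a national-level trust mark against the trust anchor's policy. All entity ids, trust mark ids and issuer policies are constructed placeholders, and plain dicts stand in for the signed entity statements; nothing is fetched and no signatures are verified.

```python
# Constructed entity configurations: entity_id -> authority_hints (superiors) and trust
# marks held. Plain dicts stand in for signed entity statements; nothing is fetched or verified.
ENTITIES = {
    "https://edugain.example": {"authority_hints": [], "trust_marks": []},
    "https://fed-a.example": {"authority_hints": ["https://edugain.example"], "trust_marks": []},
    "https://fed-b.example": {"authority_hints": ["https://edugain.example"], "trust_marks": []},
    "https://rp.fed-a.example": {"authority_hints": ["https://fed-a.example"], "trust_marks": []},
    "https://op.fed-b.example": {"authority_hints": ["https://fed-b.example"],
        # Sirtfi trust mark issued at the national level, as the component notes require
        "trust_marks": [("https://refeds.example/sirtfi", "https://fed-b.example")]},
}

# Constructed subordinate listings: what each superior's subordinates endpoint would return.
SUBORDINATES = {
    "https://edugain.example": {"https://fed-a.example", "https://fed-b.example"},
    "https://fed-a.example": {"https://rp.fed-a.example"},
    "https://fed-b.example": {"https://op.fed-b.example"},
}

# Constructed trust-anchor policy: which issuers each TA accepts for a given trust mark id.
TRUST_MARK_ISSUERS = {
    "https://edugain.example": {
        "https://refeds.example/sirtfi": {"https://fed-a.example", "https://fed-b.example"}},
    "https://fed-b.example": {"https://refeds.example/sirtfi": {"https://fed-b.example"}},
}

def resolve_chain(entity_id, trust_anchor, _seen=()):
    """Follow authority_hints from entity_id up to trust_anchor. A hop is accepted only if
    the superior actually lists the entity as a subordinate. Returns the chain as a list
    (leaf first, trust anchor last), or None when no valid chain exists."""
    if entity_id == trust_anchor:
        return [entity_id]
    if entity_id in _seen or entity_id not in ENTITIES:
        return None  # loop in authority_hints, or an entity we know nothing about
    for superior in ENTITIES[entity_id]["authority_hints"]:
        if entity_id not in SUBORDINATES.get(superior, ()):
            continue  # the hint is not backed by the superior's own listing
        rest = resolve_chain(superior, trust_anchor, _seen + (entity_id,))
        if rest:
            return [entity_id] + rest
    return None

def has_trust_mark(entity_id, mark_id, trust_anchor):
    """True if entity_id holds mark_id from an issuer that trust_anchor accepts for it."""
    allowed = TRUST_MARK_ISSUERS.get(trust_anchor, {}).get(mark_id, set())
    return any(m == mark_id and issuer in allowed
               for m, issuer in ENTITIES.get(entity_id, {}).get("trust_marks", []))
```

The same Leaf resolves to a two-entity chain when its national federation is the chosen Trust Anchor and to a three-entity chain when eduGAIN is, which is the choice the paragraph on national federations describes.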