OpenID Connect Federation 1.0 provider configuration
This guide explains how to configure the Connect2id server to operate as an OpenID Connect Federation 1.0 compliant OpenID provider.
1. Federation entity keys
Generate and configure a JSON Web Key (JWK) set to represent the federation entity keys of the OpenID provider. Note that these keys are separate from, and independent of, those used for OAuth 2.0 and OpenID Connect purposes.
The set will consist of a single RSA key, which the Connect2id server will use to sign its federation entity configuration published at the /.well-known/openid-federation endpoint.
New keys can be periodically added to the JWK set to perform key rollover.
The new federation entity key (only the public part!) must then be registered with the federation authority (there can be more than one) where the Connect2id server is enrolled in an OpenID provider role.
2. Federation configuration
Enable OpenID Connect Federation 1.0 and set at least one trust anchor and one authority hint. The remaining configuration settings, such as any assigned trust marks, are optional.
Example federation configuration:
op.federation.enable=true
op.federation.clientRegistrationTypes=explicit,automatic
op.federation.autoClientAuthMethods.ar=request_object
op.federation.autoClientAuthMethods.par=private_key_jwt,self_signed_tls_client_auth
op.federation.organizationName=Trusted IdP
op.federation.trustAnchors.1=https://federation.example.com
op.federation.authorityHints.1=https://federation.example.com
To verify the configuration, check the Connect2id server log. At startup the server will log the configured federation entity settings and the loading of the federation entity keys.
Example startup log, where the OP0040 identifier can be used to locate the start of the section:
INFO main MAIN - [OP0040] OpenID Connect Federation: Enabled: true
INFO main MAIN - [OP0041] OpenID Connect Federation: Client registration types: [explicit, automatic]
INFO main MAIN - [OP0055] OpenID Connect Federation: Auto client authentication methods: {pushed_authorization_request_endpoint=[private_key_jwt, tls_client_auth, self_signed_tls_client_auth], authorization_endpoint=[request_object]}
INFO main MAIN - [OP0042] OpenID Connect Federation: Organization mame: My IdP
INFO main MAIN - [OP0043] OpenID Connect Federation: Authority hints: [https://federation.example.com]
INFO main MAIN - [OP0044] OpenID Connect Federation: Trust anchors: [https://federation.example.com]
INFO main MAIN - [OP0045] OpenID Connect Federation: Constraints: Max path length: 2
INFO main MAIN - [OP0046] OpenID Connect Federation: Constraints: Permitted: []
INFO main MAIN - [OP0047] OpenID Connect Federation: Constraints: Excluded: []
INFO main MAIN - [OP0053] OpenID Connect Federation: HTTP request timeout: 500ms
INFO main MAIN - [OP0054] OpenID Connect Federation: HTTP read timeout: 500ms
INFO main MAIN - [OP0048] OpenID Connect Federation: Contacts: null
INFO main MAIN - [OP0056] OpenID Connect Federation: Logo URI: https://demo.c2id.com/logo.png
INFO main MAIN - [OP0049] OpenID Connect Federation: Policy URI: https://demo.c2id.com/policy.html
INFO main MAIN - [OP0050] OpenID Connect Federation: Homepage URI: https://demo.c2id.com
INFO main MAIN - [OP0051] OpenID Connect Federation: Trust marks: none
INFO main MAIN - [OP0052] OpenID Connect Federation: Issued entity statement lifetime: 604800s
INFO main MAIN - [OP0053] OpenID Connect Federation: Auto client lifetime: 3600s
INFO main MAIN - [SE1021] Loaded JWK set from /WEB-INF/federationJWKSet.json file resource with 1 keys
To verify the published federation entity configuration for the OpenID provider, check the content of the signed JWT at the .well-known/openid-federation URL. The claims that go into the JWT are explained in the specification.
3. Debugging trust chain resolution
Every time the Connect2id server receives a request from a federation entity that triggers a trust chain resolution to determine whether the client is allowed to proceed, the server will log the process.
Example trust chain resolution for an automatic client at the PAR endpoint:
INFO PAR - HTTP POST request: ip=192.168.0.1 path=/c2id/par/
INFO FED-REG - [OP8025] Resolved 1 trust chains (automatic client):
INFO FED-REG - [OP8026] Trust chain [1] anchor (automatic client): https://federation.example.com
INFO FED-REG - [OP8026] Trust chain [1][1] entity (automatic client): http://rp.example.com
INFO FED-REG - [OP8026] Trust chain [1][1] statement (automatic client): {"sub":"https://rp.example.com",...
INFO FED-REG - [OP8026] Trust chain [1][2] entity (automatic client): https:///rp.example.com
INFO FED-REG - [OP8026] Trust chain [1][2] statement (automatic client): {"sub":"https://rp.example.com",...
INFO FED-REG - [OP8013] Selected trust chain for entity ID https://rp.example (automatic client) with anchor https://federation.example.com and exp 2022-12-30T17:59:15.000+0200
INFO FED-REG - [OP8018] Received automatic registration request from https://rp.example.com with authorities [https://federation.example.com]
INFO FED-REG - [OP8051] Effective metadata RP policy for entity ID https://rp.example.com: {"grant_types":{"subset_of":["authorization_code","refresh_token"]}}
INFO FED-REG - [OP8014] Registered entity ID https://rp.example.com as automatic client with client_id=https://rp.example.com exp=1672415955
INFO PAR - [OP6204] Confidential client authenticated: client_id=https://rp.example.com method=private_key_jwt client_auth_id=tGt9YYlamOgzo0Ra