Implementing OpenID Federation Specification in SimpleSAMLphp: GEANT T&I Incubator
As part of my participation in the GEANT Trust and Identity Incubator project, I had the opportunity to implement the OpenID Federation specification in SimpleSAMLphp. This project involved working on the oidc module of SimpleSAMLphp, enhancing it with automatic client registration, a significant feature of the OpenID Federation specification.
Overview of the Project
The main objective of the project was to extend the SimpleSAMLphp OIDC module (available here) to support the OpenID Federation specification.
The implementation was done by developing a dedicated library that includes the essential building blocks, such as Trust Chain and metadata resolution. The resulting library can be found here.
Key Features Implemented
- Automatic Client Registration:
  - This feature allows Relying Parties to register automatically, provided they meet the federation’s trust requirements.
  - Trust Chains were validated and used to determine the eligibility of RPs for registration, ensuring secure and streamlined onboarding.
- Trust Chain Resolution:
  - Developed mechanisms to dynamically fetch, resolve, and validate entity configurations and subordinate statements using authority hints.
  - The library incorporates caches for efficient entity configuration and Trust Chain management.
- Federation Endpoints:
  - New federation-specific endpoints were introduced in the oidc module for issuing entity statements.
Ensuring compatibility with other OpenID implementations was crucial. This involved extensive testing and validation using various tools, including testbed environments provided by the Incubator.
Demonstration and Future Prospects
The module was tested in real-world scenarios, showcasing its capabilities in integrating Relying Parties into federated ecosystems. The implementation paves the way for broader adoption of OpenID Federation in education and research communities.
With the OpenID Federation standard gaining traction, this work contributes to advancing interoperability, security, and automation in identity federation systems. Future development may involve extending this implementation to other systems and enhancing the scalability of the solution.
I had the privilege to present the outcomes during the GEANT Incubator’s Public Sprint Demo on December 17, 2024. The recording is available here: https://surfdrive.surf.nl/files/index.php/s/bzO4H037LWQ7P4w