Lesson 2 of 15
Foundation · Lesson 2

πŸ›οΈ Entities & Roles

The hierarchy of players in a federation


Every federation is organized as a hierarchy.[1] At the top sits the Trust Anchor, which may delegate authority to Intermediate Entities, who in turn manage Leaf Entities: the OpenID Providers, Relying Parties, and other services that participate in the federation.

[Figure: federation hierarchy diagram. Nodes: Trust Anchor; Intermediate A and Intermediate B beneath it; OP, RP, AS and RS as leaves.]

Multi-Federation Membership

An entity MAY have multiple Entity Types[2] and can be a member of multiple federations simultaneously. For example, a university identity provider might participate in both a national education federation and a research consortium federation, each with its own Trust Anchor.

Entity Types at a Glance

Trust Anchor (Root of Trust)
  Every Trust Chain ends at a Trust Anchor. It is the top-level authority that publishes its own Entity Configuration and issues Subordinate Statements for its direct subordinates.

Intermediate Entity (Middle Layer)
  Issues Entity Statements appearing between those issued by the Trust Anchor and the subject of a Trust Chain. Can enforce metadata policies and delegate further.

OpenID Provider (Entity Type: openid_provider)
  A login server where users authenticate. As a Leaf Entity, it MUST NOT publish federation_fetch_endpoint or federation_list_endpoint.

Relying Party (Entity Type: openid_relying_party)
  An application or service that needs to verify user identity. Relies on an OpenID Provider for authentication.

OAuth Authorization Server (Entity Type: oauth_authorization_server)
  Issues access tokens for protected resources. Similar to an OP, but for OAuth 2.0 flows rather than OIDC.

Resource Server (Entity Type: oauth_resource)
  Hosts protected resources and validates access tokens. Declares which authorization servers it trusts.

OAuth Client (Entity Type: oauth_client)
  An application that requests access to protected resources on behalf of a resource owner.

Federation Entity (Entity Type: federation_entity)
  Used for federation infrastructure metadata: endpoints such as fetch, list, resolve, and trust mark management.
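To make the hierarchy, the multi-federation membership above, and the Entity Type identifiers concrete, here is a small Python model added for this lesson. It is not code from the OpenID Federation specification or from any implementation: Entity Configurations are plain dictionaries rather than signed JWTs, all entity identifiers are made-up URLs, a `subordinates` list stands in for the fetch/list endpoints a superior would expose, and "has no authority_hints" is used as the model's definition of a Trust Anchor. It resolves every Trust Chain a leaf can build (the university OP reaches two Trust Anchors, one per federation) and flags a leaf that publishes an endpoint the lesson says it MUST NOT.

```python
"""Toy model of OpenID Federation roles and trust-chain resolution.

Constructed example for the lesson, not spec or project code. Entity
Configurations are dicts (a real federation signs them as JWTs) and the
entity identifiers below are invented.
"""
from typing import Dict, List, Set

# Endpoints a Leaf Entity MUST NOT publish (see the OpenID Provider card).
LEAF_FORBIDDEN = ("federation_fetch_endpoint", "federation_list_endpoint")

# Constructed Entity Configurations, keyed by entity identifier.
# 'authority_hints' names the superiors an entity claims; 'subordinates'
# stands in for what the superior's fetch/list endpoints would return.
ENTITIES: Dict[str, dict] = {
    "https://ta.edu.example": {            # national education federation TA
        "metadata": {"federation_entity": {
            "federation_fetch_endpoint": "https://ta.edu.example/fetch",
            "federation_list_endpoint": "https://ta.edu.example/list"}},
        "authority_hints": [],
        "subordinates": ["https://ia-a.example"],
    },
    "https://ta.research.example": {       # research consortium TA
        "metadata": {"federation_entity": {
            "federation_fetch_endpoint": "https://ta.research.example/fetch",
            "federation_list_endpoint": "https://ta.research.example/list"}},
        "authority_hints": [],
        "subordinates": ["https://idp.uni.example"],
    },
    "https://ia-a.example": {              # Intermediate Entity A
        "metadata": {"federation_entity": {
            "federation_fetch_endpoint": "https://ia-a.example/fetch",
            "federation_list_endpoint": "https://ia-a.example/list"}},
        "authority_hints": ["https://ta.edu.example"],
        "subordinates": ["https://idp.uni.example", "https://app.example"],
    },
    "https://idp.uni.example": {           # university OP, in both federations
        "metadata": {"openid_provider": {"issuer": "https://idp.uni.example"},
                     "federation_entity": {"organization_name": "Example University"}},
        "authority_hints": ["https://ia-a.example", "https://ta.research.example"],
        "subordinates": [],
    },
    "https://app.example": {               # Relying Party under IA A
        "metadata": {"openid_relying_party": {"client_name": "Example App"}},
        "authority_hints": ["https://ia-a.example"],
        "subordinates": [],
    },
    "https://bad-rp.example": {            # misconfigured leaf (constructed)
        "metadata": {"openid_relying_party": {"client_name": "Bad RP"},
                     "federation_entity": {
                         "federation_fetch_endpoint": "https://bad-rp.example/fetch"}},
        "authority_hints": ["https://ia-a.example"],  # IA A does not list it
        "subordinates": [],
    },
}


def entity_types(entity_id: str) -> Set[str]:
    """An entity's Entity Types are the keys of its 'metadata' claim."""
    return set(ENTITIES[entity_id]["metadata"])


def is_leaf(entity_id: str) -> bool:
    """Model simplification: a Leaf Entity has no subordinates of its own."""
    return not ENTITIES[entity_id]["subordinates"]


def is_trust_anchor(entity_id: str) -> bool:
    """Model simplification: a Trust Anchor claims no superior."""
    return not ENTITIES[entity_id]["authority_hints"]


def leaf_violations(entity_id: str) -> List[str]:
    """Forbidden federation endpoints that a Leaf Entity publishes anyway."""
    if not is_leaf(entity_id):
        return []
    fed = ENTITIES[entity_id]["metadata"].get("federation_entity", {})
    return [key for key in LEAF_FORBIDDEN if key in fed]


def trust_chains(entity_id: str) -> List[List[str]]:
    """Every path from entity_id up through its superiors to a Trust Anchor.

    A hop counts only if the superior really lists the entity as a
    subordinate (the stand-in for fetching a Subordinate Statement); an
    authority_hint the superior does not back is a dead end.
    """
    chains: List[List[str]] = []

    def walk(current: str, path: List[str]) -> None:
        if is_trust_anchor(current):
            chains.append(path)
            return
        for superior in ENTITIES[current]["authority_hints"]:
            if superior in path or superior not in ENTITIES:
                continue                      # loop or unknown entity
            if current not in ENTITIES[superior]["subordinates"]:
                continue                      # superior does not vouch
            walk(superior, path + [superior])

    walk(entity_id, [entity_id])
    return chains


def federations_of(entity_id: str) -> Set[str]:
    """Trust Anchors the entity can chain to: one per federation it belongs to."""
    return {chain[-1] for chain in trust_chains(entity_id)}


if __name__ == "__main__":
    for eid in ENTITIES:
        print(eid, sorted(entity_types(eid)), trust_chains(eid), leaf_violations(eid))
```

Running the script shows `https://idp.uni.example` resolving two chains, one through Intermediate A to the education Trust Anchor and one directly to the research Trust Anchor, while `https://bad-rp.example` resolves none because its claimed superior never lists it, and is additionally reported for publishing `federation_fetch_endpoint` as a leaf. The "superior must vouch" check is the part a verifier cannot skip: an `authority_hints` claim is the entity's own assertion, and only the superior's statement turns it into a link in a Trust Chain.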

Sources & References

  1. OpenID Federation 1.0, Section 1.2: Terminology
  2. OpenID Federation 1.0, Section 5: Metadata