Lesson 5 — Trust Chain Resolution | Learn OpenID Federation

Watch the Algorithm

Trust Chain Resolution is the process of fetching and assembling all the Entity Statements needed to build a complete chain from a leaf entity to a Trust Anchor (§10). The most common approach is bottom-up resolution, which follows authority_hints upward.

Step 1 of 11

1. Fetch Leaf's Entity Configuration

GETYou → login.uni.edu/.well-known/openid-federation

Fetching leaf's Entity Configuration...

SecuritySecurity consideration

Resolvers MUST NOT attempt to re-fetch an Entity Statement already obtained during the resolution of a single Trust Chain. If a cycle is detected, that authority_hint MUST be abandoned — following it further would cause unbounded recursion and a denial of service against the resolver.

§10.1

Three Ways to Resolve

Bottom-Up Resolution

Most Common

Section 17.2.1

Fetch the subject's Entity Configuration, read authority_hints, fetch superiors' Entity Configurations, use their federation_fetch_endpoint for Subordinate Statements, repeat until you reach a pre-trusted Trust Anchor. Then validate the chain and apply metadata policies.

Top-Down Discovery

Discovery / Enumeration

Section 17.2.2

Query the Trust Anchor's List endpoint to get subordinate Entity IDs, filter by entity_type, recursively list Intermediates' subordinates. Useful for enumerating all entities in a federation.

Resolve Endpoint

Shortcut

Section 8.3

Send the subject Entity ID and trust_anchor to a resolver's federation_resolve_endpoint. Get back pre-resolved metadata and the full trust chain in a single response.

Real-World Analogy

It's like calling to verify someone's employment. You call the university to confirm the professor works there — they say their accreditation comes from the National Education Board. You call the Board, who confirms. Bottom-up: start with the person, climb up until you reach an authority you already trust.