Lesson 1 — What is OpenID Federation?

The Problem

Imagine a world where every application that needs to verify a user's identity must establish a direct, individual relationship with every identity provider. With 5 apps and 4 identity providers, that's 20 separate connections to configure, secure, and maintain. As the ecosystem grows, the number of bilateral relationships explodes — it's an N × N problem.

OpenID Federation solves this by introducing a trust hierarchy. Instead of every entity connecting to every other, entities join a federation where trust is mediated by a Trust Anchor — a trusted third party at the top of the hierarchy (§1.2). Intermediates can further delegate authority, creating a clean, scalable tree.

See the Difference

Fig. 1aWithout federation — every application authenticates directly against every identity provider. 5 × 4 = 20 bilateral relationships.

Key Takeaway

Without federation, trust relationships grow as N × M (every app times every identity provider). With federation, entities only need to trust the hierarchy — turning it into a linear problem (§4).

Real-World Analogy

Think of international travel. Countries don't individually verify every traveler — they trust the passport system. Your country (Trust Anchor) issues your passport, and other countries trust that authority. Federation works the same way: entities trust the issuing authority rather than individually verifying every peer.

Key Terms Introduced

Multilateral Federation

Abstract

Federation where bilateral agreements are impractical; trust is mediated by a trusted third party.

Entity

Section 1.2

Something with separate and distinct existence that can be identified in a context.

Entity Identifier

Section 1.2

A globally unique URL using the https scheme with a host component. MAY contain port and path. MUST NOT contain query parameter or fragment components.

Trust Anchor

Section 1.2

The top-level authority in a federation. Every Trust Chain ends at a Trust Anchor. Represents a trusted third party whose keys are distributed out-of-band.

Trust

Section 1.2

Cryptographic assurance verified through signed statements up a chain of authority.

Scalability

Abstract

Federation turns the N-squared bilateral problem into a linear, hierarchical one.