[Openid-specs-ab] Issue #2122: Allow metadata policy in Trust Anchor Entity Configuration (openid/connect)
Stefan Santesson
issues-reply at bitbucket.org
Thu Feb 29 22:52:10 UTC 2024
New issue 2122: Allow metadata policy in Trust Anchor Entity Configuration
https://bitbucket.org/openid/connect/issues/2122/allow-metadata-policy-in-trust-anchor
Stefan Santesson:
I think I have found the best approach so far to allow federation interconnection without creating policy merge conflicts.
Figure 1 actually shows how to do it:
Trust Anchor B in this illustration chains to the RS under Trust Anchor A without having to include the policy of Trust Anchor A in its chain validation. This is done by bypassing the policy set by Trust Anchor A by a direct link from Trust Anchor B to the Intermediate under Trust Anchor A.
Well, this could be done even on the TA level IF the TA would be allowed to specify metadata policy also in its Trust Anchor Entity Configuration.
The provided image illustrates that metadata policies expressed in the Entity Configuration of the TA will only be processed by those actually using TA A as their trust anchor. Anyone chaining to another Trust Anchor further up will not include the policy in the Entity Configuration.
This creates the same bypass effect as in Figure 1, but instead of having to do this on all entities under TA 1, we can now do it for all entities under TA 1 in one go.
I therefore propose that we can solve this long debated issue by simply allowing TA to set policy both in its Entity Configuration AND in individual Entity Statements for individual subordinates.
The difference is that policy in TA Entity Configuration will apply to all subordinates, but only when you chain to TA A as your trust anchor which terminates the chain in the Entity Configuration of the TA.
A policy in an individual Entity Statement on the other hand only applies to that subordinate entity and its subordinates. But this policy gets processed also when the chain terminates in another superior Trust Anchor (as illustrated).
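The chain resolution the post describes, as an added example that is not part of the original post or of any OpenID Federation implementation: a simplified Python resolver over constructed Entity Configurations and Subordinate Statements (placeholder URLs and claims), in which a TA's Entity Configuration policy is applied only when that Entity Configuration terminates the chain, while Subordinate Statement policies apply in every chain that passes through them. The merge rules are reduced to `add` (union), `subset_of` (intersection) and equality for everything else.

```python
# Constructed sample statements; the URLs are placeholders, not real entities.
LEAF_EC = {"iss": "https://rp.example", "sub": "https://rp.example", "metadata": {
    "openid_relying_party": {"grant_types": ["authorization_code", "implicit"],
                             "contacts": ["ops@rp.example"]}}}
INT_ES = {"iss": "https://int-a.example", "sub": "https://rp.example", "metadata_policy": {
    "openid_relying_party": {"contacts": {"add": ["helpdesk@int-a.example"]}}}}
TA_A_ES = {"iss": "https://ta-a.example", "sub": "https://int-a.example", "metadata_policy": {
    "openid_relying_party": {"contacts": {"add": ["abuse@ta-a.example"]}}}}
TA_A_EC = {"iss": "https://ta-a.example", "sub": "https://ta-a.example", "metadata_policy": {
    "openid_relying_party": {"grant_types": {"subset_of": ["authorization_code"]}}}}  # proposed
TA_B_ES = {"iss": "https://ta-b.example", "sub": "https://ta-a.example"}
TA_B_EC = {"iss": "https://ta-b.example", "sub": "https://ta-b.example"}
CHAIN_A = [LEAF_EC, INT_ES, TA_A_ES, TA_A_EC]           # terminates in TA A's EC
CHAIN_B = [LEAF_EC, INT_ES, TA_A_ES, TA_B_ES, TA_B_EC]  # crosses TA A, ends at TA B

def collect_policies(chain):
    """Policies superior-first; a self-signed EC counts only when it ends the chain."""
    pols = []
    for stmt in reversed(chain):  # chain is ordered leaf -> trust anchor
        pol = stmt.get("metadata_policy", {}).get("openid_relying_party")
        if pol and (stmt["iss"] != stmt["sub"] or stmt is chain[-1]):
            pols.append(pol)
    return pols

def merge_policies(pols):
    """Superior-first merge: 'add' unions, 'subset_of' intersects, others must agree."""
    merged = {}
    for pol in pols:
        for claim, ops in pol.items():
            cur = merged.setdefault(claim, {})
            for op, val in ops.items():
                if op == "add":
                    cur[op] = list(dict.fromkeys(cur.get(op, []) + val))
                elif op == "subset_of" and op in cur:
                    cur[op] = [v for v in cur[op] if v in val]
                elif op in cur and cur[op] != val:
                    raise ValueError(f"policy merge conflict on {claim}.{op}")
                else:
                    cur[op] = val
    return merged

def resolve_rp_metadata(chain):
    """Apply the merged policy to the leaf's own openid_relying_party metadata."""
    out = dict(chain[0]["metadata"]["openid_relying_party"])
    for claim, ops in merge_policies(collect_policies(chain)).items():
        if "add" in ops:
            out[claim] = list(dict.fromkeys(out.get(claim, []) + ops["add"]))
        if "subset_of" in ops and claim in out:
            out[claim] = [v for v in out[claim] if v in ops["subset_of"]]
    return out
```

Resolving CHAIN_A restricts `grant_types` through TA A's Entity Configuration policy, while CHAIN_B, which crosses TA A on its way to TA B, keeps the leaf's full `grant_types` and still picks up the `contacts` additions from the Subordinate Statements.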