Resources

Part 5: Automated Trust: OpenID Federation & CDR-Style Accreditation

Identity AI Agent
Profile picture of SecureAuth Technology Team
SecureAuth Technology Team
July 15, 2025
8 min read

Introduction

In modern agentic AI systems, autonomous agents often need to access data or services across organizational boundaries. Establishing mutual trust between an enterprise and an external AI or SaaS provider is critical, especially as frameworks like the Model Context Protocol (MCP) emerge to connect AI assistants with enterprise data sources. (MCP is an open standard enabling secure, two-way connections between data sources and AI-powered tools.) In Part 4 of this series, we covered Dynamic Client Registration (DCR) and trust registries as a semi-automated way to onboard trusted clients. Now in Part 5, we evolve to OpenID Federation 1.0, a specification designed for fully automated, policy-governed trust establishment at scale.

OpenID Connect Federation 1.0 (OIDF 1.0) provides a standardized mechanism for parties with no prior direct relationship to dynamically establish trust based on digital signatures and agreed trust anchors. In essence, it allows an Identity Provider (IdP) and a Relying Party (RP) to accept each other’s identity assertions without manual pre-registration, by leveraging signed federation metadata and trust chains. This approach is well-suited to agentic AI and MCP integrations, where an enterprise IdP, AI service, and other SaaS components must rapidly form trust relationships under consistent policies. In this article, we provide a primer on OpenID Federation 1.0’s key innovations—from entity statements to trust chains—and illustrate how CDR-style accreditation (as seen in Open Banking/Consumer Data Right) can be implemented through federation policy. We will then explore practical use cases: onboarding an external AI agent via federation, and federating enterprise IdPs for AI delegation across domains.

OpenID Federation 1.0 Primer

OpenID Federation 1.0 extends OpenID Connect by introducing a federation layer for automating trust. The core idea is that every party (whether an IdP/Authorization Server, an RP/Client, or an intermediary authority) is a Federation Entity with its own signed metadata. Key innovations include:

  • Federation Entity & Metadata: Each entity publishes a JSON metadata document, called an Entity Configuration, at a well-known URL (e.g. https://entity.example.com/.well-known/openid-federation). This contains its identity (issuer URL), role (IdP, RP, etc.), cryptographic keys (JWKS), and other OIDC metadata, all self-signed by that entity’s private key. Because the entity signs its own configuration, it can be verified against the entity’s public key (included in the metadata as jwks), forming a base level of authenticity.
  • Entity Statements (Signed Metadata): Trust in OpenID Federation is established by having trusted authorities digitally sign the metadata of other entities. An Entity Statement is a JWT in which an issuer (an authority) asserts the metadata of a subject entity. For example, a federation operator or trust authority can issue a signed statement vouching for a client’s metadata. These statements are chained together to build trust.
  • Trust Chains: A trust chain is a sequence of entity statements (JWTs) linking a leaf entity (the party we want to trust, such as an RP or OP) to a Trust Anchor (a top-level authority everyone in the federation trusts). The leaf entity’s own self-signed configuration forms one link, intermediate authorities provide middle links, and finally a trust anchor provides the final link. Conceptually, this is analogous to a certificate chain in PKI (with trust anchors and intermediates similar to root and intermediate CAs). When the chain is cryptographically valid and the trust anchor is recognized, the two parties can trust each other’s credentials. Notably, trust chains are uni-directional: an RP validating an OP’s chain is one direction, and the OP validating the RP is another. For mutual trust, two trust chains (one in each direction) are needed, ensuring both IdP and client are accredited under a common framework.
  • Automatic Client Onboarding: Federation metadata includes provisions to automate client registration. For instance, an IdP’s metadata can indicate support for automatic registration of clients (via a client_registration_types field set to “automatic”). If an RP presents a valid trust chain, the IdP can accept it and issue tokens without any manual client setup. Similarly, an RP can automatically accept an IdP’s identity tokens if the IdP’s trust chain is valid. This eliminates the cumbersome exchange of static credentials or out-of-band registration, which is vital in dynamic AI-to-service interactions.

In summary, OIDF 1.0 creates a framework where trust is derived from cryptographic assertions and policies rather than prior agreements or hand-configured registries. Next, we delve into how these trust chains are discovered and verified in practice.

Trust Chain Discovery & Validation

Establishing trust via OIDF is all about discovering and validating the trust chain between entities. Let’s walk through how a trust chain is constructed and validated when, for example, an RP (AI client) encounters a new OP (enterprise IdP) it wishes to use:

  1. Entity Configuration Fetch: The RP starts by retrieving the OP’s entity configuration from its well-known URL (appending /.well-known/openid-federation to the OP’s issuer URL). This is a self-signed JWT from the OP containing its metadata and keys. Because it’s self-signed, it proves the OP controls that issuer URL and corresponding keys, but not yet that it’s trusted by any third party.
  2. Read Authority Hints: Inside the OP’s entity configuration, the authority_hints claim lists one or more candidate authorities that vouch for this OP. Think of these as pointers to the OP’s “parent” in a trust hierarchy (or members of a trust mesh). An authority can be a federation operator, trust framework authority, or any entity that has issued a statement about this OP. For example, an OP might list a trust federation URL or an accreditation authority’s entity ID in its authority_hints array, indicating who to ask about its trust status.
  3. Fetch Entity Statement from Authority: The RP then contacts each hinted authority’s federation fetch endpoint to retrieve an entity statement about the OP. (The authority’s fetch endpoint URL is published in its own entity configuration.) Essentially, the RP asks, “Do you have a signed statement for this subject (the OP)?” If the OP is indeed registered with that authority, the authority returns a JWT: an entity statement asserting the OP’s metadata, signed by the authority. This step is repeated iteratively: the RP may now have a statement from an intermediate authority, which itself might have an authority_hints pointing to a higher authority.
  4. Iterate up to Trust Anchor: The RP continues following authority hints up the chain, fetching statements from higher authorities, until it reaches a Trust Anchor. The trust anchor is a top-level authority (with no further parent) that the RP already explicitly trusts. For example, the trust anchor could be a well-known Federation Operator or an industry accreditation body. Once an entity statement from a trust anchor is obtained, the RP has built a complete trust chain from the OP up to this anchor. If one chain of authorities fails (e.g., an authority doesn’t recognize the subject), the RP can try alternate paths if multiple authority_hints were provided.
  5. Validate Signatures and Metadata: Now the RP validates the chain. This involves checking that each JWT in the chain is properly signed by the issuer’s key, that each link’s subject matches the next link’s issuer (forming a continuous chain), and crucially that the final link’s issuer is a trust anchor the RP recognizes. If any signature is invalid or the chain is broken, trust fails. If all signatures check out and the top issuer is trusted, the OP’s metadata is considered verified. At this point, the RP has confidence that the OP is an authorized member of a known federation and that the metadata (including keys, endpoints, etc.) can be trusted.
  6. Apply Policy (if any): During chain validation, the RP (and likewise an OP in reverse) also applies any metadata policy that the authorities have defined. OIDF 1.0 allows authorities to impose a metadata_policy in their statements—rules that constrain or adjust the subordinate’s metadata. For instance, a trust anchor might require that all tokens use specific algorithms or that certain claims be present. The RP will combine any policies from the trust anchor and intermediates and apply them to the OP’s metadata before using it. The effective result is a metadata set that is guaranteed to conform to the federation’s trust framework requirements.
  7. Establish Trust & Use Metadata: After successful validation and policy application, the RP deems the OP trustworthy. The RP can now use the OP’s metadata (e.g. issuer URL, JWKS keys, endpoints) to interact. For example, it can initiate an OIDC flow to this OP, confident that it’s dealing with a legitimate provider. Because the OP’s metadata likely advertised automatic client registration, the RP can even start sending authorization requests immediately—the OP will dynamically accept the RP because the RP itself will present a trust chain in its requests (the reverse direction).

Want to Read More!

Fill the Form Below and Download the complete Content.