oidf-structure April 2026
Lindström Informational [Page]
Published:
Author:
M. Lindström
The Swedish Agency for Digital Government (Digg)

Sweden Connect - OpenID Federation Structure - draft 00

Abstract

The Sweden Connect identity federation for OpenID Connect is built upon OpenID Federation [OpenID.Federation]. This federation technique is relatively new, and full support for this standard by all participants within the federation cannot be assumed.

This document describes the Sweden Connect OpenID Federation structure and provides information for Relying Parties and OpenID Providers that do not fully support [OpenID.Federation].

1. Introduction

1.1. Terminology

This document uses the terms "OpenID Provider (OP)" and "Relying Party (RP)" as defined by OpenID Connect Core 1.0 [OpenID.Core], and the terms "Entity", "Entity Configuration", "Subordinate Statement", "Intermediate Entity", "Subordinate Entity", "Superior Entity", "Trust Anchor", "Trust Mark", and "Trust Mark Issuer" as defined in OpenID Federation 1.0 [OpenID.Federation].

2. Federation Structure

The Sweden Connect OpenID Federation structure can be visualized as shown below:

Figure 1: OpenID Federation structure for Sweden Connect.

Sweden Connect Trust Anchor

The Trust Anchor is the root of the federation and defines policies and constraints that apply to the entire federation. Participants within the federation configure trust in the federation by trusting the Trust Anchor federation key; see Section 7, Sweden Connect Federation Environments, below.

Resolver

The Trust Anchor exposes a "resolver endpoint" according to Section 8.3 of [OpenID.Federation]. See Section 4, Resolving Metadata, below.

Trust Mark Issuers

There are two Trust Mark Issuers within the Sweden Connect federation: one that issues Trust Marks asserting that an OpenID Provider has been approved for issuing tokens under specific "Level of Assurance" URI:s, and one that issues Trust Marks indicating that an RP or OP has signed a particular Sweden Connect contract. See Section 5, Trust Marks, below.

Sweden Connect RP Registration Intermediate

An Intermediate Entity that is responsible for registering OpenID Connect Relying Parties to the federation. This entity issues Subordinate Statements for all RP:s joining the federation, and also supports hosting of RP Entity Configurations for those RP:s that lack sufficient OpenID Federation support. See also Section 3.1, Registering a Relying Party, below.

Sweden Connect OP Registration Intermediate

An Intermediate Entity that is responsible for registering OpenID Connect Providers to the federation. See Section 3.2, Registering an OpenID Provider, below.

3. Registering to the Federation

3.1. Registering a Relying Party

3.2. Registering an OpenID Provider

4. Resolving Metadata

5. Trust Marks

Section 7 of [OpenID.Federation] describes Trust Marks XXX

5.1. Level of Assurance Trust Marks

Table 1: Trust Mark types for Level of Assurances.

| Trust Mark Type | Description |
|---|---|
| https://id.swedenconnect.se/loa/loa2 | A holder of this Trust Mark has been approved by the Swedish Agency for Digital Government (Digg) for Level of Assurance 2 (LoA 2). |
| https://id.swedenconnect.se/loa/loa3 | A holder of this Trust Mark has been approved by the Swedish Agency for Digital Government (Digg) for Level of Assurance 3 (LoA 3). |
| https://id.swedenconnect.se/loa/loa4 | A holder of this Trust Mark has been approved by the Swedish Agency for Digital Government (Digg) for Level of Assurance 4 (LoA 4). |

Note: The ACR values to be used in OpenID Connect requests and responses are defined in Section 3.1.1 of [SC.Registry]. For historical reasons, these values do not correspond to the Trust Mark types defined above.

5.2. Sweden Connect Contract Trust Marks

Table 2: Trust Mark types for contracts and agreements.

| Trust Mark Type | Description |
|---|---|
| https://id.swedenconnect.se/contract/sc/eid-authorization-system | A Trust Mark type that is assigned to all Relying Parties that have signed the Auktorisationssystem för elektronisk identifiering contract and the OpenID Providers that deliver authentication services according to this contract. |

6. Joining with Limited Support for OpenID Federation

7. Sweden Connect Federation Environments

This section provides information about the different Sweden Connect environments.

7.2. QA

TODO

7.3. Sandbox

Sweden Connect Federation Tool: https://fed-tool.sandbox.swedenconnect.se

7.3.1. Trust Anchor

Entity Identifier: https://fed.sandbox.swedenconnect.se/trustanchor

Resolve Endpoint: https://fed.sandbox.swedenconnect.se/trustanchor/resolve

Trust Anchor Federation Key:

As PEM-encoded key file:

-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAythak2N9X+iWmumBTIpVyfxnFk5T
LFMyBe6SrKj6ZXaY3KSZpN25nsneEtGZsJACmo8cC7iCHvkJY8dJge44yQUBCk97
K3liYsy1/BYYQ4YZIqGo9ZAEhb4Fshb0qMnjgqzXjjF0BFIfwRfdZ50eo+kl9H/o
F8Lhw1F3eNYbZsY9dp8=
-----END PUBLIC KEY-----

As JWK:

{
  "crv": "P-521",
  "kty": "EC",
  "x": "AMrYWpNjfV_olprpgUyKVcn8ZxZOUyxTMgXukqyo-mV2mNykmaTduZ7J3hLRmbCQApqPHAu4gh75CWPHSYHuOMkF",
  "y": "AQpPeyt5YmLMtfwWGEOGGSKhqPWQBIW-BbIW9KjJ44Ks144xdARSH8EX3WedHqPpJfR_6BfC4cNRd3jWG2bGPXaf",
  "kid": "a1AS1po4oSDsTlUQ579XSeEjslh3lrVlFDhVmNyiIiQ=",
  "alg": "ES512",
  "use": "sig"
}
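
Before pinning the sandbox Trust Anchor key, a participant can confirm that the PEM and JWK forms given above describe the same P-521 point. The following is an added example, not part of the original document; the function names are illustrative and it uses only the Python standard library.

```python
import base64

# Sandbox Trust Anchor key, copied from the PEM and JWK blocks in Section 7.3.1.
TRUST_ANCHOR_PEM = """-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAythak2N9X+iWmumBTIpVyfxnFk5T
LFMyBe6SrKj6ZXaY3KSZpN25nsneEtGZsJACmo8cC7iCHvkJY8dJge44yQUBCk97
K3liYsy1/BYYQ4YZIqGo9ZAEhb4Fshb0qMnjgqzXjjF0BFIfwRfdZ50eo+kl9H/o
F8Lhw1F3eNYbZsY9dp8=
-----END PUBLIC KEY-----"""
TRUST_ANCHOR_JWK = {
    "kty": "EC", "crv": "P-521",
    "x": "AMrYWpNjfV_olprpgUyKVcn8ZxZOUyxTMgXukqyo-mV2mNykmaTduZ7J3hLRmbCQApqPHAu4gh75CWPHSYHuOMkF",
    "y": "AQpPeyt5YmLMtfwWGEOGGSKhqPWQBIW-BbIW9KjJ44Ks144xdARSH8EX3WedHqPpJfR_6BfC4cNRd3jWG2bGPXaf",
}

# DER header of a SubjectPublicKeyInfo carrying an uncompressed P-521 point:
# SEQUENCE { id-ecPublicKey, secp521r1 }, BIT STRING with 0 unused bits, 0x04.
P521_SPKI_HEADER = bytes.fromhex("30819b301006072a8648ce3d020106052b810400230381860004")
COORD_LEN = 66  # bytes per coordinate: ceil(521 / 8)

def pem_to_der(pem):
    """Strip the PEM armour and decode the base64 body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)

def spki_coordinates(der):
    """Return (x, y) from a P-521 SubjectPublicKeyInfo, rejecting anything else."""
    if len(der) != len(P521_SPKI_HEADER) + 2 * COORD_LEN:
        raise ValueError("unexpected SubjectPublicKeyInfo length for P-521")
    if not der.startswith(P521_SPKI_HEADER):
        raise ValueError("not an uncompressed P-521 EC public key")
    point = der[len(P521_SPKI_HEADER):]
    return point[:COORD_LEN], point[COORD_LEN:]

def b64url_decode(value):
    """Decode unpadded base64url as used for JWK members."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def jwk_matches_pem(jwk, pem):
    """True only if the JWK is a P-521 EC key with the same point as the PEM key."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-521":
        return False
    x, y = spki_coordinates(pem_to_der(pem))
    return b64url_decode(jwk["x"]) == x and b64url_decode(jwk["y"]) == y

if __name__ == "__main__":
    print("JWK and PEM agree:", jwk_matches_pem(TRUST_ANCHOR_JWK, TRUST_ANCHOR_PEM))
```

A mismatch between the two forms means one of them was copied or converted incorrectly and neither should be pinned until the source is rechecked.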

As PEM-encoded X.509 certificate:


7.3.2. Trust Mark Issuers

7.3.2.1. Level of Assurance Trust Mark Issuer

Entity Identifier: https://fed.sandbox.swedenconnect.se/tmi-loa

Trust Mark Endpoint (for issuance): https://fed.sandbox.swedenconnect.se/tmi-loa/trust_mark

Trust Mark Status Endpoint (for status check): https://fed.sandbox.swedenconnect.se/tmi-loa/trust_mark_status

7.3.2.2. Sweden Connect Contracts Trust Mark Issuer

Entity Identifier: https://fed.sandbox.swedenconnect.se/tmi-contracts

Trust Mark Endpoint (for issuance): https://fed.sandbox.swedenconnect.se/tmi-contracts/trust_mark

Trust Mark Status Endpoint (for status check): https://fed.sandbox.swedenconnect.se/tmi-contracts/trust_mark_status

7.3.3. Registration Intermediate Entities

7.3.3.1. RP Registration Intermediate

Registration Portal URL: TBD

Entity Identifier: https://fed.sandbox.swedenconnect.se/im-reg-sc

Federation List Endpoint: https://fed.sandbox.swedenconnect.se/im-reg-sc/subordinate_listing

7.3.3.2. OP Registration Intermediate

Entity Identifier: https://fed.sandbox.swedenconnect.se/im-reg-sc-op

Federation List Endpoint: https://fed.sandbox.swedenconnect.se/im-reg-sc-op/subordinate_listing

8. Support

9. Normative References

[OpenID.Core]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", <http://openid.net/specs/openid-connect-core-1_0.html>.

[OpenID.Federation]
Hedberg, R., Jones, M. B., Solberg, A., Bradley, J., Marco, G. D., and V. Dzhuvinov, "OpenID Federation 1.0", <https://openid.net/specs/openid-federation-1_0.html>.

[SC.Registry]
Lindström, M. and S. Santesson, "Sweden Connect - Registry for identifiers", <https://docs.swedenconnect.se/technical-framework/latest/03_-_Registry_for_Identifiers.html>.

Appendix A. Notices

Copyright (c) The Swedish Agency for Digital Government (Digg), 2015-2026. All Rights Reserved.

Appendix B. Document History

[[ To be removed from the final specification ]]

-00

Author's Address

Martin Lindström
The Swedish Agency for Digital Government (Digg)