oidf-structure June 2026
Lindström Informational
Author: M. Lindström, The Swedish Agency for Digital Government (Digg)

Sweden Connect - OpenID Federation Structure - draft 00

Abstract

The Sweden Connect identity federation for OpenID Connect is built upon OpenID Federation [OpenID.Federation]. This federation technique is relatively new, and full support for this standard by all participants within the federation cannot be assumed.

This document describes the Sweden Connect OpenID Federation structure and provides information for Relying Parties and OpenID Providers that do not fully support [OpenID.Federation].

1. Introduction

1.1. Terminology

This document uses the terms "OpenID Provider (OP)" and "Relying Party (RP)" as defined by OpenID Connect Core 1.0 [OpenID.Core], and the terms "Entity", "Entity Configuration", "Subordinate Statement", "Intermediate Entity", "Subordinate Entity", "Superior Entity", "Trust Anchor", "Trust Mark", and "Trust Mark Issuer" as defined in OpenID Federation 1.0 [OpenID.Federation].

2. Federation Structure

The Sweden Connect OpenID Federation structure can be visualized as shown below:

Figure 1: OpenID Federation structure for Sweden Connect.

Sweden Connect Trust Anchor

The Trust Anchor is the root of the federation and defines policies and constraints that apply to the entire federation. Participants within the federation configure trust in the federation by trusting the Trust Anchor federation key; see Sweden Connect Federation Environments below.

Resolver

The Trust Anchor exposes a "resolver endpoint" according to Section 8.3 of [OpenID.Federation]. See Section 4, Resolving Metadata, below.

Trust Mark Issuers

There are two Trust Mark Issuers within the Sweden Connect federation: one issuer that issues Trust Marks asserting that OpenID Providers have been approved for issuing tokens under specific "Level of Assurance" URIs, and one issuer that issues Trust Marks indicating that an RP or OP has signed a particular Sweden Connect contract. See Section 5, Trust Marks, below.

Sweden Connect RP Registration Intermediate

An Intermediate Entity that is responsible for registering OpenID Connect Relying Parties to the federation. This entity issues Subordinate Statements for all RPs joining the federation, and also supports hosting of RP Entity Configurations for those RPs that lack sufficient OpenID Federation support. See also Section 3.1, Registering a Relying Party, below.

Sweden Connect OP Registration Intermediate

An Intermediate Entity that is responsible for registering OpenID Connect Providers to the federation. See Section 3.2, Registering an OpenID Provider, below.

3. Registering to the Federation

3.1. Registering a Relying Party

3.2. Registering an OpenID Provider

4. Resolving Metadata

5. Trust Marks

Section 7 of [OpenID.Federation] describes Trust Marks XXX

5.1. Level of Assurance Trust Marks

Table 1: Trust Mark types for Levels of Assurance.

| Trust Mark Type | Description |
|---|---|
| https://id.swedenconnect.se/loa/loa2 | A holder of this Trust Mark has been approved by the Swedish Agency for Digital Government (Digg) for Level of Assurance 2 (LoA 2). |
| https://id.swedenconnect.se/loa/loa3 | A holder of this Trust Mark has been approved by the Swedish Agency for Digital Government (Digg) for Level of Assurance 3 (LoA 3). |
| https://id.swedenconnect.se/loa/loa4 | A holder of this Trust Mark has been approved by the Swedish Agency for Digital Government (Digg) for Level of Assurance 4 (LoA 4). |

Note: ACR values to be used in OpenID Connect requests and responses are defined in Section 3.1.1 of [SC.Registry]. For historical reasons, these values do not correspond to the defined Trust Mark types.

5.2. Sweden Connect Contract Trust Marks

Table 2: Trust Mark types for contracts and agreements.

| Trust Mark Type | Description |
|---|---|
| https://id.swedenconnect.se/contract/sc/eid-authorization-system | A Trust Mark type that is assigned to all Relying Parties that have signed the Auktorisationssystem för elektronisk identifiering contract and the OpenID Providers that deliver authentication services according to this contract. |

6. Joining with Limited Support for OpenID Federation

7. Sweden Connect Federation Environments

This section provides information about the different Sweden Connect environments.

7.2. QA

7.2.1. Trust Anchor

Entity Identifier: https://qa.fed.swedenconnect.se/trustanchor
Resolve Endpoint: https://qa.fed.swedenconnect.se/trustanchor/resolve

Trust Anchor Federation Key:

As PEM-encoded key file:

-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA0aliFcJ5cpnNjTz87tX6jLdoKTFr
bjLiiwGNBCJrDJWUpPcZtQ36yIXBUqu9p3oe7Og1LZD1kIjIht+myoIlLScA90D5
1nGPdiEsLJlXGgXNsEbhLCOFOul29PcCLp0Vw/t2EpvSVfBXIsa1GigOSKt68iF7
7Ep5V/gWjmlyvYs+2uQ=
-----END PUBLIC KEY-----

As JWK:

{
  "crv": "P-521",
  "kty": "EC",
  "x": "ANGpYhXCeXKZzY08_O7V-oy3aCkxa24y4osBjQQiawyVlKT3GbUN-siFwVKrvad6HuzoNS2Q9ZCIyIbfpsqCJS0n",
  "y": "APdA-dZxj3YhLCyZVxoFzbBG4SwjhTrpdvT3Ai6dFcP7dhKb0lXwVyLGtRooDkirevIhe-xKeVf4Fo5pcr2LPtrk",
  "kid": "TfbPleG2EedBwk48xweaD4PMJUtJfkTUlpJBX1EWmJM=",
  "alg": "ES512",
  "use": "sig"
}
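
A participant pinning the QA Trust Anchor key can confirm that the PEM and JWK forms published above describe the same P-521 public key before configuring either one. The following Python check is an added example, not part of the Sweden Connect specification; the function names are illustrative, and it compares encodings only (it does not test that the point lies on the curve).

```python
import base64

# DER prefix of a SubjectPublicKeyInfo carrying an uncompressed P-521 point:
# SEQUENCE { SEQUENCE { id-ecPublicKey, secp521r1 }, BIT STRING { 00 04 X Y } }
P521_SPKI_PREFIX = bytes.fromhex(
    "30819b301006072a8648ce3d020106052b810400230381860004")
COORD_LEN = 66  # octets per coordinate: ceil(521 / 8)

def pem_to_point(pem):
    """Return (X, Y) from a PEM "PUBLIC KEY" block holding a P-521 key."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("not a PEM public key")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if len(der) != len(P521_SPKI_PREFIX) + 2 * COORD_LEN or not der.startswith(P521_SPKI_PREFIX):
        raise ValueError("not an uncompressed P-521 SubjectPublicKeyInfo")
    point = der[len(P521_SPKI_PREFIX):]
    return point[:COORD_LEN], point[COORD_LEN:]

def jwk_to_point(jwk):
    """Return (X, Y) from an EC JWK after checking curve and coordinate size."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-521":
        raise ValueError("not a P-521 EC JWK")
    coords = tuple(base64.urlsafe_b64decode(jwk[k] + "=" * (-len(jwk[k]) % 4)) for k in ("x", "y"))
    if any(len(c) != COORD_LEN for c in coords):
        raise ValueError("coordinate is not 66 octets")
    return coords

def same_key(pem, jwk):
    """True when both encodings carry the same public point."""
    return pem_to_point(pem) == jwk_to_point(jwk)

# QA Trust Anchor federation key, copied from this section.
QA_PEM = """-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA0aliFcJ5cpnNjTz87tX6jLdoKTFr
bjLiiwGNBCJrDJWUpPcZtQ36yIXBUqu9p3oe7Og1LZD1kIjIht+myoIlLScA90D5
1nGPdiEsLJlXGgXNsEbhLCOFOul29PcCLp0Vw/t2EpvSVfBXIsa1GigOSKt68iF7
7Ep5V/gWjmlyvYs+2uQ=
-----END PUBLIC KEY-----"""
QA_JWK = {
    "kty": "EC", "crv": "P-521",
    "x": "ANGpYhXCeXKZzY08_O7V-oy3aCkxa24y4osBjQQiawyVlKT3GbUN-siFwVKrvad6HuzoNS2Q9ZCIyIbfpsqCJS0n",
    "y": "APdA-dZxj3YhLCyZVxoFzbBG4SwjhTrpdvT3Ai6dFcP7dhKb0lXwVyLGtRooDkirevIhe-xKeVf4Fo5pcr2LPtrk",
}

if __name__ == "__main__":
    print("PEM and JWK match:", same_key(QA_PEM, QA_JWK))
```

A `ValueError` from either parser means the input is not the expected P-521 encoding and should be treated as a configuration error rather than as a mismatch.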

As PEM-encoded X.509 certificate:


7.2.2. Trust Mark Issuers

7.2.2.1. Level of Assurance Trust Mark Issuer

Entity Identifier: https://qa.fed.swedenconnect.se/tmi-loa
Trust Mark Endpoint (for issuance): https://qa.fed.swedenconnect.se/tmi-loa/trust_mark
Trust Mark Status Endpoint (for status check): https://qa.fed.swedenconnect.se/tmi-loa/trust_mark_status

7.2.2.2. Sweden Connect Contracts Trust Mark Issuer

Entity Identifier: https://qa.fed.swedenconnect.se/tmi-contracts
Trust Mark Endpoint (for issuance): https://qa.fed.swedenconnect.se/tmi-contracts/trust_mark
Trust Mark Status Endpoint (for status check): https://qa.fed.swedenconnect.se/tmi-contracts/trust_mark_status

7.2.3. Registration Intermediate Entities

7.2.3.1. RP Registration Intermediate

Registration Portal URL: TBD
Entity Identifier: https://qa.fed.swedenconnect.se/im-reg-sc
Federation List Endpoint: https://qa.fed.swedenconnect.se/im-reg-sc/subordinate_listing

7.2.3.2. OP Registration Intermediate

Entity Identifier: https://qa.fed.swedenconnect.se/im-reg-sc-op
Federation List Endpoint: https://qa.fed.swedenconnect.se/im-reg-sc-op/subordinate_listing

7.3. Sandbox

Sweden Connect Federation Tool: https://fed-tool.sandbox.swedenconnect.se

7.3.1. Trust Anchor

Entity Identifier: https://fed.sandbox.swedenconnect.se/trustanchor
Resolve Endpoint: https://fed.sandbox.swedenconnect.se/trustanchor/resolve

Trust Anchor Federation Key:

As PEM-encoded key file:

-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAythak2N9X+iWmumBTIpVyfxnFk5T
LFMyBe6SrKj6ZXaY3KSZpN25nsneEtGZsJACmo8cC7iCHvkJY8dJge44yQUBCk97
K3liYsy1/BYYQ4YZIqGo9ZAEhb4Fshb0qMnjgqzXjjF0BFIfwRfdZ50eo+kl9H/o
F8Lhw1F3eNYbZsY9dp8=
-----END PUBLIC KEY-----

As JWK:

{
  "crv": "P-521",
  "kty": "EC",
  "x": "AMrYWpNjfV_olprpgUyKVcn8ZxZOUyxTMgXukqyo-mV2mNykmaTduZ7J3hLRmbCQApqPHAu4gh75CWPHSYHuOMkF",
  "y": "AQpPeyt5YmLMtfwWGEOGGSKhqPWQBIW-BbIW9KjJ44Ks144xdARSH8EX3WedHqPpJfR_6BfC4cNRd3jWG2bGPXaf",
  "kid": "a1AS1po4oSDsTlUQ579XSeEjslh3lrVlFDhVmNyiIiQ=",
  "alg": "ES512",
  "use": "sig"
}

As PEM-encoded X.509 certificate:


7.3.2. Trust Mark Issuers

7.3.2.1. Level of Assurance Trust Mark Issuer

Entity Identifier: https://fed.sandbox.swedenconnect.se/tmi-loa
Trust Mark Endpoint (for issuance): https://fed.sandbox.swedenconnect.se/tmi-loa/trust_mark
Trust Mark Status Endpoint (for status check): https://fed.sandbox.swedenconnect.se/tmi-loa/trust_mark_status

7.3.2.2. Sweden Connect Contracts Trust Mark Issuer

Entity Identifier: https://fed.sandbox.swedenconnect.se/tmi-contracts
Trust Mark Endpoint (for issuance): https://fed.sandbox.swedenconnect.se/tmi-contracts/trust_mark
Trust Mark Status Endpoint (for status check): https://fed.sandbox.swedenconnect.se/tmi-contracts/trust_mark_status

7.3.3. Registration Intermediate Entities

7.3.3.1. RP Registration Intermediate

Registration Portal URL: TBD
Entity Identifier: https://fed.sandbox.swedenconnect.se/im-reg-sc
Federation List Endpoint: https://fed.sandbox.swedenconnect.se/im-reg-sc/subordinate_listing

7.3.3.2. OP Registration Intermediate

Entity Identifier: https://fed.sandbox.swedenconnect.se/im-reg-sc-op
Federation List Endpoint: https://fed.sandbox.swedenconnect.se/im-reg-sc-op/subordinate_listing

8. Normative References

[OpenID.Core]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", <http://openid.net/specs/openid-connect-core-1_0.html>.

[OpenID.Federation]
Hedberg, R., Jones, M. B., Solberg, A., Bradley, J., Marco, G. D., and V. Dzhuvinov, "OpenID Federation 1.0", <https://openid.net/specs/openid-federation-1_0.html>.

[SC.Registry]
Lindström, M. and S. Santesson, "Sweden Connect - Registry for identifiers", <https://docs.swedenconnect.se/technical-framework/latest/03_-_Registry_for_Identifiers.html>.

Appendix A. Notices

Copyright (c) The Swedish Agency for Digital Government (Digg), 2015-2026. All Rights Reserved.

Appendix B. Document History

[[ To be removed from the final specification ]]

-00

Author's Address

Martin Lindström
The Swedish Agency for Digital Government (Digg)