openid-federation-organization-identifie February 2026
Jones, et al. Standards Track [Page]
Workgroup:
OpenID Connect A/B
Published:
Authors:
M.B. Jones
Self-Issued Consulting
M. Lindström
IDsec Solutions
S. Santesson
IDsec Solutions

OpenID Federation Organization Identifier Metadata Parameter 1.0 - draft 01

Abstract

An Entity within a federation is, in almost all cases, owned by an organization. In many cases, an actor within the federation needs to know which organization that is behind a given Entity. Reasons for this may be invoicing, bilateral agreements or accountability. Therefore, an Entity needs to have a mechanism to uniquely represent the organization to which it belongs.

This specification defines the organization_identifier metadata parameter that allows Entities to declare an unique organization identifier.

Table of Contents

1. Introduction

OpenID Federation [OpenID.Federation] provides a framework for establishing trust between Entities through cryptographically verifiable metadata and Trust Chains. While this framework enables secure discovery and validation of technical and operational properties of Entities, it does not provide a standard mechanism for identifying the organization that owns or operates a given Entity.

In practice, most Entities within a federation are operated by organizations rather than individuals. Federation participants and operators may therefore need to determine which organization stands behind a particular Entity. This information can be required for purposes such as invoicing, establishing bilateral or contractual agreements, policy enforcement, or accountability and incident handling.

This specification introduces the organization_identifier metadata parameter, which allows an Entity to declare a unique identifier for the organization to which it belongs. The identifier is intended to be stable, unambiguous within the federation, and suitable for use in administrative and policy-driven processes. The precise format and semantics of the identifier are federation specific and are expected to be defined by federations that choose to support this parameter.

1.1. Requirements Notation and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.2. Terminology

This specification uses the terms "OpenID Provider (OP)" and "Relying Party (RP)" as defined by OpenID Connect Core 1.0 [OpenID.Core], the terms "Authorization Server (AS)", "Client", and "Protected Resource" defined by OAuth 2.0 [RFC6749], and the terms "Entity", "Subordinate Statement", "Intermediate Entity", "Subordinate Entity", and "Superior Entity" defined in OpenID Federation 1.0 [OpenID.Federation].

2. The organization_identifier Metadata Parameter

This specification extends [OpenID.Federation] with the following metadata parameter:

organization_identifier

OPTIONAL. A string that uniquely identifies the organization owning this Entity. The format of this identifier is context specific and SHOULD be defined by federations supporting the parameter. 
"metadata" : {
  "openid_relying_party" : {
    "organization_name#en" : "Example Company",
    "organization_name#sv" : "Exampelföretaget",
    "organization_identifier" : "urn:glue:lei:529900T8BM49AURSDO55",
    ...
  }
},

Example: An excerpt of an OpenID Relying Party's metadata, where the Entity is owned by "Example Company". In this example, the company is uniquely identified using a Legal Entity Identifier [LEI], represented as a GLUE URI [I-D.ietf-spice-glue-id].

3. Security Considerations

3.1. Trusting the Organization Identifier

Allowing an Entity to declare the organization_identifier value in its own metadata introduces potential risks if this value is not subject to appropriate controls. In particular, an Entity could falsely claim association with an organization to which it does not belong. If other federation participants rely on this value without additional validation, this could lead to incorrect trust decisions, misdirected contractual relationships, or incorrect attribution of responsibility.

To mitigate this risk, federations MAY apply policies that ensure that the organization_identifier value is constrained and validated by the Superior Entity before it is relied upon. One effective mitigation is for the Superior Entity to define a fixed organization_identifier value in its metadata policy for a Subordinate Entity. This prevents the Subordinate Entity from arbitrarily setting or changing this value.

By enforcing the value for organization_identifier through metadata policy, the Superior Entity effectively vouches for the association between the Entity and the identified organization.

"metadata_policy" : {
  "openid_relying_party": {
    "organization_identifier": {
      "value": "urn:glue:iso6523:0195:5590026352"
    }
  }
}

Example: An example of a metadata policy in a Subordinate Statement, where the organization_identifier is set to a fixed, validated value. In this case, the identifier is expressed in the [ISO.6523] format using a GLUE URI [I-D.ietf-spice-glue-id].

4. IANA Considerations

4.1. OAuth Dynamic Client Registration Metadata Registration

This specification registers the following client metadata entry in the IANA "OAuth Dynamic Client Registration Metadata" registry [IANA.OAuth.Parameters] established by [RFC7591].

  • Client Metadata Name: organization_identifier
  • Client Metadata Description: A string that uniquely identifies the organization that owns a Client/RP
  • Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
  • Specification Document(s): Section 2 of this specification

4.2. OAuth Authorization Server Metadata Registration

This specification registers the following metadata entries in the IANA "OAuth Authorization Server Metadata" registry [IANA.OAuth.Parameters] established by [RFC8414].

  • Metadata Name: organization_identifier
  • Metadata Description: A string that uniquely identifies the organization that owns an AS/OP
  • Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
  • Specification Document(s): Section 2 of this specification

4.3. OAuth Protected Resource Metadata Registration

This specification registers the following protected resource metadata entries in the IANA "OAuth Protected Resource Metadata" registry [IANA.OAuth.Parameters] established by [RFC9728].

  • Metadata Name: organization_identifier
  • Metadata Description: A string that uniquely identifies the organization that owns a Protected Resource
  • Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
  • Specification Document(s): Section 2 of this specification

5. Acknowledgments

We would like to thank the following individuals for their comments, ideas, and contributions to this implementation profile and to the initial set of implementations.

6. Normative References

[IANA.OAuth.Parameters]
IANA, "IANA, "OAuth Parameters"", <https://www.iana.org/assignments/oauth-parameters>.
[OpenID.Core]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", , <http://openid.net/specs/openid-connect-core-1_0.html>.
[OpenID.Federation]
Hedberg, R., Jones, M. B., Solberg, A., Bradley, J., Marco, G. D., and V. Dzhuvinov, "OpenID Federation 1.0", , <https://openid.net/specs/openid-federation-1_0.html>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/info/rfc6749>.
[RFC7591]
Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", RFC 7591, DOI 10.17487/RFC7591, , <https://www.rfc-editor.org/info/rfc7591>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC8414]
Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, , <https://www.rfc-editor.org/info/rfc8414>.
[RFC9728]
Jones, M.B., Hunt, P., and A. Parecki, "OAuth 2.0 Protected Resource Metadata", RFC 9728, DOI 10.17487/RFC9728, , <https://www.rfc-editor.org/info/rfc9728>.

7. Informative References

[I-D.ietf-spice-glue-id]
Zundel, B., Dingle, P., and M. B. Jones, "GLobal Unique Enterprise (GLUE) Identifiers", Work in Progress, Internet-Draft, draft-ietf-spice-glue-id-05, , <https://datatracker.ietf.org/doc/html/draft-ietf-spice-glue-id-05>.
[ISO.6523]
"ISO/IEC 6523-1:2023. Part 1: Identification of organization identification schemes", , <https://www.iso.org/standard/82246.html>.
[LEI]
"Legal Entity Identifier (LEI)", , <https://www.iso.org/standard/78829.html>.

Appendix A. Notices

Copyright (c) 2026 The OpenID Foundation.

The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that MAY cover technology that MAY be required to practice this specification.

Appendix B. Document History

[[ To be removed from the final specification ]]

-01

-00

Authors' Addresses

Michael B. Jones
Self-Issued Consulting
Martin Lindström
IDsec Solutions
Stefan Santesson
IDsec Solutions