The trust router's trusts.cfg file is in JSON format, and for processing and automation reasons, the format generated by the Moonshot portal lists each delimiter (square and curly brackets) on a separate line.
This page is designed to make the file easier to read and understand.
The top level
The top level of the trusts.cfg file defines three collections of entities, which are the communities in this trust infrastructure, the Identity Provider (IdP) realms and the Relying Party (RP) clients. The latter collection generally defines the organisations that are part of the infrastructure, because organisations will generally use one set of credentials for all their relying parties.
The communities collection contains the communities in this trust infrastructure. There is always a minimum of one community in a trust infrastructure, the Authentication Policy Community (APC). It is the over-arching community that includes all Relying Parties and Identity Providers. It is worth noting here that all realms in the idp_realms collection are also part of the rp_realms collection, as all identity providers are relying parties, but not all relying parties will be identity providers.
- The community ID, community_id, must be in FQDN format, e.g. apc.moonshot.ja.net or csc.communities.moonshot.ja.net
- The APC community has an empty apcs field, and its type field is "apc"
- Communities of interest (COI) will set the apcs field to "apc" and their type field to "coi"
Identity Provider realms
The identity provider realms collection, idp_realms, contains a collection of entries that define the identity realms available in this trust infrastructure. This realm collection will include the APC as well since the APC is not just a collection, but also the identity provider for all the relying parties in the trust infrastructure. Each identity provider realm uses the below format:
- The aaa_servers entry must contain one or more rp_realm entries that belong to the organisation that owns (or manages) the realm in
- Currently only one aaa_servers entry is supported.
- The realm_id must be listed in the idp_realms list of at least one community, the APC. You may add it to other communities as well.
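A consistency check for the rules listed above, as an added example that is not part of the original page or the trust router project. The key names come from the page; the nesting (each community carrying idp_realms and rp_realms lists of realm names, apcs as a list), the validate_trusts function and the sample values are assumptions.

```python
import json
import re
# Constructed sample. Key names come from the page; the nesting (realm-name
# lists inside each community, apcs as a list) is an assumption.
SAMPLE = json.loads("""{
  "communities": [
    {"community_id": "apc.example.org", "type": "apc", "apcs": [],
     "idp_realms": ["apc.example.org", "idp.example.org"],
     "rp_realms": ["apc.example.org", "idp.example.org", "rp.example.org"]},
    {"community_id": "coi", "type": "coi", "apcs": [],
     "idp_realms": ["idp.example.org"], "rp_realms": []}],
  "idp_realms": [
    {"realm_id": "idp.example.org", "aaa_servers": ["192.0.2.1", "192.0.2.2"]},
    {"realm_id": "other.example.org", "aaa_servers": ["192.0.2.3"]}],
  "rp_clients": []
}""")

FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def validate_trusts(cfg):
    """Return the list of violations of the rules stated in the text above."""
    errs = [f"missing top-level collection {k}"
            for k in ("communities", "idp_realms", "rp_clients") if k not in cfg]
    communities = cfg.get("communities", [])
    apc_idps = set()  # realms listed in the idp_realms of an APC community
    for c in communities:
        cid, ctype = c.get("community_id", ""), c.get("type")
        if not FQDN.match(cid):
            errs.append(f"{cid!r}: community_id is not an FQDN")
        if ctype == "apc":
            apc_idps.update(c.get("idp_realms", []))
            if c.get("apcs"):
                errs.append(f"{cid}: APC must have an empty apcs field")
        elif ctype == "coi" and not c.get("apcs"):
            errs.append(f"{cid}: COI must set apcs")
        # every identity provider is also a relying party
        for r in sorted(set(c.get("idp_realms", [])) - set(c.get("rp_realms", []))):
            errs.append(f"{cid}: IdP realm {r} missing from rp_realms")
    if not any(c.get("type") == "apc" for c in communities):
        errs.append("no community of type apc")
    for realm in cfg.get("idp_realms", []):
        rid = realm.get("realm_id")
        if len(realm.get("aaa_servers", [])) != 1:
            errs.append(f"{rid}: exactly one aaa_servers entry is supported")
        if rid not in apc_idps:
            errs.append(f"{rid}: not in the APC's idp_realms list")
    return errs

if __name__ == "__main__":
    print("\n".join(validate_trusts(SAMPLE)))
```

Running such a check before a regenerated trusts.cfg is deployed catches realms that would be left outside the APC, and so outside the trust infrastructure's policy, without anyone noticing.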
Relying Party clients
The relying party clients collection, rp_clients, contains a collection of entries that define the relying party clients available in this trust infrastructure. Relying party clients are bundled together by credential, so that the credentials in the gss_names collection apply to all clients in the filter_lines collection of the rp_client entry. Each relying party client entry uses the below format:
- The gss_names entries are the accepted APC credentials for this rp_client.
- The filter_lines entries will be rp_realm entries that