6. Detailed Technical Description
This section details the interactions between the UA, the Calling Service (CS), and the Identity Provider (IdP).
6.1 Identity Assertion Generation
- The UA generates a DTLS certificate and computes its fingerprint (a hash of the certificate).
- The UA requests an identity assertion from the IdP, providing its fingerprint.
- The IdP authenticates the user (e.g., via login).
- The IdP signs an assertion binding the user's identity to the fingerprint.
- The IdP returns the assertion to the UA.
6.2 Identity Assertion Verification
- The remote UA receives the assertion (via signaling).
- The remote UA verifies the assertion with the IdP (e.g., by fetching the IdP's public key or querying an API).
- The remote UA verifies that the fingerprint in the assertion matches the fingerprint of the DTLS connection.
- If both checks succeed, the remote UA displays the verified identity to the user.
6.3 IdP Proxying
To handle cases where the IdP is not directly reachable by the verifying UA (e.g., due to firewalls or disjoint networks), the protocol supports IdP proxying, where the verifying UA delegates the verification request to its own IdP or a trusted proxy.