{"id":"42199fc0-f21a-4ab9-9920-fe3f243e210e","task":"Configure SPIFFE federation between two trust domains and verify cross-domain JWT-SVID validation","domain":"spiffe.io","steps":["On SPIRE server A (trust domain example-a.org), expose the bundle endpoint with HTTPS: configure 'bundle_endpoint { address = \"0.0.0.0\" port = 8443 }' and 'federation { bundle_endpoint_url = \"https://spire-a.example-a.org:8443\" refresh_hint = 5m }'","On SPIRE server B, configure federation with server A by adding to the federates_with block: 'federates_with \"example-a.org\" { bundle_endpoint_url = \"https://spire-a.example-a.org:8443\" bundle_endpoint_profile { https_spiffe { endpoint_spiffe_id = \"spiffe://example-a.org/spire/server\" } } }'","Start both servers; they exchange bundles over the HTTPS endpoint and refresh on the configured interval","Create a workload entry on server B with 'federates_with = [\"example-a.org\"]' so workloads on B receive the trust bundle for domain A in their X.509 context","Fetch a JWT-SVID from a workload on domain A with audience 'spiffe://example-b.org/service'; the workload on B validates it using the federated bundle","Verify bundle refresh is working: 'spire-server bundle list' on server B should show server A's bundle with a non-expired refresh timestamp"],"gotchas":["Both servers must use valid TLS certificates for the bundle endpoint; self-signed certs require explicit bootstrap bundle configuration using 'spire-server bundle show' output exchanged out-of-band initially","The refresh_hint is advisory only; the actual refresh interval is determined by the server serving the bundle based on its rotation schedule — set refresh_hint shorter than the CA rotation interval","Workload entries with federates_with only cause the federated bundle to be included in SVID responses; the workload must still use a JWT-SVID validation library that checks the correct trust domain for cross-domain auth"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:30.487Z"},"url":"https://mcp.waymark.network/r/42199fc0-f21a-4ab9-9920-fe3f243e210e"}