As part of the Federated identity feature, a configuration option was added to the Arvados API server to indicate which remote API servers are trusted to authenticate user IDs ('remote_hosts').
This allows for basic federated identity between a group of Arvados clusters. Each time the membership of the API server group changes (an API server is added or removed), every API server in the group needs to have its configuration updated. This is not ideal.
An Arvados API server can only be part of one federated identity group (aka 'federation').
A cluster registry service, which is managed centrally by the federation admin. All API servers in the federation sync the federation membership list from the registry service automatically.