diff --git a/api/gen/proto/go/teleport/machineid/v1/federation.pb.go b/api/gen/proto/go/teleport/machineid/v1/federation.pb.go index 2eaddca85fc61..ae54d9eda14ed 100644 --- a/api/gen/proto/go/teleport/machineid/v1/federation.pb.go +++ b/api/gen/proto/go/teleport/machineid/v1/federation.pb.go 
@@ -222,68 +222,6 @@ func (x *SPIFFEFederationBundleSourceHTTPSWeb) GetBundleEndpointUrl() string { return "" } -// SPIFFEFederationBundleSourceHTTPSSPIFFE is a bundle source that fetches the bundle -// from a HTTPS endpoint that is protected by a SPIFFE certificate that is -// "self-served" (i.e. the SPIFFE certificate is issued by the same trust domain -// that the bundle is for). -type SPIFFEFederationBundleSourceHTTPSSPIFFE struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The URL of the SPIFFE Bundle Endpoint. - BundleEndpointUrl string `protobuf:"bytes,1,opt,name=bundle_endpoint_url,json=bundleEndpointUrl,proto3" json:"bundle_endpoint_url,omitempty"` - // The initial SPIFFE bundle that is used to bootstrap the connection to the - // bundle endpoint. After the first sync, this field will no longer be used. - BundleBootstrap string `protobuf:"bytes,2,opt,name=bundle_bootstrap,json=bundleBootstrap,proto3" json:"bundle_bootstrap,omitempty"` -} - -func (x *SPIFFEFederationBundleSourceHTTPSSPIFFE) Reset() { - *x = SPIFFEFederationBundleSourceHTTPSSPIFFE{} - if protoimpl.UnsafeEnabled { - mi := &file_teleport_machineid_v1_federation_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SPIFFEFederationBundleSourceHTTPSSPIFFE) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SPIFFEFederationBundleSourceHTTPSSPIFFE) ProtoMessage() {} - -func (x *SPIFFEFederationBundleSourceHTTPSSPIFFE) ProtoReflect() protoreflect.Message { - mi := &file_teleport_machineid_v1_federation_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SPIFFEFederationBundleSourceHTTPSSPIFFE.ProtoReflect.Descriptor instead. 
-func (*SPIFFEFederationBundleSourceHTTPSSPIFFE) Descriptor() ([]byte, []int) { - return file_teleport_machineid_v1_federation_proto_rawDescGZIP(), []int{3} -} - -func (x *SPIFFEFederationBundleSourceHTTPSSPIFFE) GetBundleEndpointUrl() string { - if x != nil { - return x.BundleEndpointUrl - } - return "" -} - -func (x *SPIFFEFederationBundleSourceHTTPSSPIFFE) GetBundleBootstrap() string { - if x != nil { - return x.BundleBootstrap - } - return "" -} - // SPIFFEFederationBundleSource configures how the federation bundle is sourced. // Only one field can be set. type SPIFFEFederationBundleSource struct { @@ -291,15 +229,14 @@ type SPIFFEFederationBundleSource struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Static *SPIFFEFederationBundleSourceStatic `protobuf:"bytes,1,opt,name=static,proto3" json:"static,omitempty"` - HttpsWeb *SPIFFEFederationBundleSourceHTTPSWeb `protobuf:"bytes,2,opt,name=https_web,json=httpsWeb,proto3" json:"https_web,omitempty"` - HttpsSpiffe *SPIFFEFederationBundleSourceHTTPSSPIFFE `protobuf:"bytes,3,opt,name=https_spiffe,json=httpsSpiffe,proto3" json:"https_spiffe,omitempty"` + Static *SPIFFEFederationBundleSourceStatic `protobuf:"bytes,1,opt,name=static,proto3" json:"static,omitempty"` + HttpsWeb *SPIFFEFederationBundleSourceHTTPSWeb `protobuf:"bytes,2,opt,name=https_web,json=httpsWeb,proto3" json:"https_web,omitempty"` } func (x *SPIFFEFederationBundleSource) Reset() { *x = SPIFFEFederationBundleSource{} if protoimpl.UnsafeEnabled { - mi := &file_teleport_machineid_v1_federation_proto_msgTypes[4] + mi := &file_teleport_machineid_v1_federation_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -312,7 +249,7 @@ func (x *SPIFFEFederationBundleSource) String() string { func (*SPIFFEFederationBundleSource) ProtoMessage() {} func (x *SPIFFEFederationBundleSource) ProtoReflect() protoreflect.Message { - mi := &file_teleport_machineid_v1_federation_proto_msgTypes[4] + mi := &file_teleport_machineid_v1_federation_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -325,7 +262,7 @@ func (x *SPIFFEFederationBundleSource) ProtoReflect() protoreflect.Message { // Deprecated: Use SPIFFEFederationBundleSource.ProtoReflect.Descriptor instead. func (*SPIFFEFederationBundleSource) Descriptor() ([]byte, []int) { - return file_teleport_machineid_v1_federation_proto_rawDescGZIP(), []int{4} + return file_teleport_machineid_v1_federation_proto_rawDescGZIP(), []int{3} } func (x *SPIFFEFederationBundleSource) GetStatic() *SPIFFEFederationBundleSourceStatic { @@ -342,13 +279,6 @@ func (x *SPIFFEFederationBundleSource) GetHttpsWeb() *SPIFFEFederationBundleSour return nil } -func (x *SPIFFEFederationBundleSource) GetHttpsSpiffe() *SPIFFEFederationBundleSourceHTTPSSPIFFE { - if x != nil { - return x.HttpsSpiffe - } - return nil -} - // SPIFFEFederationSpec is the configuration of a trust domain federation. type SPIFFEFederationSpec struct { state protoimpl.MessageState @@ -362,7 +292,7 @@ type SPIFFEFederationSpec struct { func (x *SPIFFEFederationSpec) Reset() { *x = SPIFFEFederationSpec{} if protoimpl.UnsafeEnabled { - mi := &file_teleport_machineid_v1_federation_proto_msgTypes[5] + mi := &file_teleport_machineid_v1_federation_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -375,7 +305,7 @@ func (x *SPIFFEFederationSpec) String() string { func (*SPIFFEFederationSpec) ProtoMessage() {} func (x *SPIFFEFederationSpec) ProtoReflect() protoreflect.Message { - mi := &file_teleport_machineid_v1_federation_proto_msgTypes[5] + mi := &file_teleport_machineid_v1_federation_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -388,7 +318,7 @@ func (x *SPIFFEFederationSpec) ProtoReflect() protoreflect.Message { // Deprecated: Use SPIFFEFederationSpec.ProtoReflect.Descriptor instead. func (*SPIFFEFederationSpec) Descriptor() ([]byte, []int) { - return file_teleport_machineid_v1_federation_proto_rawDescGZIP(), []int{5} + return file_teleport_machineid_v1_federation_proto_rawDescGZIP(), []int{4} } func (x *SPIFFEFederationSpec) GetBundleSource() *SPIFFEFederationBundleSource { @@ -416,7 +346,7 @@ type SPIFFEFederationStatus struct { func (x *SPIFFEFederationStatus) Reset() { *x = SPIFFEFederationStatus{} if protoimpl.UnsafeEnabled { - mi := &file_teleport_machineid_v1_federation_proto_msgTypes[6] + mi := &file_teleport_machineid_v1_federation_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -429,7 +359,7 @@ func (x *SPIFFEFederationStatus) String() string { func (*SPIFFEFederationStatus) ProtoMessage() {} func (x *SPIFFEFederationStatus) ProtoReflect() protoreflect.Message { - mi := &file_teleport_machineid_v1_federation_proto_msgTypes[6] + mi := &file_teleport_machineid_v1_federation_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -442,7 +372,7 @@ func (x *SPIFFEFederationStatus) ProtoReflect() protoreflect.Message { // Deprecated: Use SPIFFEFederationStatus.ProtoReflect.Descriptor instead. func (*SPIFFEFederationStatus) Descriptor() ([]byte, []int) { - return file_teleport_machineid_v1_federation_proto_rawDescGZIP(), []int{6} + return file_teleport_machineid_v1_federation_proto_rawDescGZIP(), []int{5} } func (x *SPIFFEFederationStatus) GetCurrentBundle() string { 
@@ -506,63 +436,48 @@ var file_teleport_machineid_v1_federation_proto_rawDesc = []byte{ 0x65, 0x48, 0x54, 0x54, 0x50, 0x53, 0x57, 0x65, 0x62, 0x12, 0x2e, 0x0a, 0x13, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x45, 0x6e, - 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x22, 0x84, 0x01, 0x0a, 0x27, 0x53, 0x50, + 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x22, 0xcb, 0x01, 0x0a, 0x1c, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, - 0x6e, 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x54, 0x54, 0x50, 0x53, 0x53, - 0x50, 0x49, 0x46, 0x46, 0x45, 0x12, 0x2e, 0x0a, 0x13, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x5f, - 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x11, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, - 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x29, 0x0a, 0x10, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x5f, - 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0f, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x42, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, - 0x22, 0xae, 0x02, 0x0a, 0x1c, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, - 0x65, 0x12, 0x51, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x39, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, - 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, - 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, - 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x53, 0x74, 0x61, 
0x74, 0x69, 0x63, 0x52, 0x06, 0x73, 0x74, - 0x61, 0x74, 0x69, 0x63, 0x12, 0x58, 0x0a, 0x09, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x77, 0x65, - 0x62, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, - 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, - 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x54, 0x54, 0x50, - 0x53, 0x57, 0x65, 0x62, 0x52, 0x08, 0x68, 0x74, 0x74, 0x70, 0x73, 0x57, 0x65, 0x62, 0x12, 0x61, - 0x0a, 0x0c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, - 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x50, 0x49, - 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x6e, - 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x54, 0x54, 0x50, 0x53, 0x53, 0x50, - 0x49, 0x46, 0x46, 0x45, 0x52, 0x0b, 0x68, 0x74, 0x74, 0x70, 0x73, 0x53, 0x70, 0x69, 0x66, 0x66, - 0x65, 0x22, 0x70, 0x0a, 0x14, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x58, 0x0a, 0x0d, 0x62, 0x75, 0x6e, - 0x64, 0x6c, 0x65, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x33, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, + 0x6e, 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x51, 0x0a, 0x06, 0x73, 0x74, + 0x61, 0x74, 0x69, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, + 0x76, 0x31, 0x2e, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 
0x74, + 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x53, + 0x74, 0x61, 0x74, 0x69, 0x63, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x12, 0x58, 0x0a, + 0x09, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x77, 0x65, 0x62, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x3b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x53, - 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x0c, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, - 0x72, 0x63, 0x65, 0x22, 0xee, 0x01, 0x0a, 0x16, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, - 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x25, - 0x0a, 0x0e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x42, - 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x53, 0x0a, 0x18, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, - 0x5f, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x5f, 0x73, 0x79, 0x6e, 0x63, 0x65, 0x64, 0x5f, 0x61, - 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x52, 0x15, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x6e, 0x64, - 0x6c, 0x65, 0x53, 0x79, 0x6e, 0x63, 0x65, 0x64, 0x41, 0x74, 0x12, 0x58, 0x0a, 0x1b, 0x63, 0x75, - 0x72, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x5f, 0x72, 0x65, 0x66, - 0x72, 0x65, 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 
0x74, 0x69, 0x6f, 0x6e, 0x52, 0x18, 0x63, 0x75, 0x72, 0x72, - 0x65, 0x6e, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, - 0x48, 0x69, 0x6e, 0x74, 0x42, 0x56, 0x5a, 0x54, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, - 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, - 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, - 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, - 0x3b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x54, 0x54, 0x50, 0x53, 0x57, 0x65, 0x62, 0x52, 0x08, 0x68, + 0x74, 0x74, 0x70, 0x73, 0x57, 0x65, 0x62, 0x22, 0x70, 0x0a, 0x14, 0x53, 0x50, 0x49, 0x46, 0x46, + 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, + 0x58, 0x0a, 0x0d, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, + 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x53, + 0x50, 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, + 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x0c, 0x62, 0x75, 0x6e, + 0x64, 0x6c, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x22, 0xee, 0x01, 0x0a, 0x16, 0x53, 0x50, + 0x49, 0x46, 0x46, 0x45, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x5f, + 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x63, 0x75, + 0x72, 0x72, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x6e, 
0x64, 0x6c, 0x65, 0x12, 0x53, 0x0a, 0x18, 0x63, + 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x5f, 0x73, 0x79, + 0x6e, 0x63, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x15, 0x63, 0x75, 0x72, 0x72, 0x65, + 0x6e, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x53, 0x79, 0x6e, 0x63, 0x65, 0x64, 0x41, 0x74, + 0x12, 0x58, 0x0a, 0x1b, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x62, 0x75, 0x6e, 0x64, + 0x6c, 0x65, 0x5f, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x52, 0x18, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, + 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x48, 0x69, 0x6e, 0x74, 0x42, 0x56, 0x5a, 0x54, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, + 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, + 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x3b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, + 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -577,34 +492,32 @@ func file_teleport_machineid_v1_federation_proto_rawDescGZIP() []byte { return file_teleport_machineid_v1_federation_proto_rawDescData } -var file_teleport_machineid_v1_federation_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_teleport_machineid_v1_federation_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_teleport_machineid_v1_federation_proto_goTypes = []any{ - (*SPIFFEFederation)(nil), // 0: teleport.machineid.v1.SPIFFEFederation - (*SPIFFEFederationBundleSourceStatic)(nil), // 1: teleport.machineid.v1.SPIFFEFederationBundleSourceStatic - (*SPIFFEFederationBundleSourceHTTPSWeb)(nil), // 2: teleport.machineid.v1.SPIFFEFederationBundleSourceHTTPSWeb - (*SPIFFEFederationBundleSourceHTTPSSPIFFE)(nil), // 3: teleport.machineid.v1.SPIFFEFederationBundleSourceHTTPSSPIFFE - (*SPIFFEFederationBundleSource)(nil), // 4: teleport.machineid.v1.SPIFFEFederationBundleSource - (*SPIFFEFederationSpec)(nil), // 5: teleport.machineid.v1.SPIFFEFederationSpec - (*SPIFFEFederationStatus)(nil), // 6: teleport.machineid.v1.SPIFFEFederationStatus - (*v1.Metadata)(nil), // 7: teleport.header.v1.Metadata - (*timestamppb.Timestamp)(nil), // 8: google.protobuf.Timestamp - (*durationpb.Duration)(nil), // 9: google.protobuf.Duration + (*SPIFFEFederation)(nil), // 0: teleport.machineid.v1.SPIFFEFederation + (*SPIFFEFederationBundleSourceStatic)(nil), // 1: teleport.machineid.v1.SPIFFEFederationBundleSourceStatic + (*SPIFFEFederationBundleSourceHTTPSWeb)(nil), // 2: teleport.machineid.v1.SPIFFEFederationBundleSourceHTTPSWeb + (*SPIFFEFederationBundleSource)(nil), // 3: teleport.machineid.v1.SPIFFEFederationBundleSource + (*SPIFFEFederationSpec)(nil), // 4: teleport.machineid.v1.SPIFFEFederationSpec + (*SPIFFEFederationStatus)(nil), // 5: teleport.machineid.v1.SPIFFEFederationStatus + (*v1.Metadata)(nil), // 6: teleport.header.v1.Metadata + (*timestamppb.Timestamp)(nil), // 7: google.protobuf.Timestamp + (*durationpb.Duration)(nil), // 8: 
google.protobuf.Duration } var file_teleport_machineid_v1_federation_proto_depIdxs = []int32{ - 7, // 0: teleport.machineid.v1.SPIFFEFederation.metadata:type_name -> teleport.header.v1.Metadata - 5, // 1: teleport.machineid.v1.SPIFFEFederation.spec:type_name -> teleport.machineid.v1.SPIFFEFederationSpec - 6, // 2: teleport.machineid.v1.SPIFFEFederation.status:type_name -> teleport.machineid.v1.SPIFFEFederationStatus + 6, // 0: teleport.machineid.v1.SPIFFEFederation.metadata:type_name -> teleport.header.v1.Metadata + 4, // 1: teleport.machineid.v1.SPIFFEFederation.spec:type_name -> teleport.machineid.v1.SPIFFEFederationSpec + 5, // 2: teleport.machineid.v1.SPIFFEFederation.status:type_name -> teleport.machineid.v1.SPIFFEFederationStatus 1, // 3: teleport.machineid.v1.SPIFFEFederationBundleSource.static:type_name -> teleport.machineid.v1.SPIFFEFederationBundleSourceStatic 2, // 4: teleport.machineid.v1.SPIFFEFederationBundleSource.https_web:type_name -> teleport.machineid.v1.SPIFFEFederationBundleSourceHTTPSWeb - 3, // 5: teleport.machineid.v1.SPIFFEFederationBundleSource.https_spiffe:type_name -> teleport.machineid.v1.SPIFFEFederationBundleSourceHTTPSSPIFFE - 4, // 6: teleport.machineid.v1.SPIFFEFederationSpec.bundle_source:type_name -> teleport.machineid.v1.SPIFFEFederationBundleSource - 8, // 7: teleport.machineid.v1.SPIFFEFederationStatus.current_bundle_synced_at:type_name -> google.protobuf.Timestamp - 9, // 8: teleport.machineid.v1.SPIFFEFederationStatus.current_bundle_refresh_hint:type_name -> google.protobuf.Duration - 9, // [9:9] is the sub-list for method output_type - 9, // [9:9] is the sub-list for method input_type - 9, // [9:9] is the sub-list for extension type_name - 9, // [9:9] is the sub-list for extension extendee - 0, // [0:9] is the sub-list for field type_name + 3, // 5: teleport.machineid.v1.SPIFFEFederationSpec.bundle_source:type_name -> teleport.machineid.v1.SPIFFEFederationBundleSource + 7, // 6: 
teleport.machineid.v1.SPIFFEFederationStatus.current_bundle_synced_at:type_name -> google.protobuf.Timestamp + 8, // 7: teleport.machineid.v1.SPIFFEFederationStatus.current_bundle_refresh_hint:type_name -> google.protobuf.Duration + 8, // [8:8] is the sub-list for method output_type + 8, // [8:8] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name } func init() { file_teleport_machineid_v1_federation_proto_init() } @@ -650,18 +563,6 @@ func file_teleport_machineid_v1_federation_proto_init() { } } file_teleport_machineid_v1_federation_proto_msgTypes[3].Exporter = func(v any, i int) any { - switch v := v.(*SPIFFEFederationBundleSourceHTTPSSPIFFE); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_teleport_machineid_v1_federation_proto_msgTypes[4].Exporter = func(v any, i int) any { switch v := v.(*SPIFFEFederationBundleSource); i { case 0: return &v.state @@ -673,7 +574,7 @@ func file_teleport_machineid_v1_federation_proto_init() { return nil } } - file_teleport_machineid_v1_federation_proto_msgTypes[5].Exporter = func(v any, i int) any { + file_teleport_machineid_v1_federation_proto_msgTypes[4].Exporter = func(v any, i int) any { switch v := v.(*SPIFFEFederationSpec); i { case 0: return &v.state @@ -685,7 +586,7 @@ func file_teleport_machineid_v1_federation_proto_init() { return nil } } - file_teleport_machineid_v1_federation_proto_msgTypes[6].Exporter = func(v any, i int) any { + file_teleport_machineid_v1_federation_proto_msgTypes[5].Exporter = func(v any, i int) any { switch v := v.(*SPIFFEFederationStatus); i { case 0: return &v.state 
@@ -704,7 +605,7 @@ func file_teleport_machineid_v1_federation_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_teleport_machineid_v1_federation_proto_rawDesc, NumEnums: 0, - NumMessages: 7, + NumMessages: 6, NumExtensions: 0, NumServices: 0, }, diff --git a/api/proto/teleport/machineid/v1/federation.proto b/api/proto/teleport/machineid/v1/federation.proto index c8115c58b9811..343b8e0f8efa6 100644 --- a/api/proto/teleport/machineid/v1/federation.proto +++ b/api/proto/teleport/machineid/v1/federation.proto @@ -42,24 +42,11 @@ message SPIFFEFederationBundleSourceHTTPSWeb { string bundle_endpoint_url = 1; } -// SPIFFEFederationBundleSourceHTTPSSPIFFE is a bundle source that fetches the bundle -// from a HTTPS endpoint that is protected by a SPIFFE certificate that is -// "self-served" (i.e. the SPIFFE certificate is issued by the same trust domain -// that the bundle is for). -message SPIFFEFederationBundleSourceHTTPSSPIFFE { - // The URL of the SPIFFE Bundle Endpoint. - string bundle_endpoint_url = 1; - // The initial SPIFFE bundle that is used to bootstrap the connection to the - // bundle endpoint. After the first sync, this field will no longer be used. - string bundle_bootstrap = 2; -} - // SPIFFEFederationBundleSource configures how the federation bundle is sourced. // Only one field can be set. message SPIFFEFederationBundleSource { SPIFFEFederationBundleSourceStatic static = 1; SPIFFEFederationBundleSourceHTTPSWeb https_web = 2; - SPIFFEFederationBundleSourceHTTPSSPIFFE https_spiffe = 3; } // SPIFFEFederationSpec is the configuration of a trust domain federation. diff --git a/lib/auth/grpcserver.go b/lib/auth/grpcserver.go index 368bf60215f85..620bd3642a545 100644 --- a/lib/auth/grpcserver.go +++ b/lib/auth/grpcserver.go 
@@ -5192,6 +5192,17 @@ func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error) {
 }
 machineidv1pb.RegisterWorkloadIdentityServiceServer(server, workloadIdentityService)
+ spiffeFederationService, err := machineidv1.NewSPIFFEFederationService(machineidv1.SPIFFEFederationServiceConfig{
+ Authorizer: cfg.Authorizer,
+ Backend: nil, // TODO
+ Clock: cfg.AuthServer.GetClock(),
+ Emitter: cfg.Emitter,
+ })
+ if err != nil {
+ return nil, trace.Wrap(err, "creating SPIFFE federation service")
+ }
+ machineidv1pb.RegisterSPIFFEFederationServiceServer(server, spiffeFederationService)
+
 dbObjectImportRuleService, err := dbobjectimportrulev1.NewDatabaseObjectImportRuleService(dbobjectimportrulev1.DatabaseObjectImportRuleServiceConfig{
 Authorizer: cfg.Authorizer,
 Backend: cfg.AuthServer.Services,
diff --git a/lib/auth/machineid/machineidv1/spiffe_federation_service.go b/lib/auth/machineid/machineidv1/spiffe_federation_service.go
index 2a8e0918fdccd..a58f3b7350dc2 100644
--- a/lib/auth/machineid/machineidv1/spiffe_federation_service.go
+++ b/lib/auth/machineid/machineidv1/spiffe_federation_service.go
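Review bot: `Backend: nil, // TODO` makes NewGRPCServer fail on every start with this commit applied, because the new NewSPIFFEFederationService returns `trace.BadParameter("backend service is required")` whenever Backend is nil, so the error path right below it is always taken. Wire the real backend the way the sibling dbObjectImportRuleService does, `Backend: cfg.AuthServer.Services,` — assuming Services satisfies services.SPIFFEFederation, which is not visible in this diff. The config also accepts a Logger; passing one scoped to this service rather than relying on the constructor default would keep log lines attributable. NewGRPCServer starts and ends outside the hunk.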
@@ -24,28 +24,54 @@ import (
 "github.com/jonboulle/clockwork"
 "google.golang.org/protobuf/types/known/emptypb"
+ "github.com/gravitational/teleport"
 machineidv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1"
 "github.com/gravitational/teleport/api/types"
+ apievents "github.com/gravitational/teleport/api/types/events"
 "github.com/gravitational/teleport/lib/authz"
 "github.com/gravitational/teleport/lib/services"
 )
+// SPIFFEFederationServiceConfig holds configuration options for
+// NewSPIFFEFederationService
 type SPIFFEFederationServiceConfig struct {
 Authorizer authz.Authorizer
 Backend services.SPIFFEFederation
 Logger *slog.Logger
 Clock clockwork.Clock
+ Emitter apievents.Emitter
 }
-func NewSPIFFEFederationService(config SPIFFEFederationServiceConfig) *SPIFFEFederationService {
- return &SPIFFEFederationService{
- authorizer: config.Authorizer,
- backend: config.Backend,
- logger: config.Logger,
- clock: config.Clock,
+// NewSPIFFEFederationService returns a new instance of the SPIFFEFederationService.
+func NewSPIFFEFederationService(
+ cfg SPIFFEFederationServiceConfig,
+) (*SPIFFEFederationService, error) {
+ switch {
+ case cfg.Backend == nil:
+ return nil, trace.BadParameter("backend service is required")
+ case cfg.Authorizer == nil:
+ return nil, trace.BadParameter("authorizer is required")
+ case cfg.Emitter == nil:
+ return nil, trace.BadParameter("emitter is required")
+ }
+
+ if cfg.Logger == nil {
+ cfg.Logger = slog.With(teleport.ComponentKey, "bot_instance.service")
+ }
+ if cfg.Clock == nil {
+ cfg.Clock = clockwork.NewRealClock()
 }
+
+ return &SPIFFEFederationService{
+ authorizer: cfg.Authorizer,
+ backend: cfg.Backend,
+ logger: cfg.Logger,
+ clock: cfg.Clock,
+ }, nil
 }
+// SPIFFEFederationService is an implementation of
+// teleport.machineid.v1.SPIFFEFederationService
 type SPIFFEFederationService struct {
 machineidv1.UnimplementedSPIFFEFederationServiceServer
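Review bot: The constructor rejects a nil cfg.Emitter but never stores it: the returned struct literal sets only authorizer, backend, logger and clock, so the `emitter` field this commit adds to SPIFFEFederationService (in the next hunk) is always nil and the first audit emission through it would nil-deref. Add `emitter: cfg.Emitter,` to the literal. The default logger component `"bot_instance.service"` also reads as copy-paste from another service; `"spiffe_federation.service"` (or whatever this package's convention is) would keep log attribution correct. The SPIFFEFederationService struct opened at the end of the hunk continues past it.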
@@ -53,10 +79,13 @@ type SPIFFEFederationService struct {
 backend services.SPIFFEFederation
 logger *slog.Logger
 clock clockwork.Clock
+ emitter apievents.Emitter
 }
+// GetSPIFFEFederation returns a SPIFFE Federation by name.
+// Implements teleport.machineid.v1.SPIFFEFederationService/GetSPIFFEFederation
 func (s *SPIFFEFederationService) GetSPIFFEFederation(
- ctx context.Context, request *machineidv1.GetSPIFFEFederationRequest,
+ ctx context.Context, req *machineidv1.GetSPIFFEFederationRequest,
 ) (*machineidv1.SPIFFEFederation, error) {
 authCtx, err := s.authorizer.Authorize(ctx)
 if err != nil {
@@ -65,12 +94,25 @@ func (s *SPIFFEFederationService) GetSPIFFEFederation(
 if err := authCtx.CheckAccessToKind(types.KindSPIFFEFederation, types.VerbRead); err != nil {
 return nil, trace.Wrap(err)
 }
- //TODO implement me
- panic("implement me")
+
+ if req.Name == "" {
+ return nil, trace.BadParameter("name: must be non-empty")
+ }
+
+ // TODO(noah): Use cache...
+ federation, err := s.backend.GetSPIFFEFederation(ctx, req.Name)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ return federation, nil
 }
+// ListSPIFFEFederations returns a list of SPIFFE Federations. It follows the
+// Google API design guidelines for list pagination.
+// Implements teleport.machineid.v1.SPIFFEFederationService/ListSPIFFEFederations
 func (s *SPIFFEFederationService) ListSPIFFEFederations(
- ctx context.Context, request *machineidv1.ListSPIFFEFederationsRequest,
+ ctx context.Context, req *machineidv1.ListSPIFFEFederationsRequest,
 ) (*machineidv1.ListSPIFFEFederationsResponse, error) {
 authCtx, err := s.authorizer.Authorize(ctx)
 if err != nil {
@@ -79,12 +121,27 @@ func (s *SPIFFEFederationService) ListSPIFFEFederations(
 if err := authCtx.CheckAccessToKind(types.KindSPIFFEFederation, types.VerbRead, types.VerbList); err != nil {
 return nil, trace.Wrap(err)
 }
- //TODO implement me
- panic("implement me")
+
+ // TODO: Use cache...
+ federations, nextToken, err := s.backend.ListSPIFFEFederations(
+ ctx,
+ int(req.PageSize),
+ req.PageToken,
+ )
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ return &machineidv1.ListSPIFFEFederationsResponse{
+ SpiffeFederations: federations,
+ NextPageToken: nextToken,
+ }, nil
 }
+// DeleteSPIFFEFederation deletes a SPIFFE Federation by name.
+// Implements teleport.machineid.v1.SPIFFEFederationService/DeleteSPIFFEFederation
 func (s *SPIFFEFederationService) DeleteSPIFFEFederation(
- ctx context.Context, request *machineidv1.DeleteSPIFFEFederationRequest,
+ ctx context.Context, req *machineidv1.DeleteSPIFFEFederationRequest,
 ) (*emptypb.Empty, error) {
 authCtx, err := s.authorizer.Authorize(ctx)
 if err != nil {
@@ -93,12 +150,22 @@ func (s *SPIFFEFederationService) DeleteSPIFFEFederation(
 if err := authCtx.CheckAccessToKind(types.KindSPIFFEFederation, types.VerbDelete); err != nil {
 return nil, trace.Wrap(err)
 }
- //TODO implement me
- panic("implement me")
+
+ if req.Name == "" {
+ return nil, trace.BadParameter("name: must be non-empty")
+ }
+
+ if err := s.backend.DeleteSPIFFEFederation(ctx, req.Name); err != nil {
+ return nil, trace.Wrap(err)
+ }
+ // TODO: audit log
+ return &emptypb.Empty{}, nil
 }
+// CreateSPIFFEFederation creates a new SPIFFE Federation.
+// Implements teleport.machineid.v1.SPIFFEFederationService/CreateSPIFFEFederation
 func (s *SPIFFEFederationService) CreateSPIFFEFederation(
- ctx context.Context, request *machineidv1.CreateSPIFFEFederationRequest,
+ ctx context.Context, req *machineidv1.CreateSPIFFEFederationRequest,
 ) (*machineidv1.SPIFFEFederation, error) {
 authCtx, err := s.authorizer.Authorize(ctx)
 if err != nil {
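Review bot: `int(req.PageSize)` is forwarded to the backend without any bounds check, so a negative or very large page size from the caller reaches the storage layer unchanged; whether the backend clamps it is not visible here. A guard before the call such as `if req.PageSize < 0 { return nil, trace.BadParameter("page_size: must be non-negative") }` keeps the input validation at the API boundary like the name check in the neighbouring methods, and an upper clamp would bound the size of a single list response. ListSPIFFEFederations's signature and authorization prologue are in the previous hunk.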
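Review bot: DeleteSPIFFEFederation removes a trust-domain federation and returns success without emitting an audit event; the `// TODO: audit log` after the backend call is where `s.emitter.EmitAuditEvent(ctx, ...)` belongs, now that the config makes an Emitter mandatory. Deleting a federation changes which foreign SPIFFE identities this cluster trusts, so the actor (available from authCtx) and the resource name should be attributable in the audit log before this ships; the event type to use is not visible in this diff. If the backend errors on a missing resource, that error is wrapped and returned as-is, which is fine. The function's signature and authorization prologue are in the previous hunk.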
@@ -107,6 +174,11 @@ func (s *SPIFFEFederationService) CreateSPIFFEFederation(
 if err := authCtx.CheckAccessToKind(types.KindSPIFFEFederation, types.VerbCreate); err != nil {
 return nil, trace.Wrap(err)
 }
- //TODO implement me
- panic("implement me")
+
+ created, err := s.backend.CreateSPIFFEFederation(ctx, req.SpiffeFederation)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ // TODO: audit log
+ return created, nil
 }
diff --git a/lib/services/spiffe_federation.go b/lib/services/spiffe_federation.go
index 92d571b7d0ed8..cb61d5de94789 100644
--- a/lib/services/spiffe_federation.go
+++ b/lib/services/spiffe_federation.go
@@ -25,7 +25,7 @@ import (
 // SPIFFEFederation is an interface for the SPIFFEFederation service.
 type SPIFFEFederation interface {
 // CreateBotInstance
- CreateSPIFFEFederation(ctx context.Context, botInstance *machineidv1.SPIFFEFederation) (*machineidv1.SPIFFEFederation, error)
+ CreateSPIFFEFederation(ctx context.Context, spiffeFederation *machineidv1.SPIFFEFederation) (*machineidv1.SPIFFEFederation, error)
 // GetBotInstance
 GetSPIFFEFederation(ctx context.Context, name string) (*machineidv1.SPIFFEFederation, error)
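Review bot: `req.SpiffeFederation` is handed to the backend with no nil check and no validation of the resource, so an empty request body reaches the backend as a nil pointer, and the "Only one field can be set" rule the proto states for SPIFFEFederationBundleSource is not enforced at this boundary; whether the backend validates is not visible here. Add `if req.SpiffeFederation == nil { return nil, trace.BadParameter("spiffe_federation: must be non-nil") }` before the call, and since creating a federation establishes trust in a foreign trust domain, replace the `// TODO: audit log` with the actual emission through the now-mandatory Emitter rather than shipping the write path unaudited. CreateSPIFFEFederation's signature and authorization prologue are in the previous hunk.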