[openid-specs-rande] SAML to OIDC mapping and value types
Christos Kanellopoulos
christos.kanellopoulos at geant.org
Fri Dec 13 16:41:23 UTC 2019
Hello folks,
This week at TechEx, Ivan and I spent some time on an issue we had been seeing on SATOSA, namely that all claims returned from the SATOSA OP had single values even if the SATOSA internal representation of the attribute has multiple values.
Upon further investigation and discussion with Mike Jones we realised that there is not just one way to represent multi-value claims in OIDC. As a matter of fact, each claim should have its own specification of what that claim value should be.
In the OIDC core specification:
* all claims (except amr in the ID token) are single valued.
* Three claims (given_name, family_name, middle_name) have the following description:
Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
* Two claims (mail_verified, phone_number_verified) are booleans
* updated_at is a number
* address is a JSON object
* amr is a JSON array of strings
* everything else is string
The point of this e-mail is that in the R&E id_token and userinfo endpoint claims<https://docs.google.com/document/d/1FQcZEUsjRjVxR5X5uii_Ma9adFIe9ER3b4WE-wYo7hU/edit#> along with the mappings we need to describe what the type of each claim value is.
So for example, eduPersonScopedAffiliation is a multi-value attribute in the eduPerson schema. Should we represent it as a JSON array or as a space-separated string (I hope you all say the former) when mapped to OIDC?
Christos
PS
Where is the discussion/document happening about other mappings beyond R&S?
--
Christos Kanellopoulos
Senior Trust & Identity Manager
GÉANT
M: +31 611 477 919
Networks • Services • People
Learn more at www.geant.org<http://www.geant.org%E2%80%8B>
GÉANT Vereniging (Association) is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 and operates in the UK as a branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.
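
The typing problem raised in the message above, as an added example that is not part of the original e-mail and is not SATOSA's code: a per-claim type table drives the conversion, so multi-valued attributes are neither truncated nor joined by accident. The internal shape (attribute name mapped to a list of values), the claim name eduperson_scoped_affiliation, its JSON-array type and the sample values are assumptions.

```python
# Hypothetical per-claim value types, following the list in the message.
# The eduperson_scoped_affiliation entry is an assumption (the JSON-array
# option the message asks about), not a published R&E mapping.
CLAIM_TYPES = {
    "given_name": "space_joined",
    "family_name": "space_joined",
    "middle_name": "space_joined",
    "phone_number_verified": "boolean",
    "updated_at": "number",
    "address": "object",
    "amr": "string_array",
    "eduperson_scoped_affiliation": "string_array",
}

def to_claim(name, values):
    """Convert a list of internal attribute values into one typed claim value."""
    kind = CLAIM_TYPES.get(name, "string")  # unlisted claims are plain strings
    if kind == "string_array":
        return [str(v) for v in values]
    if kind == "space_joined":
        return " ".join(str(v) for v in values)
    # Every remaining type is single valued: fail instead of dropping values.
    if len(values) != 1:
        raise ValueError(f"{name}: expected exactly 1 value, got {len(values)}")
    value = values[0]
    if kind == "boolean":
        text = str(value).lower()
        if text not in ("true", "false"):
            raise ValueError(f"{name}: not a boolean: {value!r}")
        return text == "true"
    if kind == "number":
        return int(value)
    if kind == "object":
        if not isinstance(value, dict):
            raise ValueError(f"{name}: expected a JSON object")
        return value
    return str(value)

def build_claims(internal_attributes):
    """Map {name: [values]} to typed claims, skipping empty attributes."""
    return {n: to_claim(n, v) for n, v in internal_attributes.items() if v}

# Constructed sample input (assumed internal representation: lists of values).
SAMPLE = {
    "given_name": ["Anna", "Maria"],
    "eduperson_scoped_affiliation": ["member@example.org", "staff@example.org"],
    "phone_number_verified": ["true"],
    "updated_at": ["1576255283"],
    "middle_name": [],
}
```

A relying party that authorises on affiliation sees every value as a separate array element, and a multi-valued attribute mapped to a single-valued claim raises an error instead of silently returning the first value.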