[openid-specs-rande] Feedback on SAML-to-OIDC mapping
Paul Millar
paul.millar at desy.de
Wed Feb 24 11:14:18 UTC 2021
Hi,
I'm writing here because Niels van Dijk suggested this might be the
correct forum to record this information.
I was looking at the white paper on how to map SAML attributes to OIDC
claims:
https://daasi.de/pub/20181011-OIDC-WP.pdf
One thing I noticed was that, under the "Advanced profile" section, the
above document describes how an attribute's _name_ is mapped to a
corresponding OIDC claim name, but doesn't seem to describe how an
attribute's _value_ is mapped.
My particular interest was in understanding how eduPersonEntitlement was
being mapped to "eduperson_entitlement" claim. In particular, if the
IdP assertion contains only one eduPersonEntitlement attribute would a
JSON String (rather than a JSON Array of JSON String) be valid?
As a concrete example, would this be a valid response from the user-info
endpoint:
{
"sub": "00112233445566778899aabbccddeeff",
"eduperson_entitlement": "urn:example.org:foo",
...
}
or must it always be represented as a JSON Array:
{
"sub": "00112233445566778899aabbccddeeff",
"eduperson_entitlement": [
"urn:example.org:foo"
],
...
}
As motivation, there are other OIDC claims that have a
string-or-array-of-strings value; e.g., in RFC7519 "aud" claim value is
defined as an array of StringOrURI values, but the value MAY be a single
JSON-String if the audience is single-valued.
I understand that the working group that came up with the white paper is
no longer operating; however, I wanted to give some feedback about a
potential ambiguity so that other REFEDS groups might consider this in
any future version of this (or similar) document.
Cheers,
Paul.
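An added example (not part of the original mail, and not code from the white paper or REFEDS): a small relying-party helper that accepts the eduperson_entitlement claim in either shape the mail asks about, a bare JSON string or a JSON array of strings, mirroring the string-or-array rule RFC 7519 gives for "aud". It also shows why a check written for one shape can misbehave on the other: a naive `required in value` test is a substring match when `value` is a string. The userinfo responses are constructed here from the values in the mail; no real endpoint is involved.

```python
import json
from typing import Any, List

# Constructed sample responses, using the values quoted in the mail.
SINGLE_STRING_RESPONSE = json.dumps({
    "sub": "00112233445566778899aabbccddeeff",
    "eduperson_entitlement": "urn:example.org:foo",
})
ARRAY_RESPONSE = json.dumps({
    "sub": "00112233445566778899aabbccddeeff",
    "eduperson_entitlement": ["urn:example.org:foo"],
})
ABSENT_RESPONSE = json.dumps({
    "sub": "00112233445566778899aabbccddeeff",
})


def normalize_string_or_array(value: Any, claim: str) -> List[str]:
    """Return a claim value as a list of strings.

    Accepts a single JSON string or a JSON array of strings (the shape
    RFC 7519 allows for "aud"). Any other type is rejected rather than
    coerced: entitlements feed authorization decisions, so a number,
    object or array of mixed types should fail loudly.
    """
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value)
    raise ValueError(
        f"claim {claim!r} must be a string or an array of strings, "
        f"got {type(value).__name__}"
    )


def entitlements_from_userinfo(userinfo_json: str) -> List[str]:
    """Extract eduperson_entitlement from a userinfo body as a list.

    An absent claim yields an empty list, which callers treat exactly
    like an empty array: no entitlements granted.
    """
    doc = json.loads(userinfo_json)
    if "eduperson_entitlement" not in doc:
        return []
    return normalize_string_or_array(
        doc["eduperson_entitlement"], "eduperson_entitlement"
    )


def has_entitlement(userinfo_json: str, required: str) -> bool:
    """Exact-match check against the normalized list."""
    return required in entitlements_from_userinfo(userinfo_json)


def naive_has_entitlement(userinfo_json: str, required: str) -> bool:
    """The pitfall: works for arrays, but on a bare string `in` becomes
    a substring test, so a partial value matches. Shown for contrast;
    do not use this form."""
    value = json.loads(userinfo_json).get("eduperson_entitlement", [])
    return required in value


if __name__ == "__main__":
    for name, body in [("string", SINGLE_STRING_RESPONSE),
                       ("array", ARRAY_RESPONSE),
                       ("absent", ABSENT_RESPONSE)]:
        print(name, entitlements_from_userinfo(body),
              has_entitlement(body, "urn:example.org:foo"))
    # Substring pitfall on the string form:
    print("naive, partial value:",
          naive_has_entitlement(SINGLE_STRING_RESPONSE, "example.org"))
```

Normalizing at the boundary means the rest of the relying party only ever sees a list, so it behaves the same whether an IdP-to-OP bridge emits the single-valued case as a string or as a one-element array; the type check is what turns the ambiguity the mail describes into a deliberate, visible decision instead of a latent bug.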