[openid-specs-rande] SAML to OIDC mapping specification
Niels van Dijk
niels.vandijk at surf.nl
Tue Mar 2 09:08:10 UTC 2021
Hi Etienne,
By definition it is not possible to have the SAML friendly name match
one-on-one as OIDC does not support casing in the claim names, so
edupersonPrincipalName would need to map to edupersonprincipalname. I fear
we can discuss endlessly if that is more beautiful and/or more
understandable as compared to eduperson_principal_name. While indeed
there is an extra underscore in the names I very much doubt anybody will
misinterpret the intent of e.g. eduperson_principal_name. We simply
followed what seems to be the 'norm' in the IANA JWT registry:
https://www.iana.org/assignments/jwt/jwt.xml
However, since the document [2] was written, many have adopted the
proposal which means there are now multiple production instances
(including e.g. eduTEAMs, PERUN, SURF/Openconext) who use this
specification. I very much doubt they will be willing to change their
production platform and all connected RPs because of a few underscores.
Best,
Niels
On 01-03-2021 16:58, Etienne Dysli Metref wrote:
> Hello everyone,
>
> To get the ball rolling toward an official specification on how to map
> one's SAML attributes to OpenID Connect claims, I've started writing
> something and submitted a PR on Github [1].
>
> Since the earlier white paper [2] proposed different attribute names
> between the two worlds without any argument to justify this change, I
> went the opposite direction and reused the exact same names where the
> mapping is direct. This should help people familiar with SAML attributes
> in implementing them on their OpenID Provider.
>
> Cheers,
> Etienne
>
> [1] https://github.com/daserzw/oidc-edu-wg/pull/30
> [2]
> https://wiki.refeds.org/download/attachments/38895621/20181011-OIDC-WP.pdf?version=2&modificationDate=1539619007924&api=v2
>
>
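As an added illustration (not code from the PR, the white paper, or any of the deployments named in the thread), here is a small Python mapper that produces the three claim-name conventions under discussion: reusing the SAML friendly name unchanged, case-folding it, and the IANA-JWT-registry-style snake_case of the white paper. The eduPerson prefix rule, the standard-claim override table, the collapsing of single-valued attributes to scalars and the sample attribute statement are my assumptions.

```python
import re

# Prefix kept as one token in snake_case names; an assumption modelled on the
# thread's eduPersonPrincipalName -> eduperson_principal_name example.
COMPOUND_PREFIXES = ("eduPerson",)

# SAML names with an OIDC standard-claim counterpart are mapped explicitly
# rather than mechanically (illustrative subset, assumed).
STANDARD_OVERRIDES = {"sn": "family_name", "givenName": "given_name", "mail": "email"}


def _camel_to_snake(name: str) -> str:
    # insert "_" before every uppercase letter except a leading one
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def to_claim_name(friendly: str, style: str = "snake") -> str:
    """OIDC claim name for a SAML friendly name under one of three styles:
    exact  reuse the friendly name unchanged (the PR's approach)
    lower  case-fold it, e.g. edupersonprincipalname
    snake  IANA JWT registry style, e.g. eduperson_principal_name
    """
    if friendly in STANDARD_OVERRIDES:
        return STANDARD_OVERRIDES[friendly]
    if style == "exact":
        return friendly
    if style == "lower":
        return friendly.lower()
    if style != "snake":
        raise ValueError(f"unknown style {style!r}")
    for prefix in COMPOUND_PREFIXES:
        if friendly.startswith(prefix) and len(friendly) > len(prefix):
            return prefix.lower() + "_" + _camel_to_snake(friendly[len(prefix):])
    return _camel_to_snake(friendly)


def map_attributes(saml_attrs: dict, style: str = "snake") -> dict:
    """Turn {friendlyName: [values]} into an OIDC claims dict. Multi-valued
    attributes become arrays; single values collapse to a scalar (assumed)."""
    claims = {}
    for friendly, values in saml_attrs.items():
        name = to_claim_name(friendly, style)
        if name in claims:  # two attribute names folded onto one claim name
            raise ValueError(f"claim name collision on {name!r}")
        claims[name] = values[0] if len(values) == 1 else list(values)
    return claims


# Constructed sample attribute statement, as an IdP might release it.
SAMPLE = {
    "eduPersonPrincipalName": ["alice@example.org"],
    "eduPersonScopedAffiliation": ["member@example.org", "staff@example.org"],
    "sn": ["Example"],
}
```

The collision check in map_attributes is where the case-folded style differs in practice from the other two: lowercasing discards word boundaries, so two friendly names that differ only in case land on the same claim.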