[openid-specs-rande] SAML to OIDC mapping specification

Mischa Salle msalle at nikhef.nl
Tue Mar 2 10:50:57 UTC 2021


On Tue, Mar 02, 2021 at 10:08:10AM +0100, Niels van Dijk wrote:
> Hi Etienne,
> 
> By definition it is not possible to have the SAML friendly name match
> one-on-one as OIDC does not support casing in the claim names, so
> edupersonPrincipalName would need to map to edupersonprincipalname.

Actually it does: although none of the current claims are case sensitive,
the specs do allow it:
https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts
    "Since Claim Names are case sensitive ..."
and in particular https://tools.ietf.org/html/rfc7519#section-10.1.1
    "This name is case sensitive.  Names may not match other registered
    names in a case-insensitive manner unless the Designated Experts
    state that there is a compelling reason to allow an exception."

but definitely see below...

> I fear we
> can discuss endlessly if that is more beautiful and/or more understandable
> as compared to eduperson_principal_name. While indeed there is an extra
> underscore in the names I very much doubt anybody will misinterpret the
> intent of e.g. eduperson_principal_name. We simply followed what seems to be
> the 'norm' in the IANA JWT registry:
> https://www.iana.org/assignments/jwt/jwt.xml
> 
> However, since the document[2] was written, many have adopted the proposal
> which means there are now multiple production instances (including e.g.
> eduTEAMs, PERUN, SURF/Openconext) who use this specification. I very much
> doubt they will be willing to change their production platform and all
> connected RPs because of a few underscores.

I fully agree!

Cheers
Mischa

> On 01-03-2021 16:58, Etienne Dysli Metref wrote:
> > Hello everyone,
> > 
> > To get the ball rolling toward an official specification on how to map
> > one's SAML attributes to OpenID Connect claims, I've started writing
> > something and submitted a PR on Github [1].
> > 
> > Since the earlier white paper [2] proposed different attribute names
> > between the two worlds without any argument to justify this change, I
> > went the opposite direction and reused the exact same names where the
> > mapping is direct. This should help people familiar with SAML attributes
> > in implementing them on their OpenID Provider.
> > 
> > Cheers,
> >    Etienne
> > 
> > [1] https://github.com/daserzw/oidc-edu-wg/pull/30
> > [2]
> > https://wiki.refeds.org/download/attachments/38895621/20181011-OIDC-WP.pdf?version=2&modificationDate=1539619007924&api=v2
> > 
> > 

> -- 
> openid-specs-rande mailing list
> openid-specs-rande at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-rande


-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
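The point made above, that JWT claim names are compared case sensitively (RFC 7519 section 10.1.1) and that the two naming styles discussed (reusing the SAML friendly name versus the underscore form such as eduperson_principal_name) are therefore different claims, can be shown with a small mapping routine. This is an added illustration, not code from the thread, the OIDC-edu working group or any deployment mentioned; the mapping tables, the `mail` to `email` entry and the sample attribute values are constructed for the example.

```python
"""Map SAML attribute friendly names to OpenID Connect claim names.

Added illustration for the discussion above; not code from the working
group or the deployments named there. The two mapping tables are
constructed: one reuses the SAML friendly name unchanged, the other uses
the underscore style of the earlier white paper.
"""
import json

# Constructed mapping (hypothetical): SAML friendly name -> OIDC claim name.
# The strings are compared exactly, because JWT claim names are case
# sensitive (RFC 7519 section 10.1.1): "edupersonPrincipalName" and
# "eduperson_principal_name" are two distinct claims to every consumer.
CLAIM_MAP = {
    "mail": "email",                                     # standard OIDC claim
    "edupersonPrincipalName": "edupersonPrincipalName",  # SAML name reused as-is
}

# Same SAML input, older underscore naming; an RP configured for one table
# reads nothing from a token issued with the other.
CLAIM_MAP_UNDERSCORE = {
    "mail": "email",
    "edupersonPrincipalName": "eduperson_principal_name",
}


def case_insensitive_collisions(claim_names):
    """Return groups of distinct claim names that differ only in case.

    The JWT registry rule quoted in the thread refuses to register such
    pairs; an issuer that emits both is almost certainly misconfigured,
    so the mapping step treats it as an error rather than letting one
    claim shadow the other at a careless RP.
    """
    by_fold = {}
    for name in claim_names:
        by_fold.setdefault(name.casefold(), set()).add(name)
    return [sorted(group) for group in by_fold.values() if len(group) > 1]


def saml_to_oidc_claims(attributes, claim_map):
    """Translate SAML attributes (name -> list of values) into OIDC claims.

    SAML attributes are multi-valued, so single values are unwrapped and
    several values are kept as a list. Lookups are exact: an attribute
    whose name differs from a mapped name only in case is skipped, never
    matched loosely.
    """
    claims = {}
    for saml_name, values in attributes.items():
        if saml_name not in claim_map:
            continue
        oidc_name = claim_map[saml_name]
        claims[oidc_name] = values[0] if len(values) == 1 else list(values)
    collisions = case_insensitive_collisions(claims)
    if collisions:
        raise ValueError(f"claim names differ only by case: {collisions}")
    return claims


# Constructed sample assertion attributes (no real user data).
SAMPLE_ATTRIBUTES = {
    "mail": ["alice@example.org"],
    "edupersonPrincipalName": ["alice@example.org"],
    "displayName": ["Alice Example"],  # not in the map, so not emitted
}

if __name__ == "__main__":
    payload = saml_to_oidc_claims(SAMPLE_ATTRIBUTES, CLAIM_MAP)
    print(json.dumps(payload, indent=2))
    # The same input under the underscore convention yields a different claim set.
    print(json.dumps(saml_to_oidc_claims(SAMPLE_ATTRIBUTES, CLAIM_MAP_UNDERSCORE), indent=2))
    # A differently capitalised attribute name is not matched at all.
    print(saml_to_oidc_claims({"edupersonprincipalname": ["bob@example.org"]}, CLAIM_MAP))
```

Running it shows the two conventions producing different claim names for identical input, which is why the thread treats a rename as a breaking change for every connected RP, and the exact lookup shows that a mapping table has to contain the attribute name precisely as the IdP emits it.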
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3402 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-rande/attachments/20210302/62b2506d/attachment.bin>