[openid-specs-rande] SAML to OIDC mapping specification
Marcus Hardt
hardt at kit.edu
Tue Mar 2 11:28:23 UTC 2021
On 02. Mar 2021 10:08, Niels van Dijk wrote:
> Hi Etienne,
>
> By definition it is not possible to have the SAML friendly name match
> one-on-one as OIDC does not support casing in the claim names, so
> edupersonPrincipalName would need to map to edupersonprincipalname. I fear we
> can discuss endlessly if that is more beautiful and/or more understandable
> as compared to eduperson_principal_name. While indeed there is an extra
> underscore in the names I very much doubt anybody will misinterpret the
> intent of e.g. eduperson_principal_name. We simply followed what seems to be
> the 'norm' in the IANA JWT registry:
> https://www.iana.org/assignments/jwt/jwt.xml
>
> However, since the document[2] was written, many have adopted the proposal
> which means there are now multiple production instances (including e.g.
> eduTEAMs, PERUN, SURF/Openconext) who use this specification. I very much
> doubt they will be willing to change their production platform and all
> connected RPs because of a few underscores.
Same here: We've built our Helmholtz Infrastructure fully on the names
suggested by the whitepaper in [2].
Unless there is a very good reason to drop the '_', I don't think this
will happen.
Marcus.
> Best,
>
> Niels
>
> On 01-03-2021 16:58, Etienne Dysli Metref wrote:
> > Hello everyone,
> >
> > To get the ball rolling toward an official specification on how to map
> > one's SAML attributes to OpenID Connect claims, I've started writing
> > something and submitted a PR on Github [1].
> >
> > Since the earlier white paper [2] proposed different attribute names
> > between the two worlds without any argument to justify this change, I
> > went the opposite direction and reused the exact same names where the
> > mapping is direct. This should help people familiar with SAML attributes
> > in implementing them on their OpenID Provider.
> >
> > Cheers,
> > Etienne
> >
> > [1] https://github.com/daserzw/oidc-edu-wg/pull/30
> > [2]
> > https://wiki.refeds.org/download/attachments/38895621/20181011-OIDC-WP.pdf?version=2&modificationDate=1539619007924&api=v2
> >
> >
> --
> openid-specs-rande mailing list
> openid-specs-rande at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-rande
--
Marcus.