[openid-specs-rande] SAML to OIDC mapping specification

Mischa Salle msalle at nikhef.nl
Thu Mar 4 12:25:58 UTC 2021 

Hi Paul,

On Thu, Mar 04, 2021 at 10:38:57AM +0100, Paul Millar wrote:
> <delurk/>
> 
> On 03/03/2021 20:05, Marcus Hardt wrote:
> [...]
> > I know that at in the context of AARC a couple of Infrastructures followed
> > the mechanism mentioned in the REFEDS OIDCRE Whitepaper to translate from
> > eduPerson* to eduperson_*
> > 
> > - EGI
> > - EUDAT
> > - EduTeams
> > 
> > Also one national project I'm in volved in uses those.
> 
> Just to add some weight to Marcus' comments -- I'm a developer for dCache --
> large-scale scientific storage software deployed internationally.
> 
> We've adopted the REFEDS Whitepaper as the mapping from eduPerson attributes
> to OIDC claims.

that's good to hear!

> > I am not aware of different implementations. Are there any that did it
> > differently?
> 
> As it happens, I came across this:
> 
> https://www.cilogon.org/oidc
> 
> It looks like CILogin is returning some eduPerson attributes, but using a
> different mapping scheme (e.g., eduPersonPrincipalName stored as the "eppn"
> claim).

indeed, see also
https://cilogon.org/.well-known/openid-configuration

At the moment, the same is partially true for our RCauth CA,
https://pilot-ca1.rcauth.eu/oauth2/.well-known/openid-configuration
which used the earlier versions of the OIDCre paper for
eduPersonTargetedID, eduPersonPrincipalName and eduPersonUniqueId.
We later added eduperson_assurance and eduperson_scoped_affiliation so
could directly use the new "standard". I'm inclined to change fully to
the current whitepaper version, but am not 100% sure whether there are
people relying on the current names (most probably not).
 
> Perhaps there's an opportunity to reach out and involve the CILogin people?

I think Jim Basney is on this list, not 100% sure though.

Cheers,
Mischa

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..

More information about the openid-specs-rande mailing list