...
Based on the identifier properties, a mapping can be made of which implementations are compatible when translating between OIDC sub claims and SAML eduPerson identifiers. In the original tables the individual property cells were colour-coded (GREEN compatible, RED incompatible, ORANGE compatible only with a specific implementation); in this text rendering only the remarks column carries that information.
SAML to OIDC
Mapping eduPerson SAML ... => OIDC public sub claim
SAML identifiers compatibility for creating an OIDC public sub claim
...
Target: OIDC public sub claim

Identifier               | Non-reassigned | Opaque | Persistent | Unique per service | Remarks
-------------------------+----------------+--------+------------+--------------------+-----------------------------------
eduPersonPrincipalName   |                |        |            |                    | OIDC sub may not be reassigned
eduPersonUniqueId        |                |        |            |                    |
eduPersonTargetedID      |                |        |            |                    | public sub must not change per RP
SAML2 persistent NameID  |                |        |            |                    | public sub must not change per RP
SAML2 transient NameID   |                |        | NA         |                    | OIDC sub may not be reassigned
Mapping eduPerson SAML ... => OIDC pairwise sub claim
SAML identifiers compatibility for creating an OIDC pairwise sub claim
...
Note: for simplicity it is assumed that each RP consists of a single web site under single administrative control, so that a pairwise sub is unique per RP.
OIDC to SAML
Mapping OIDC public sub claim ... => SAML
SAML identifiers that can be created from an OIDC public sub claim
...
Source: OIDC public sub claim

Identifier               | Non-reassigned | Opaque | Persistent | Unique per service | Remarks
-------------------------+----------------+--------+------------+--------------------+------------------------------------------
eduPersonPrincipalName   |                |        |            |                    |
eduPersonUniqueId        |                |        |            |                    |
eduPersonTargetedID      |                |        |            |                    | public sub claim is not issued per SP
SAML2 persistent NameID  |                |        |            |                    | public sub claim is not issued per SP
SAML2 transient NameID   |                |        | NA         |                    | transient properties may be implemented by the proxy
Mapping OIDC pairwise sub claim ... => SAML
SAML identifiers that can be created from an OIDC pairwise sub claim
The table below marks compatible (GREEN) and incompatible (RED) mappings; in some cases compatibility can be achieved by a specific implementation choice (ORANGE).
Source: OIDC pairwise sub claim

Identifier               | Non-reassigned | Opaque | Persistent | Unique per service | Remarks
-------------------------+----------------+--------+------------+--------------------+--------------------------------------------------------------
eduPersonPrincipalName   |                |        |            |                    | Technically an opaque pairwise claim can be used, but this may be very unfriendly to end users, as ePPNs may be displayed to them
eduPersonUniqueId        |                |        |            |                    | Pairwise sub is unique per RP, whereas eduPersonUniqueId must be the same for every service
eduPersonTargetedID      |                |        |            |                    |
SAML2 persistent NameID  |                |        |            |                    |
SAML2 transient NameID   |                |        | NA         |                    | Transient NameID is unique per service by definition
An OIDC pairwise sub claim can be mapped to a SAML2 Persistent NameID.
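As an added worked example (not code from the original page), the following proxy logic applies the mappings above in both directions: an OIDC public sub is taken only from eduPersonUniqueId (ePPN may be reassigned, eduPersonTargetedID and persistent NameID are per SP), a pairwise sub is derived per RP sector from a stable upstream identifier, a pairwise sub is turned back into a per-SP SAML2 persistent NameID, and a transient NameID is generated by the proxy itself. The per-service derivation follows the pattern OIDC Core 1.0 section 8.1 describes for pairwise subjects (a keyed hash over sector identifier, local account identifier and a salt); the IdentifierProxy class, its method names, the salt handling and the sample attribute values are assumptions made for this illustration.

```python
"""Identifier mapping in a SAML <-> OIDC proxy (added worked example).

Not code from the original page. Identifier names are the eduPerson / SAML2 /
OIDC ones discussed above; the IdentifierProxy class, its method names, the
salt handling and the sample values are assumptions for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample: attributes a proxy might receive from an upstream IdP.
SAMPLE_SAML_ATTRIBUTES: Dict[str, str] = {
    # human-readable and, per eduPerson, MAY be reassigned to another person
    "eduPersonPrincipalName": "jdoe@example.edu",
    # opaque, non-reassigned, identical for every service
    "eduPersonUniqueId": "28c5353b8bb34984a8bd4169ba94c606@example.edu",
    # opaque persistent value scoped to this proxy as the SP
    "eduPersonTargetedID": "d7e0c9f2a4b8e1c3f5a6b7c8d9e0f1a2",
}


class IdentifierProxy:
    """Derives downstream identifiers from upstream ones without enabling correlation."""

    def __init__(self, pairwise_salt: bytes) -> None:
        # The salt must be secret and stable: rotating it silently changes every
        # pairwise sub and persistent NameID ever issued, i.e. reassigns accounts.
        self._salt = pairwise_salt

    def public_sub(self, attrs: Dict[str, str]) -> Optional[str]:
        """OIDC public sub: identical for every RP and never reassigned.

        Only eduPersonUniqueId has both properties (ePPN may be reassigned,
        eduPersonTargetedID / persistent NameID change per SP). None tells the
        caller that no public sub can be issued for this user.
        """
        return attrs.get("eduPersonUniqueId")

    def pairwise_sub(self, attrs: Dict[str, str], sector_identifier: str) -> Optional[str]:
        """OIDC pairwise sub: stable for one RP (sector), different for another."""
        local_id = attrs.get("eduPersonUniqueId") or attrs.get("eduPersonTargetedID")
        if local_id is None:
            # ePPN is deliberately not a fallback: its reassignment would hand
            # the derived account to a different person.
            return None
        return self._derive(sector_identifier, local_id)

    def persistent_name_id(self, oidc_sub: str, sp_entity_id: str) -> str:
        """SAML2 persistent NameID for one SP, derived from an OIDC (pairwise) sub."""
        return self._derive(sp_entity_id, oidc_sub)

    @staticmethod
    def transient_name_id() -> str:
        """SAML2 transient NameID: fresh random value per session, made by the proxy."""
        return "_" + secrets.token_urlsafe(32)

    def _derive(self, scope: str, local_id: str) -> str:
        # Keyed hash: a downstream party cannot recover local_id from the value,
        # and values for two scopes cannot be correlated without the salt.
        # The NUL separator keeps (scope, local_id) unambiguous.
        message = scope.encode("utf-8") + b"\x00" + local_id.encode("utf-8")
        return hmac.new(self._salt, message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    proxy = IdentifierProxy(pairwise_salt=b"constructed-demo-salt-keep-secret")
    print("public sub  :", proxy.public_sub(SAMPLE_SAML_ATTRIBUTES))
    for rp in ("https://rp1.example.org", "https://rp2.example.org"):
        sub = proxy.pairwise_sub(SAMPLE_SAML_ATTRIBUTES, rp)
        print("pairwise sub for", rp, ":", sub)
        print("  -> persistent NameID for https://sp.example.edu:",
              proxy.persistent_name_id(sub, "https://sp.example.edu"))
    print("transient NameID:", proxy.transient_name_id())
```

The salt is the critical piece of state: it is what makes the derived values opaque and uncorrelatable across RPs and SPs, and it must be backed up with the same care as a signing key, since losing it reassigns every identifier the proxy has ever issued.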