...

Based on the identifier properties (non-reassigned, opaque, persistent, unique per service), a mapping can be made of which implementations are compatible when going between OIDC sub claims and SAML eduPerson identifiers.

SAML to OIDC

Mapping eduPerson SAML

...

=> OIDC public sub Claim

SAML identifiers compatibility for creating an OIDC public claim

...

Identifier                  Non-reassigned  Opaque  Persistent  Unique per service  Remarks
eduPerson SAML identifiers
  eduPersonPrincipalName    no              no      yes         no                  OIDC sub may not be reassigned
  eduPersonUniqueId         yes             yes     yes         no
  eduPersonTargetedID       yes             yes     yes         yes                 Public sub must not change per RP
  SAML2 Persistent NameID   yes             yes     yes         yes                 Public sub must not change per RP
  SAML2 Transient NameID    n/a             yes     no          no                  OIDC sub may not be reassigned
OIDC sub claims
  Public                    yes             ?       yes         no

Key: yes = compatible (green), no = incompatible (red), ? = depends on the implementation (orange), n/a = not applicable.

Mapping eduPerson SAML

...

=> OIDC pairwise sub Claim

SAML identifiers compatibility for creating an OIDC pairwise claim

...

Note: for simplicity it is assumed there is only one web site under a single administrative control.

OIDC to SAML

Mapping OIDC public sub Claim

...

=> SAML

SAML identifiers that can be created from an OIDC public claim

...

Identifier                  Non-reassigned  Opaque  Persistent  Unique per service  Remarks
eduPerson SAML identifiers
  eduPersonPrincipalName    no              no      yes         no
  eduPersonUniqueId         yes             yes     yes         no
  eduPersonTargetedID       yes             yes     yes         yes                 Public sub claim is not issued per SP
  SAML2 Persistent NameID   yes             yes     yes         yes                 Public sub claim is not issued per SP
  SAML2 Transient NameID    n/a             yes     no          no                  Transient properties may be implemented by a proxy
OIDC sub claims
  Public                    yes             ?       yes         no

Mapping OIDC pairwise sub Claim

...

=> SAML

SAML identifiers that can be created from an OIDC pairwise claim

The table below marks compatible (yes, green) and incompatible (no, red) mappings. In some cases compatibility can be achieved by a specific implementation (?, orange).

Identifier                  Non-reassigned  Opaque  Persistent  Unique per service  Remarks
eduPerson SAML identifiers
  eduPersonPrincipalName    no              no      yes         no                  Technically an opaque pairwise claim can be used as ePPN, but this may be very unfriendly to end users, as ePPNs may be displayed to them
  eduPersonUniqueId         yes             yes     yes         no                  Pairwise sub is unique per RP
  eduPersonTargetedID       yes             yes     yes         yes
  SAML2 Persistent NameID   yes             yes     yes         yes
  SAML2 Transient NameID    n/a             yes     no          no                  Transient NameID is unique per service by definition
OIDC sub claims
  Pairwise                  yes             yes     yes         yes

An OIDC pairwise sub claim can be mapped directly to a SAML2 Persistent NameID: both are non-reassigned, opaque, persistent and unique per service.
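The following is an added example, not code from this wiki page or from any eduPerson/OIDC implementation. It encodes the identifier properties from the tables above, uses them to decide whether a SAML identifier can be passed through as an OIDC public or pairwise sub (the SAML to OIDC direction), derives a per-RP pairwise sub from a global identifier such as eduPersonUniqueId, and passes a pairwise sub through as a SAML2 Persistent NameID (the OIDC to SAML direction). The function names, the sample values and the HMAC-SHA256 derivation are this example's assumptions; the derivation inputs only follow the shape of OIDC Core section 8.1.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IdProps:
    """The four identifier properties used in the tables above.
    non_reassigned is None where the property does not apply (transient IDs)."""
    non_reassigned: Optional[bool]
    opaque: bool
    persistent: bool
    unique_per_service: bool


# SAML-side identifiers with the properties the tables assign them.
SAML_IDS: Dict[str, IdProps] = {
    "eduPersonPrincipalName":  IdProps(False, False, True,  False),
    "eduPersonUniqueId":       IdProps(True,  True,  True,  False),
    "eduPersonTargetedID":     IdProps(True,  True,  True,  True),
    "SAML2 Persistent NameID": IdProps(True,  True,  True,  True),
    "SAML2 Transient NameID":  IdProps(None,  True,  False, False),
}


def usable_as_public_sub(name: str) -> Tuple[bool, str]:
    """Can this SAML identifier be passed through unchanged as an OIDC public sub?
    OIDC Core requires sub to be never reassigned and stable; a public sub is the
    same value for every RP, so a per-service identifier does not fit."""
    p = SAML_IDS[name]
    if p.non_reassigned is not True:
        return False, "OIDC sub may not be reassigned"
    if not p.persistent:
        return False, "OIDC sub must be stable across sessions"
    if p.unique_per_service:
        return False, "public sub must not differ per RP"
    return True, "compatible"


def usable_as_pairwise_sub(name: str) -> Tuple[bool, str]:
    """Can this SAML identifier serve as, or be turned into, an OIDC pairwise sub?"""
    p = SAML_IDS[name]
    if p.non_reassigned is not True or not p.persistent:
        return False, "pairwise sub must be persistent and never reassigned"
    if p.unique_per_service:
        return True, "pass through: already unique per service"
    return True, "derive a per-RP value from the global identifier"


def derive_pairwise_sub(local_id: str, sector_identifier: str, salt: bytes) -> str:
    """Per-RP sub derived from a global, stable identifier such as eduPersonUniqueId.
    Inputs (sector identifier, local account id, secret salt) follow the shape of
    OIDC Core section 8.1; keying HMAC-SHA256 with the salt is this example's choice,
    so the value is opaque and cannot be linked back without the salt."""
    msg = sector_identifier.encode("utf-8") + b"\x00" + local_id.encode("utf-8")
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def saml_to_pairwise_sub(name: str, value: str, sector_identifier: str, salt: bytes) -> str:
    """SAML identifier -> OIDC pairwise sub for one RP identified by sector_identifier."""
    ok, why = usable_as_pairwise_sub(name)
    if not ok:
        raise ValueError(f"{name}: {why}")
    if SAML_IDS[name].unique_per_service:
        # Under the page's single-web-site assumption the targeted value already
        # belongs to this one service; a proxy fronting several RPs should derive instead.
        return value
    return derive_pairwise_sub(value, sector_identifier, salt)


def pairwise_sub_to_persistent_nameid(sub: str, issuer: str, sp_entity_id: str) -> Dict[str, str]:
    """OIDC pairwise sub -> SAML2 Persistent NameID. The pairwise sub already has all
    four properties of a persistent NameID, so the value passes through unchanged;
    only the SAML qualifiers are added."""
    return {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "NameQualifier": issuer,
        "SPNameQualifier": sp_entity_id,
        "value": sub,
    }


if __name__ == "__main__":
    # Constructed sample values; in a real proxy the salt is a long-lived secret.
    salt = b"example-proxy-salt-do-not-reuse"
    for ident in SAML_IDS:
        print(f"{ident:24s} public={usable_as_public_sub(ident)} pairwise={usable_as_pairwise_sub(ident)}")
    uid = "a1b2c3d4e5f6@example.edu"  # constructed eduPersonUniqueId
    sub_rp1 = saml_to_pairwise_sub("eduPersonUniqueId", uid, "rp1.example.org", salt)
    sub_rp2 = saml_to_pairwise_sub("eduPersonUniqueId", uid, "rp2.example.org", salt)
    print("per-RP subs differ:", sub_rp1 != sub_rp2)
    print(pairwise_sub_to_persistent_nameid(sub_rp1, "https://proxy.example.org", "https://sp.example.org"))
```

Running the script prints the compatibility verdict for each SAML identifier (only eduPersonUniqueId passes as a public sub; ePPN and the transient NameID are rejected for both sub types), shows that the same eduPersonUniqueId yields different pairwise subs for two RPs, and emits the qualifiers a persistent NameID would carry for the pass-through in the other direction.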