...
Based on the identifier properties, a mapping can be made of which implementations are compatible when going between OIDC sub claims and eduPerson SAML identifiers.
SAML to OIDC
Mapping eduPerson SAML => OIDC public sub
...
claim
SAML identifiers compatibility for creating an OIDC public claim
...
Identifier | Non-reassigned | Opaque | Persistent | Unique per Service | Remarks
--- | --- | --- | --- | --- | ---
eduPerson SAML identifiers | | | | |
eduPersonPrincipalName | | | | | OIDC sub may not be reassigned
eduPersonUniqueId | | | | |
eduPersonTargetedID | | | | | Public sub must not change per RP
SAML2 Persistent NameID | | | | | Public sub must not change per RP
SAML2 transient NameID | NA | | | | OIDC sub may not be reassigned
OIDC sub claims | | | | |
Public | | | | |
Mapping eduPerson SAML => OIDC pairwise sub
...
claim
SAML identifiers compatibility for creating an OIDC pairwise claim
...
Note: For simplicity it is assumed that each RP is a single web site under single administrative control, so one sector identifier and therefore one pairwise sub per RP.
OIDC to SAML
Mapping OIDC public sub
...
claim => SAML
SAML identifiers that can be created from an OIDC public claim
...
Identifier | Non-reassigned | Opaque | Persistent | Unique per Service | Remarks
--- | --- | --- | --- | --- | ---
eduPerson SAML identifiers | | | | |
eduPersonPrincipalName | | | | |
eduPersonUniqueId | | | | |
eduPersonTargetedID | | | | | public sub claim is not issued per SP
SAML2 Persistent NameID | | | | | public sub claim is not issued per SP
SAML2 transient NameID | NA | | | | transient properties may be implemented by proxy
OIDC sub claims | | | | |
Public | | | | |
Mapping OIDC pairwise sub
...
claim => SAML
SAML identifiers that can be created from an OIDC pairwise claim
...
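The following is an added worked example, not code from the original page or from any proxy product. It turns the remarks of the two tables above ("SAML identifiers compatibility for creating an OIDC public claim" and "SAML identifiers that can be created from an OIDC public claim") into the checks and derivations a SAML-to-OIDC proxy would run: a public sub is only accepted from a SAML identifier that is neither reassignable nor targeted, per-SP SAML identifiers are derived from a public sub because that sub is not issued per SP, and transient NameIDs are minted by the proxy itself. The pairwise derivation keyed on a sector identifier follows the Note on the pairwise mapping and assumes, beyond what the tables state, that the source identifier must be persistent and non-reassigned. The HMAC-SHA256 construction, the `MappingError` type, the proxy key, the scope, the entityIDs and all attribute values are this example's own assumptions and constructed inputs.

```python
"""Proxy-side mapping between eduPerson SAML identifiers and OIDC sub claims.

Added example, not code from the original page. The proxy key, entityIDs,
scope and attribute values below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import secrets


class MappingError(ValueError):
    """Raised when a SAML identifier cannot back the requested OIDC sub claim."""


# Remark column of the table "SAML identifiers compatibility for creating an
# OIDC public claim", keyed by SAML identifier. An identifier absent from this
# dict (eduPersonUniqueId) can be passed through as the public sub unchanged.
PUBLIC_SUB_BLOCKERS = {
    "eduPersonPrincipalName": "OIDC sub may not be reassigned",
    "eduPersonTargetedID": "Public sub must not change per RP",
    "SAML2 Persistent NameID": "Public sub must not change per RP",
    "SAML2 transient NameID": "OIDC sub may not be reassigned",
}


def public_sub_from_saml(identifier: str, value: str) -> str:
    """Use a SAML identifier as the OIDC public sub, or refuse with the table's remark."""
    reason = PUBLIC_SUB_BLOCKERS.get(identifier)
    if reason:
        raise MappingError(f"{identifier}: {reason}")
    return value


def _derive(key: bytes, purpose: str, audience: str, value: str) -> str:
    """Opaque, deterministic, per-audience value: HMAC-SHA256 over (purpose, audience, value).

    Without the proxy key the outputs for two audiences cannot be linked.
    The HMAC construction is this example's choice, not something the page specifies.
    """
    msg = f"{purpose}\x00{audience}\x00{value}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pairwise_sub_from_saml(identifier: str, value: str, sector_identifier: str, key: bytes) -> str:
    """Derive an OIDC pairwise sub for one sector identifier (one web site, as in the Note).

    Assumption (not stated by the tables): the pairwise sub must itself be persistent and
    non-reassigned, so a transient NameID and the reassignable eduPersonPrincipalName are
    refused; eduPersonUniqueId and targeted identifiers issued to the proxy, which is a
    single SP, are stable for the proxy and can be used as the source.
    """
    if identifier == "SAML2 transient NameID":
        raise MappingError(f"{identifier}: a pairwise sub must be persistent")
    if identifier == "eduPersonPrincipalName":
        raise MappingError(f"{identifier}: OIDC sub may not be reassigned")
    return _derive(key, "pairwise", sector_identifier, value)


def saml_from_public_sub(sub: str, scope: str, sp_entity_id: str, key: bytes) -> dict:
    """Table "SAML identifiers that can be created from an OIDC public claim".

    eduPersonTargetedID and the persistent NameID are derived per SP because the
    "public sub claim is not issued per SP"; the transient NameID is minted fresh
    on every call because "transient properties may be implemented by proxy".
    Assumes sub only contains characters allowed in the local part of
    eduPersonPrincipalName / eduPersonUniqueId.
    """
    targeted = _derive(key, "targeted", sp_entity_id, sub)
    return {
        "eduPersonPrincipalName": f"{sub}@{scope}",
        "eduPersonUniqueId": f"{sub}@{scope}",
        "eduPersonTargetedID": targeted,
        "SAML2 Persistent NameID": targeted,
        "SAML2 transient NameID": secrets.token_urlsafe(32),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed proxy key; keep it stable in a real deployment
    print(public_sub_from_saml("eduPersonUniqueId", "8f3a1c@idp.example.org"))
    try:
        public_sub_from_saml("eduPersonTargetedID", "a1b2c3d4")
    except MappingError as err:
        print("refused:", err)
    print(pairwise_sub_from_saml("eduPersonUniqueId", "8f3a1c@idp.example.org",
                                 "https://rp.example.com", key))
    print(saml_from_public_sub("8f3a1c", "proxy.example.org",
                               "https://sp1.example.edu/shibboleth", key))
```

The proxy key must be long-lived: rotating it changes every derived eduPersonTargetedID and persistent NameID, which is exactly the reassignment the tables warn about, so the key belongs in the same backup and custody regime as the proxy's signing key.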