...
Based on the identifier properties, a mapping can be made on what would be compatible implementations, going between OIDC and SAML eduPERSON
SAML to OIDC
Mapping eduPerson SAML => OIDC public sub
...
claim
SAML identifiers compatibility for creating an OIDC public claim
...
| Identifier Properties | Properties | |||||
| Non-reassigned | Opaque | Persistent | Unique per Service | Remarks | ||
| eduPerson SAML Identifiers | ||||||
| eduPersonPrincipalName |  | |  | | OIDC sub may not be reassigned | |
| eduPersonUniqueId | | | | | ||
| eduPersonTargetedID | | | | | Public sub must not change per RP | |
| SAML2 Persistent NameID | | | | | Public sub must not change per RP | |
| SAML2 transient Name ID | NA | | | | OIDC sub may not be reassigned | |
| OIDC Sub claims | ||||||
| Public | |  | | |
Mapping eduPerson SAML => OIDC pairwise sub
...
claim
SAML identifiers compatibility for creating an OIDC pairwise claim
...
Note:For simplicity it is assumed there is only 1 Web sites under single administrative control
OIDC to SAML
Mapping OIDC public sub
...
claim => SAML
SAML identifiers that can be created from an OIDC public claim
...
| Identifier Properties | Properties | |||||
| Non-reassigned | Opaque | Persistent | Unique per Service | Remarks | ||
| eduPerson SAML Identifiers | ||||||
| eduPersonPrincipalName | | | | | ||
| eduPersonUniqueId | | | | | ||
| eduPersonTargetedID | | | | | public sub claim is not issues per SP | |
| SAML2 Persistent NameID | | | | | public sub claim is not issues per SP | |
| SAML2 transient Name ID | NA | | | | transient properties may be implemented by proxy | |
| OIDC Sub claims | ||||||
| Public | | | | |
Mapping OIDC pairwise sub
...
claim => SAML
SAML identifiers that can be created from an OIDC pairwise claim
...