Scope vs Claims
- Scope and Claim are defined in openid-connect-core
- Claims are similar to attributes/assertions in SAML protocol
- A scope usually consists of multiple claims
Scope and Claims that Stanford OP Supports
Quick lookup
| Scope | Claim | Single/Multi | LDAP Source |
|---|---|---|---|
| openid | sub(public/pairwise) | Single | suRegID@stanford.edu |
| profile | name | Single | displayName |
| profile | given_name | Single | suDisplayNameFirst |
| profile | family_name | Single | suDisplayNameLast |
| profile | preferred_username | Single | uid |
| Single | eduPersonPrincipalName | ||
| email_verified | Boolean | false | |
| eduperson_scoped_affiliation | eduPersonScopedAffiliation | Multi | eduPersonScopedAffiliation |
| eduperson_entitlement | eduPersonEntitlement | Multi | suPrivilegeGroup |
| eduperson_assurance | eduPersonAssurance | Multi | See eduPersonAssurance |
Claims and its source attributes
"name"
- SAML Attriutes: urn:oid:2.16.840.1.113730.3.1.241 (displayName)
- OIDC scope: profile
- Single-valued
- Example: Mandy Dougherty
"given_name"
- In the specification of urn:oid:2.5.4.42 (givenName) it is stated that the attribute supports multiple values, but the OIDC claim support only a single value.
- OIDC scope: profile
- Single
- Propose to use suDisplayNameFirst
- Example: Mandy
"family_name"
- In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values, but the OIDC claim support only a single value.
- OIDC scope: profile
- Single-valued
- Propose to use suDisplayNameLast
- Example: Dougherty
"preferred_username"
- SAML Attriutes: urn:oid:0.9.2342.19200300.100.1.1 (uid)
- OIDC scope: profile
- Single-valued
- Example: mdougher
"email"
- SAML Attribute: eduPersonPrincipalName
- OIDC scope: email
- Issues: Mandatory in OIDC claim as a single value. Not all users have email defined. (urn:oid:0.9.2342.19200300.100.1.3 (email))
- Single-valued
- Propose to use eduPersonPrincipalName
- Example: mdougher@stanford.edu
"eduPersonScopedAffiliation"
- SAML Attriutes: urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (eduPersonScopedAffiliation)
- OIDC scope: eduperson_scoped_affiliation
- Multi-valued
- Examples: member@stanford.edu staff@stanford.edu
"eduPersonEntitlement"
- SAML urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
- OIDC scope: eduperson_entitlement
- Multi-valued
- Examples: stanford:stanford stem:workgroup-1
"eduPersonAssurance"
- SAML Attribute: urn:oid:1.3.6.1.4.1.5923.1.1.1.11 (eduPersonAssurance)
- OIDC scope: eduperson_assurance
- Multi-valued
- Examples:
