Scope and Claims

Scope vs Claims

• Scope and Claim are defined in openid-connect-core
• Claims are similar to attributes/assertions in SAML protocol
• A scope usually consists of multiple claims

Scope and Claims that Stanford OP Supports

Quick lookup

Scope	Claim	Single/Multi	LDAP Source
openid	sub(public/pairwise)	Single	suRegID@stanford.edu
profile	name	Single	displayName
profile	given_name	Single	suDisplayNameFirst
profile	family_name	Single	suDisplayNameLast
profile	preferred_username	Single	uid
email	email	Single	eduPersonPrincipalName
email	email_verified	Boolean	false
eduperson_scoped_affiliation	eduPersonScopedAffiliation	Multi	eduPersonScopedAffiliation
eduperson_entitlement	eduPersonEntitlement	Multi	suPrivilegeGroup
eduperson_entitlement	groups	Multi, json array	suPrivilegeGroup
eduperson_assurance	eduPersonAssurance	Multi	See eduPersonAssurance

Claims and its source attributes

"name"

• SAML Attriutes: urn:oid:2.16.840.1.113730.3.1.241 (displayName)
• OIDC scope: profile
• Single-valued
• Example: Mandy Dougherty

"given_name"

• In the specification of urn:oid:2.5.4.42 (givenName) it is stated that the attribute supports multiple values, but the OIDC claim support only a single value.
• OIDC scope: profile
• Single
• Propose to use suDisplayNameFirst
• Example: Mandy

"family_name"

• In the specification of urn:oid:2.5.4.4 it is stated that the attribute supports multiple values, but the OIDC claim support only a single value.
• OIDC scope: profile
• Single-valued
• Propose to use suDisplayNameLast
• Example: Dougherty

"preferred_username"

• SAML Attriutes: urn:oid:0.9.2342.19200300.100.1.1 (uid)
• OIDC scope: profile
• Single-valued
• Example: mdougher

"email"

• SAML Attribute: eduPersonPrincipalName
• OIDC scope: email
• Issues: Mandatory in OIDC claim as a single value. Not all users have email defined. (urn:oid:0.9.2342.19200300.100.1.3 (email))
• Single-valued
• Propose to use eduPersonPrincipalName
• Example: mdougher@stanford.edu

"eduPersonScopedAffiliation"

• SAML Attriutes: urn:oid:1.3.6.1.4.1.5923.1.1.1.9 (eduPersonScopedAffiliation)
• OIDC scope: eduperson_scoped_affiliation
• Multi-valued
• Examples: member@stanford.edu staff@stanford.edu

"eduPersonEntitlement"

• SAML urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
• OIDC scope: eduperson_entitlement
• Multi-valued
• Examples: stanford:stanford stem:workgroup

"groups"

• SAML urn:oid:1.3.6.1.4.1.5923.1.1.1.7 (eduPersonEntitlement)
• OIDC scope: eduperson_entitlement
• Multi-valued, json array format
• Examples: ["stanford:stanford", "stem:workgroup"]

"eduPersonAssurance"

• SAML Attribute: urn:oid:1.3.6.1.4.1.5923.1.1.1.11 (eduPersonAssurance)
• OIDC scope: eduperson_assurance
• Multi-valued
• Examples:
  • https://refeds
  • https://refeds/ID/unique
  • https://refeds/ID/eppn-unique-no-reassign
  • https://refeds/IAP/low
  • https://refeds/ATP/ePA-1m

References

• Geant's Attriutes Available to Relying Parties
• REFEDS eduPerson Definition