Trust and Internet Identity Meeting Europe
5-6 Feb 2018: Workshops and Tutorials
7-8 Feb 2018: Unconference

TIIME 2017: Session 7: Mapping between (e.g.) SAML & OIDC attributes

(Mischa Sallé)

Best practice: SAML to OIDC attribute/claim mapping

Various attempts

Started with an informal group. REFEDS mailing list archive:

Wiki page:

RFC working doc:

Planning/mapping spreadsheet:

A few people (Niels van Dijk, Jim Basney, ...) have already discussed this and presented it at EWTI in December 2015.

Notes from the previous EWTI session:

In the SAML world we have distributed federation, whereas OIDC does not, although some work is going on in that direction.

This is a very pragmatic effort: we come up with a best-practice recommendation, as is done in SAML. In the end, whether you do mapping is always an implementation choice.

Markus is displaying documents from the OIDCre wiki:

Straight mapping from A to B

On the mapping: "I want to make sure that it goes both ways."

We are talking about page 24 in

It shows a mapping of eduPerson attributes to OIDC claims. Remark: sub is not globally scoped but local to the issuer; to be unambiguous you need to write iss+sub.

We should define something so that anybody can participate to work on this.

Two mapping strategies in use at the same time: first, map the basic information (this should work with a basic client out of the box); next, an additional profile that maps the complete set of eduPerson attributes to claims.

Extensions for clients for advanced scenarios.
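The two-level strategy above (basic claims any client understands, plus an extension profile carrying the full eduPerson/SCHAC set) and the earlier remark that sub is only unique within its issuer, as an added worked example in Python. This is example code written for these notes, not code from the session, the REFEDS OIDCre WG or any IdP/OP product. Assumptions: the sample attribute statement is constructed; the extension claim names (eduperson_principal_name etc.) and the never-map list are illustrative placeholders, not names the WG adopted; eduPersonPrincipalName feeds sub only as a stand-in for the open identifier question.

```python
import hashlib
import json

# Constructed sample input: the attribute statement a SAML IdP released for one
# user. Attribute names are eduPerson / inetOrgPerson / SCHAC; in SAML every
# value is a list, even when there is only one.
SAML_ATTRIBUTES = {
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "eduPersonScopedAffiliation": ["member@example.edu", "staff@example.edu"],
    "displayName": ["Jane Doe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mail": ["jane.doe@example.edu", "jdoe@example.edu"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    "schacHomeOrganization": ["example.edu"],
    "schacDateOfBirth": ["19800101"],
}

# Basic profile: attribute -> OIDC standard claim (OpenID Connect Core 1.0,
# section 5.1). Standard claims are single-valued strings, so this level is
# lossy for multi-valued attributes but works with any off-the-shelf client.
BASIC_PROFILE = {
    "displayName": "name",
    "givenName": "given_name",
    "sn": "family_name",
    "mail": "email",
}

# Extension profile for the rest of eduPerson/SCHAC. Claims at this level are
# always JSON arrays. The claim names are this example's assumption, not
# names adopted by the REFEDS OIDCre WG.
EXTENSION_PROFILE = {
    "eduPersonPrincipalName": "eduperson_principal_name",
    "eduPersonScopedAffiliation": "eduperson_scoped_affiliation",
    "eduPersonEntitlement": "eduperson_entitlement",
    "schacHomeOrganization": "schac_home_organization",
}

# Attributes that must never appear in a mapping without an explicit release
# decision (the "red" rows of the session's table); the list is assumed.
NEVER_MAP = {"schacDateOfBirth", "schacGender"}


def check_mapping(mapping):
    """Return the attributes in `mapping` that are on the never-map list."""
    return set(mapping) & NEVER_MAP


def map_attributes(attrs, mapping, single_valued):
    """Apply one profile. Returns (claims, warnings); a warning is recorded for
    every value dropped when a multi-valued attribute meets a single-valued
    claim, so the lossy step is visible instead of silent."""
    forbidden = check_mapping(mapping)
    if forbidden:
        raise ValueError(f"refusing to map {sorted(forbidden)}")
    claims, warnings = {}, []
    for attr, claim in mapping.items():
        values = attrs.get(attr, [])
        if not values:
            continue
        if single_valued:
            claims[claim] = values[0]
            if len(values) > 1:
                warnings.append(f"{attr}: dropped {values[1:]} mapping to {claim}")
        else:
            claims[claim] = list(values)
    return claims, warnings


def build_claims(attrs, issuer, sub_attr="eduPersonPrincipalName"):
    """OP side (for instance a SAML-to-OIDC proxy): assemble both levels into
    one claim set. Which attribute should feed `sub` is the open identifier
    question from the session; eduPersonPrincipalName is a placeholder here."""
    basic, warnings = map_attributes(attrs, BASIC_PROFILE, single_valued=True)
    extension, _ = map_attributes(attrs, EXTENSION_PROFILE, single_valued=False)
    claims = {"iss": issuer, "sub": attrs[sub_attr][0], **basic, **extension}
    return claims, warnings


def global_user_key(claims):
    """RP side. `sub` is only unique within its issuer (OpenID Connect Core 1.0,
    section 2), so a relying party that talks to several OPs must key users on
    (iss, sub). Both parts are length-prefixed before hashing so that no two
    distinct pairs can produce the same digest."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        raise ValueError("iss and sub are both required")
    material = b"".join(
        len(p).to_bytes(4, "big") + p for p in (iss.encode(), sub.encode())
    )
    return hashlib.sha256(material).hexdigest()


if __name__ == "__main__":
    claims, warnings = build_claims(SAML_ATTRIBUTES, "https://op.example.edu")
    print(json.dumps(claims, indent=2))
    for w in warnings:
        print("warning:", w)
    # The same local `sub` at two issuers must map to two different users.
    a = global_user_key({"iss": "https://op-a.example.edu", "sub": "1001"})
    b = global_user_key({"iss": "https://op-b.example.edu", "sub": "1001"})
    print("same sub, same user?", a == b)
```

Two design points worth noting: the basic level deliberately reports every value it drops, because silently picking the first of several mail values is exactly the kind of "yellow" problem the table flags; and the never-map check runs on the profile rather than on the user's data, so a misconfigured mapping fails on the first request instead of leaking a birthdate for a user who happens to have one.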

Next we see a table. Everything marked yellow is problematic.

Potential issues (Column "Remark"):

Roland can no longer chair the REFEDS OIDCre WG; Niels van Dijk volunteers to take it over.

Maarten proposes forwarding this as a strawman proposal to Nicole and asking her to start a consultation in REFEDS. Registration can happen afterwards. The chances of having this recognized by the OIDC group are low. The proposal should be limited to the R&S attributes.

It would be nice if Niels sends a message to Nicole at the end of the session.

First we will solve the simple mapping scenario:

How to deal with the identifier? Red parts of the table (gender, birth date, ...): we should be able to come up with a safe list.

Niels' proposal for order of handling things:

  1. Simple mapping
  2. All (of the useful parts of) eduPerson/SCHAC
  3. R&S

Double-checking what the 'simple mapping' list is:

- Identifier (proposal in a comment from Tom Scavo on the OIDCre wiki)

The problematic attributes:

We already have a global community to give feedback.

Everyone who wants to can join the REFEDS OIDCre working group.

Leif suggested starting a claims registry at IANA, to have easy, unambiguous handles for any OIDC/SAML/etc. attribute. There could actually be an IETF FO working group for a couple of topics, which would provide the resources for this.

There should be an IETF work stream. We need to write an RFC.

Niels will write a proposal on which attributes to use.

Niels will present the conclusions in the summary session.