...

Most services require extra information about the authenticated user, such as name, email address or affiliation. In OpenID Connect (OIDC) this extra information comes in the form of claims, whereas in SAML the same data is called attributes. In SURFconext, the user authenticates at their Identity Provider; this leg is entirely SAML. SURFconext, acting as the OpenID Provider, translates the incoming SAML attributes to OIDC claims and serves them at the userinfo endpoint for your Service Provider (called Relying Party in OIDC) to consume.

Info

Please note: SURFconext only caches the claims at the userinfo endpoint for a limited time, namely 1 hour after a successful authentication. If you request claims at the userinfo endpoint after this, the user is required to re-authenticate, so a Relying Party should fetch the claims it needs promptly after the authentication and must be prepared to start a new authorization request rather than retrying the userinfo call.
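The following is an added example of how a Relying Party can consume the userinfo endpoint while respecting the one-hour claims cache described above. It is not SURFconext's own code: the endpoint URL is a placeholder (a real RP takes `userinfo_endpoint` from the OpenID Provider's discovery document), the HTTP transport is injected so the example runs offline, and the claim values returned by the constructed stand-in provider are made up. Beyond the caching point, it also performs the check OIDC Core requires of every RP: the `sub` in the userinfo response must exactly match the `sub` of the ID token, otherwise the claims must not be used.

```python
import json
import time
from typing import Callable, Dict, Optional, Tuple

# Placeholder (assumption): a real RP reads userinfo_endpoint from the
# provider's discovery document instead of hard-coding it.
USERINFO_URL = "https://example.invalid/oidc/userinfo"

# The page states that claims are cached for 1 hour after authentication.
CLAIMS_CACHE_SECONDS = 60 * 60

# Minimal transport abstraction: (url, headers) -> (status, body bytes).
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


class ReauthenticationRequired(Exception):
    """The cached claims for this session are no longer served; the RP must
    send the user through a new authorization request, not retry userinfo."""


def fetch_userinfo(access_token: str, id_token_sub: str, http_get: HttpGet,
                   authenticated_at: float,
                   now: Optional[float] = None) -> Dict[str, object]:
    """Return the claims for this session, or raise ReauthenticationRequired."""
    now = time.time() if now is None else now

    # Local pre-check: if the authentication is older than the cache lifetime
    # there is no point in the round trip; the provider will demand re-auth.
    if now - authenticated_at >= CLAIMS_CACHE_SECONDS:
        raise ReauthenticationRequired("claims cache lifetime exceeded locally")

    status, body = http_get(USERINFO_URL,
                            {"Authorization": "Bearer " + access_token})
    if status == 401:
        # The access token no longer unlocks cached claims.
        raise ReauthenticationRequired("userinfo endpoint rejected the token")
    if status != 200:
        raise RuntimeError("unexpected userinfo status %d" % status)

    claims = json.loads(body.decode("utf-8"))

    # OIDC Core 5.3.2: userinfo 'sub' must equal the ID token 'sub'; a
    # mismatch means the response must be discarded, not merged.
    if claims.get("sub") != id_token_sub:
        raise ValueError("userinfo sub does not match ID token sub")
    return claims


def claims_or_none(access_token: str, id_token_sub: str, http_get: HttpGet,
                   authenticated_at: float,
                   now: Optional[float] = None) -> Optional[Dict[str, object]]:
    """Convenience wrapper: None signals that re-authentication is needed."""
    try:
        return fetch_userinfo(access_token, id_token_sub, http_get,
                              authenticated_at, now)
    except ReauthenticationRequired:
        return None


def fake_surfconext_userinfo(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for the provider used to run this example
    offline. Token, subject and claim values are all made up."""
    if headers.get("Authorization") == "Bearer tok-valid":
        return 200, json.dumps({"sub": "subject-1", "name": "Jane Doe",
                                "email": "jane@example.org"}).encode("utf-8")
    return 401, b'{"error":"invalid_token"}'


if __name__ == "__main__":
    t0 = 1_000.0
    print(claims_or_none("tok-valid", "subject-1", fake_surfconext_userinfo, t0, t0 + 300))
    print(claims_or_none("tok-valid", "subject-1", fake_surfconext_userinfo, t0, t0 + 3600))
```

The local age check is an optimisation, not a security control: the provider's response is authoritative, so the 401 branch must stay even if your clocks disagree. The `sub` comparison is the security control; without it an RP could attach claims from one account to a session of another.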

...