
You can connect to SURFconext using several standards. Each standard comes with its own protocol and, in turn, its own jargon. It will probably not surprise you that this is also the case with OpenID Connect. This page describes how SAML attributes translate to OpenID Connect claims.

OpenID Connect Claims and SAML attributes

Most services require extra information about the authenticated user, such as name, email address or affiliation. In OpenID Connect (OIDC) this extra information comes in the form of claims, whereas in SAML it is carried in attributes. In SURFconext, the user authenticates at their Identity Provider (called OpenID Provider in OIDC); this all happens using SAML. SURFconext translates the incoming SAML attributes to OIDC claims and provides them at the userinfo endpoint for your Service Provider (called Relying Party in OIDC) to consume.

Please note: SURFconext only caches the claims at the userinfo endpoint for a limited time: 1 hour after a successful authentication. If you request claims at the userinfo endpoint after that, the user is required to re-authenticate.

An extensive list of SAML attributes, together with their details and properties, can be found on our support page about attributes. Those SAML attributes are provided by the institutions connected to SURFconext as Identity Providers. You can use any of those attributes in your service (SURFconext translates them to OpenID Connect claims); however, you must comply with our data minimisation policy, meaning you are only allowed to receive the bare minimum of attributes strictly needed to operate your service.

The following table describes the translation from OIDC claims to SAML attributes:

| OIDC claim | SAML attribute | Description of attribute |
|---|---|---|
| sub | | OpenID Subject (not available as SAML attribute) |
| given_name | urn:mace:dir:attribute-def:givenName | Given name |
| family_name | urn:mace:dir:attribute-def:sn | Surname |
| name | urn:mace:dir:attribute-def:cn | Common name (e.g. Prof.dr. John Doe) |
| nickname | urn:mace:dir:attribute-def:displayName | Display name (e.g. Prof.dr. Jane Doe) |
| preferred_username | urn:mace:dir:attribute-def:displayName | Display name (e.g. Prof.dr. Jane Doe) |
| locale | urn:mace:dir:attribute-def:preferredLanguage | Preferred language (e.g. nl, en) |
| email | urn:mace:dir:attribute-def:mail | Email address |
| schac_home_organization | urn:mace:terena.org:attribute-def:schacHomeOrganization | Organization (e.g. university.nl) |
| schac_home_organization_type | urn:mace:terena.org:attribute-def:schacHomeOrganizationType | Organization type (e.g. educationInstitution, universityHospital) |
| edu_person_affiliations | urn:mace:dir:attribute-def:eduPersonAffiliation | Affiliation (student, employee, etc.) |
| edu_person_scoped_affiliations | urn:mace:dir:attribute-def:eduPersonScopedAffiliation | Scoped affiliation (e.g. student@uniharderwijk.nl, faculty@uniharderwijk.nl) |
| edu_person_targeted_id | urn:mace:dir:attribute-def:eduPersonTargetedID | eduPersonTargetedID (this is a copy of the SURFconext-generated NameID) |
| uids | urn:mace:dir:attribute-def:uid | UID |
| schac_personal_unique_codes | urn:schac:attribute-def:schacPersonalUniqueCode | Personal code (e.g. student number) |
| edu_person_principal_name | urn:mace:dir:attribute-def:eduPersonPrincipalName | eduPersonPrincipalName (this is a scoped identifier, e.g. piet@studenthartingcollege.nl) |
| edu_person_entitlements | urn:mace:dir:attribute-def:eduPersonEntitlement | eduPersonEntitlement (e.g. urn:x-surfnet:surf.nl:surfdrive:quota:100) |
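The mapping in the table applied to a SAML attribute statement, as an added Python example (this is not SURFconext's own code). It assumes that claims with plural names are returned as lists, that an attribute the Identity Provider did not release simply omits the claim, and that `sub` is passed in separately because it is not derived from a SAML attribute; the `allowed_claims` filter stands in for the data minimisation policy.

```python
# Added example (not SURFconext code): apply the claim-to-attribute table
# above to a SAML attribute statement. The single/multi-valued split is an
# assumption taken from the plural claim names in the table.

CLAIM_TO_SAML = {
    "given_name": "urn:mace:dir:attribute-def:givenName",
    "family_name": "urn:mace:dir:attribute-def:sn",
    "name": "urn:mace:dir:attribute-def:cn",
    "nickname": "urn:mace:dir:attribute-def:displayName",
    "preferred_username": "urn:mace:dir:attribute-def:displayName",
    "locale": "urn:mace:dir:attribute-def:preferredLanguage",
    "email": "urn:mace:dir:attribute-def:mail",
    "schac_home_organization": "urn:mace:terena.org:attribute-def:schacHomeOrganization",
    "schac_home_organization_type": "urn:mace:terena.org:attribute-def:schacHomeOrganizationType",
    "edu_person_affiliations": "urn:mace:dir:attribute-def:eduPersonAffiliation",
    "edu_person_scoped_affiliations": "urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
    "edu_person_targeted_id": "urn:mace:dir:attribute-def:eduPersonTargetedID",
    "uids": "urn:mace:dir:attribute-def:uid",
    "schac_personal_unique_codes": "urn:schac:attribute-def:schacPersonalUniqueCode",
    "edu_person_principal_name": "urn:mace:dir:attribute-def:eduPersonPrincipalName",
    "edu_person_entitlements": "urn:mace:dir:attribute-def:eduPersonEntitlement",
}

# Claims with plural names in the table are returned as lists (assumption).
MULTI_VALUED = {"edu_person_affiliations", "edu_person_scoped_affiliations",
                "uids", "schac_personal_unique_codes", "edu_person_entitlements"}


def saml_to_userinfo(subject, saml_attributes, allowed_claims=None):
    """Build userinfo claims; 'sub' is the OpenID subject, not a SAML attribute."""
    claims = {"sub": subject}
    for claim, attr in CLAIM_TO_SAML.items():
        # Data minimisation: only release claims the service is allowed to receive.
        if allowed_claims is not None and claim not in allowed_claims:
            continue
        values = saml_attributes.get(attr) or []
        if not values:
            continue  # attribute not released by the IdP: omit the claim
        claims[claim] = list(values) if claim in MULTI_VALUED else values[0]
    return claims


# Constructed sample SAML attribute statement (attribute name -> list of values).
SAMPLE_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:givenName": ["Jane"],
    "urn:mace:dir:attribute-def:displayName": ["Prof.dr. Jane Doe"],
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": ["university.nl"],
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["student", "member"],
    "urn:mace:dir:attribute-def:eduPersonEntitlement": [],
}
```

Note that `displayName` feeds both `nickname` and `preferred_username`, so both claims carry the same value.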