NIEF Attributes within OIDC

From GFIPM Implementation Wiki


This page discusses the use of NIEF Attributes within OIDC as user claims. There are many viable approaches, and at the time this wiki article was written there was no formally specified methodology for doing so.

OIDC Claims vs. SAML Attributes

One important difference between OIDC Claims and SAML Attributes is that SAML defines a framework for transmitting attributes but essentially defines no attributes of its own; it leaves attribute definition to other specifications and communities. The NIEF attributes therefore had to provide every attribute the NIEF community required. OIDC, by contrast, defines numerous standard claims that are redundant with existing NIEF attribute definitions (names, addresses, etc.). To maximize interoperability, it makes sense to map a NIEF attribute to the standardized OIDC claim wherever one has been specified, so that a relying party that understands only the standard claim set still receives the value under the name it expects.

Standard OIDC Claims

Google Sheets OIDC Claims Map

SAML Attribute Names

In general, every OIDC claim name should be enumerated in the NIEF Attribute Registry for any attribute intended to be used in OIDC transactions. An OIDC claim name is unconstrained beyond being a JSON string. There may be value in aligning with the OIDC standard claims' naming scheme of very short, all-lowercase names (which may enhance interoperability), or it may make sense to use URLs for specific attributes within the NIEF attribute registry (which may enhance clarity and semantics; OIDC Core itself recommends collision-resistant names such as URLs for claims beyond the standard set, so a short local name risks colliding with a claim some other party defines). That said, the current test environment uses the following mapping:

NIEF Attribute URL    OIDC Claim          OIDC Claim Source
                      email               OIDC Specification
                      fedid               Created for demo
                      given_name          OIDC Specification
                      family_name         OIDC Specification
                      telephone_number    OIDC Specification
                      cfr                 Created for demo
                      ori                 Created for demo
                      aal                 Created for demo
                      ial                 Created for demo
                      pso                 Created for demo
                      leo                 Created for demo

One caveat on the row marked telephone_number: the standard claim that OIDC Core 1.0 actually defines for a telephone number is phone_number. A relying party that relies on the standard claim set will not recognize telephone_number, so that row is in practice a local (demo) name rather than a specification claim, and a mapping intended for production should use phone_number to get the interoperability benefit described above.
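The following is an added example, not code from the GFIPM wiki or the NIEF test environment, showing what an OpenID Provider does with the mapping above and with the naming advice in the previous section: it translates a SAML-style attribute statement (multi-valued attributes keyed by NIEF attribute URL) into an OIDC claims object, drops attributes that are not in the registry, and checks the registry itself for the two mistakes that hurt interoperability, a claim labelled as coming from the OIDC specification that OIDC Core does not define, and a locally invented claim that reuses a standard claim name. The attribute URLs in REGISTRY are hypothetical placeholders (the page does not list the real NIEF Attribute Registry URLs), the sample attribute values are constructed, and OIDC_STANDARD_CLAIMS is the claim list from OpenID Connect Core 1.0 section 5.1.

```python
"""Mapping NIEF attribute values onto OIDC claims, with a registry sanity check."""
import json
from dataclasses import dataclass
from typing import Dict, List, Mapping, Sequence, Tuple, Union

# Claim names defined in OpenID Connect Core 1.0, section 5.1 (Standard Claims).
OIDC_STANDARD_CLAIMS = frozenset({
    "sub", "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email",
    "email_verified", "gender", "birthdate", "zoneinfo", "locale",
    "phone_number", "phone_number_verified", "address", "updated_at",
})
OIDC_SPEC = "OIDC Specification"
DEMO = "Created for demo"


@dataclass(frozen=True)
class RegistryEntry:
    attribute_url: str  # NIEF attribute identifier (placeholder values below)
    claim: str          # OIDC claim name emitted in the ID Token / UserInfo
    source: str         # where the claim name came from (OIDC_SPEC or DEMO)


# Mirrors the test-environment mapping table. The attribute URLs are hypothetical
# placeholders; the real identifiers are whatever the NIEF Attribute Registry lists.
REGISTRY: Tuple[RegistryEntry, ...] = (
    RegistryEntry("urn:example:nief:EmailAddress", "email", OIDC_SPEC),
    RegistryEntry("urn:example:nief:FederationId", "fedid", DEMO),
    RegistryEntry("urn:example:nief:GivenName", "given_name", OIDC_SPEC),
    RegistryEntry("urn:example:nief:SurName", "family_name", OIDC_SPEC),
    RegistryEntry("urn:example:nief:TelephoneNumber", "telephone_number", OIDC_SPEC),
    RegistryEntry("urn:example:nief:Cfr", "cfr", DEMO),
    RegistryEntry("urn:example:nief:Ori", "ori", DEMO),
    RegistryEntry("urn:example:nief:Aal", "aal", DEMO),
    RegistryEntry("urn:example:nief:Ial", "ial", DEMO),
    RegistryEntry("urn:example:nief:Pso", "pso", DEMO),
    RegistryEntry("urn:example:nief:Leo", "leo", DEMO),
)

ClaimValue = Union[str, List[str]]


def check_registry(registry: Sequence[RegistryEntry]) -> List[str]:
    """Return interoperability warnings for a claim mapping: a claim attributed to
    the OIDC specification must really be a standard claim name, a local claim
    must not reuse a standard name (an RP would read it with the standard
    meaning), and no claim name may be mapped twice (a JSON object cannot carry it)."""
    warnings: List[str] = []
    seen = set()
    for entry in registry:
        if entry.claim in seen:
            warnings.append(f"{entry.claim}: mapped more than once")
        seen.add(entry.claim)
        is_standard = entry.claim in OIDC_STANDARD_CLAIMS
        if entry.source == OIDC_SPEC and not is_standard:
            warnings.append(f"{entry.claim}: not defined by OIDC Core although marked {OIDC_SPEC}")
        elif entry.source != OIDC_SPEC and is_standard:
            warnings.append(f"{entry.claim}: local claim collides with a standard OIDC claim name")
    return warnings


def to_claims(attributes: Mapping[str, Sequence[str]],
              registry: Sequence[RegistryEntry] = REGISTRY,
              ) -> Tuple[Dict[str, ClaimValue], List[str]]:
    """Translate SAML-style attribute statements into an OIDC claims object.

    `attributes` maps a NIEF attribute URL to its values (SAML attributes are
    multi-valued). One value becomes a JSON string, several become a JSON array,
    and an empty attribute is omitted rather than emitted as null. URLs absent
    from the registry are never emitted; they are returned separately so the OP
    can log or reject them instead of passing unregistered data to the RP."""
    by_url = {e.attribute_url: e.claim for e in registry}
    claims: Dict[str, ClaimValue] = {}
    unmapped: List[str] = []
    for url, values in attributes.items():
        claim = by_url.get(url)
        if claim is None:
            unmapped.append(url)
        elif values:
            claims[claim] = values[0] if len(values) == 1 else list(values)
    return claims, unmapped


if __name__ == "__main__":
    # Constructed sample attribute statement, not real user data.
    sample = {
        "urn:example:nief:EmailAddress": ["jdoe@example.gov"],
        "urn:example:nief:GivenName": ["Jane"],
        "urn:example:nief:SurName": ["Doe"],
        "urn:example:nief:Ori": ["XX0000001", "XX0000002"],
        "urn:example:nief:Leo": ["true"],
        "urn:example:nief:NotRegistered": ["should not appear"],
    }
    claims, unmapped = to_claims(sample)
    print(json.dumps(claims, indent=2))
    print("unmapped attributes:", unmapped)
    for warning in check_registry(REGISTRY):
        print("registry warning:", warning)
```

Run as written, check_registry flags exactly one entry of the demo mapping, telephone_number, because the OIDC Core name is phone_number; everything marked "Created for demo" passes because none of those short names happens to coincide with a standard claim. The to_claims result is the object an OP would place in the ID Token or UserInfo response after adding its own sub, iss, aud and timing claims, which are deliberately left out here because they come from the OP, not from the attribute mapping.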