Legend
This document makes use of various formatting options to express how the description should be interpreted.
Formatting | Description |
---|---|
'code' | Literal values to be used |
RP_client_id | Parameter substitution required |
Implementation suggestion | |
Implementation requirement | |
Provider info endpoint
Roland please provide some input..
Parameter Name | Value | State |
---|---|---|
issuer | The global service URL (https://tbd.inacademia.org/foo); for dev/testing the FQDN of the server is used instead | Required |
authorization_endpoint | URL of the global service Authorization Endpoint (https://tbd.inacademia.org/foo/authorize); for dev/testing the FQDN of the server is used instead of the global service FQDN | Required |
jwks_uri | A URL pointing to the server's keys | Required |
scopes_supported | A list of supported scopes | Required |
response_types_supported | 'id_token' | Required |
subject_types_supported | 'public' and 'pairwise' | Optional |
id_token_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT | Required |
service_documentation | URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider | Optional |
Keys are rolled over every 10 minutes; at most 3 keys are accepted.
Client database
The RP client database is filled in the Admin section, and will be provided via an MDX service. The MDX RP client database will contain:
- Redirect URI(s)
- Contact information
- Service information (Logo, Display name, Description)
- A client key and secret
Parameter name | Value | State |
---|---|---|
redirect_uris | Array of Redirection URI values used by the Client | Required |
response_types | 'id_token' | Recommended |
contacts | Array of e-mail addresses of people responsible for this Client | Required |
client_name | Name of the Client to be presented to the End-User | Recommended |
sector_identifier_uri | The URL references a file with a single JSON array of redirect_uri values | Optional |
logo_uri | | |
client_uri | | |
policy_uri | | |
tos_uri | | |
RP Request parameters
Parameter Name | Value | State |
---|---|---|
response_type | 'id_token' | Required |
client_id | RP client_id | Required |
scope | Multiple values allowed, based on policy. See scope mapping table below | Required |
redirect_uri | URL to send response to. MUST match preconfigured URI for this RP client ID | Required |
state | Opaque string that maintains state between RP and OP. MUST be included in the relay state sent to the SAML SP and returned to the RP | Recommended |
nonce | String value that associates the Client session with the ID Token and prevents replay attacks. MUST be included in the relay state sent to the SAML SP and returned to the RP | Recommended |
max_age | The maximum age of the authentication. We can ignore this because we always force IdP AuthN (ForceAuthn on the SAML side) for each authentication. We always include the auth_time claim in the response, so an RP can check the max_age it requested. | Optional |
all other | Will be ignored | Ignored |
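As an added example (not InAcademia code), the following Python validates an incoming RP request against a constructed client record the way the table requires: exact redirect_uri match, response_type 'id_token', scopes restricted by policy, and state/nonce preserved across the SAML leg. The client record, the PENDING store and the opaque RelayState handle are assumptions.

```python
import secrets

# Constructed client record (an assumption, not real InAcademia data); keys follow the client database table.
CLIENT_DB = {
    "rp-example-client": {
        "redirect_uris": ["https://rp.example.org/oidc/callback"],
        "allowed_scopes": {"affiliated", "student", "persistent", "country"},
    },
}
# Every scope the OP understands (scope table below); per-client policy narrows this.
SUPPORTED_SCOPES = {"persistent", "transient", "affiliated", "student",
                    "faculty+staff", "alum", "country", "domain"}
PENDING = {}  # RelayState handle -> validated request (in-memory for the example)


class AuthzRequestError(ValueError):
    pass  # reject outright; never redirect an error to an unverified redirect_uri


def validate_authz_request(params: dict, client_db: dict = CLIENT_DB) -> dict:
    """Validate an RP authorization request against the preconfigured client record."""
    client = client_db.get(params.get("client_id", ""))
    if client is None:
        raise AuthzRequestError("unknown client_id")
    # Exact string match against the registered URIs: no prefix, wildcard or host-only match.
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        raise AuthzRequestError("redirect_uri does not match the preconfigured URI")
    if params.get("response_type") != "id_token":
        raise AuthzRequestError("only response_type=id_token is supported")
    requested = set(params.get("scope", "").split())
    if not requested:
        raise AuthzRequestError("scope is required")
    if requested - SUPPORTED_SCOPES:
        raise AuthzRequestError("unsupported scope(s): %s" % sorted(requested - SUPPORTED_SCOPES))
    if requested - client["allowed_scopes"]:
        raise AuthzRequestError("scope not allowed for this client by policy")
    # max_age and every other parameter are ignored, as the table says.
    return {"client_id": params["client_id"], "redirect_uri": redirect_uri,
            "scopes": sorted(requested), "state": params.get("state"),
            "nonce": params.get("nonce")}


def new_relay_state(validated: dict) -> str:
    """state and nonce must survive the SAML leg; keeping them server-side behind an
    unguessable handle (assumption) means nothing coming back from the SAML side can substitute its own."""
    handle = secrets.token_urlsafe(32)
    PENDING[handle] = validated
    return handle


def complete_relay_state(handle: str) -> dict:
    return PENDING.pop(handle)  # KeyError: unknown or already-used RelayState
```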
OP Response parameters
Parameter Name | Value | State |
---|---|---|
token_type | 'Bearer' | Required |
id_token | See id_token definition below | Required |
state | Opaque string that maintains state between RP and OP; it was included in the relay state sent to the SAML IdP | Required, if requested |
all other | Will be ignored | Ignored |
KID: The Key ID will be constructed on a per-node basis by hashing over (IP + timestamp)
id_token
The transaction response will contain an ID Token with the following contents:
Parameter Name | Value | Implement? |
---|---|---|
sub | Based on the requested scope; see the scope mapping table. MUST NOT exceed 256 characters | Required |
exp | 30 min after NOW() | Required |
iss | The global service URL (https://tbd.inacademia.org/foo); for dev/testing the FQDN of the server is used instead | Required |
aud | RP client_id | Required |
iat | Timestamp of issuance: a JSON number representing seconds since Jan 1, 1970 | Required |
auth_time | Timestamp indicating when the SAML authN response was received at the SvS SP: a JSON number representing seconds since Jan 1, 1970 | Required |
nonce | String value to associate Client session with ID Token. Prevents replay attacks | Required, if requested |
id_token Claims
(All claims are optional, which to deliver depends on requested scope parameters and the allowed scope for the RP)
Name | Value |
---|---|
country | The country code of the institution that handled the AuthN. Format: ISO 3166-1 alpha-3 |
domain | The person's home organization, given as the organization's domain name. Format: domain name according to RFC 1035 |
OIDC scope definitions & SAML SP profiles
Scope | Description | Subject ID value | Available for SAML SP profile | SAML attribute values |
---|---|---|---|---|
Identifier Claims | Claims that present a transaction identifier, either transient or persistent. Used to fill the 'sub' claim of the id_token | | | |
persistent | A persistent identifier, unique for this person, on a per RP, per IdP basis | pairwise persistent | SP_ID, SP_NOID | The pairwise persistent Subject ID is created using a hash over RP client_id + {SAML NameID or eduPersonTargetedID or ePPN} + IdP entityID |
transient | A transient identifier, unique for each transaction | Could/Should this be the KID? | SP_NOID | |
Affiliation Claims | These claims establish the person's affiliation with the home institution. These scope request parameters are mutually exclusive | | | |
affiliated | Is this person affiliated with the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: faculty, staff, student or member |
student | Is this person a student at the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: student |
faculty+staff | Institutional workers whose primary role is teaching or research (faculty), and workers other than teachers or researchers (staff) | | SP_ID, SP_NOID | eduPersonAffiliation: staff or faculty |
alum | Is this person an alumnus of the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: alum |
Other Claims | Additional claims an RP may request | | | |
country | What is the country of the user's home institution? | | SP_ID, SP_NOID | Derived from country information for the federation hosting the IdP, formatted as ISO 3166-1 alpha-3. This should probably be part of the MDX info! |
domain | What is the domain name of the user's institution? | | SP_ID, SP_NOID | schacHomeOrganization |
Examples:
scope=affiliated
scope=affiliated persistent
scope=affiliated persistent country
scope=student persistent country
scope=student persistent country domain
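The following Python, added here and not part of the original document, builds the id_token claims for a scope string like the examples above from the data of the SAML assertion: the pairwise persistent sub (hash over RP client_id + SAML identifier + IdP entityID; SHA-256 is an assumption), the 30-minute exp, auth_time, nonce when requested, and the country/domain claims. The `saml` field names and the choice to refuse the token when an affiliation scope is not satisfied are assumptions.

```python
import hashlib
import secrets
import time

ISSUER = "https://tbd.inacademia.org/foo"  # iss value from the provider info table
ID_TOKEN_LIFETIME = 30 * 60                 # exp is 30 min after NOW()
# Scope -> eduPersonAffiliation values that satisfy it (scope table above).
AFFILIATION_SCOPES = {
    "affiliated": {"faculty", "staff", "student", "member"},
    "student": {"student"},
    "faculty+staff": {"staff", "faculty"},
    "alum": {"alum"},
}


def pairwise_sub(client_id: str, saml_id: str, idp_entity_id: str) -> str:
    """Pairwise persistent Subject ID: hash over RP client_id + SAML identifier + IdP entityID.
    SHA-256 and the '|' separator are assumptions; the page names only the inputs."""
    sub = hashlib.sha256("|".join((client_id, saml_id, idp_entity_id)).encode()).hexdigest()
    if len(sub) > 256:  # sub MUST NOT exceed 256 characters
        raise ValueError("sub too long")
    return sub


def build_id_token(scopes, saml: dict, client_id: str, nonce=None, now=None) -> dict:
    """Build id_token claims for the requested scopes.  `saml` (constructed field names)
    holds name_id, idp_entity_id, affiliation (eduPersonAffiliation values), home_org
    (schacHomeOrganization), country (ISO 3166-1 alpha-3) and auth_time."""
    scopes = set(scopes)
    affiliation = scopes & set(AFFILIATION_SCOPES)
    if len(affiliation) > 1:
        raise ValueError("affiliation scopes are mutually exclusive")
    for scope in affiliation:
        # How a failed affiliation check is signalled is not specified on the page;
        # refusing to issue the token is an assumption.
        if not set(saml["affiliation"]) & AFFILIATION_SCOPES[scope]:
            raise PermissionError(f"user does not satisfy scope {scope!r}")
    if "persistent" in scopes:
        sub = pairwise_sub(client_id, saml["name_id"], saml["idp_entity_id"])
    else:
        sub = secrets.token_urlsafe(32)  # transient: a new value for every transaction
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now,
              "exp": now + ID_TOKEN_LIFETIME, "auth_time": saml["auth_time"]}
    if nonce is not None:  # only when the RP sent one
        claims["nonce"] = nonce
    if "country" in scopes:
        claims["country"] = saml["country"]
    if "domain" in scopes:
        claims["domain"] = saml["home_org"]
    return claims
```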
Sources:
http://www.terena.org/activities/refeds/docs/ePSAcomparison_0_13.pdf