Legend
This document makes use of various formatting options to express how the description should be interpreted.
| Formatting | Description |
|---|---|
| 'code' | Literal values to be used |
| RP_client_id | Parameter substitution required |
| Implementation suggestion | |
| Implementation requirement | |
Provider info endpoint
Roland, please provide some input.
| Parameter Name | Value | State | 
|---|---|---|
| issuer | The global service URL (https://tbd.inacademia.org/foo). For dev/testing the FQDN of the server is used instead | Required | 
| authorization_endpoint | URL of the global service Authorization Endpoint (https://tbd.inacademia.org/foo/authorize). For dev/testing the FQDN of the server is used instead of the global service FQDN | Required | 
| jwks_uri | A URL pointing to the server's keys | Required | 
| scopes_supported | A list of supported scopes | Required | 
| response_types_supported | 'id_token' | Required | 
| subject_types_supported | 'public' and 'pairwise' | Optional | 
| id_token_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT | Required | 
| service_documentation | URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider | Optional | 
Keys will be rolled over every 10 minutes; at most 3 keys are accepted at any time.
Client database
The RP client database is filled in the Admin section, and will be provided via an MDX service. The MDX RP client database will contain:
- Redirect URI(s)
- Contact information
- Service information (Logo, Display name, Description)
- A client key and secret
| Parameter name | Value | State | 
|---|---|---|
| redirect_uris | Array of Redirection URI values used by the Client | Required | 
| response_types | 'id_token' | Recommended | 
| contacts | Array of e-mail addresses of people responsible for this Client | Required | 
| client_name | Name of the Client to be presented to the End-User | Recommended | 
| sector_identifier_uri | The URL references a file with a single JSON array of redirect_uri values | Optional | 
| logo_uri | | |
| client_uri | | |
| policy_uri | | |
| tos_uri | | |
RP Request parameters
| Parameter Name | Value | State | 
|---|---|---|
| response_type | 'id_token' | Required | 
| client_id | RP client_id | Required | 
| scope | Multiple values allowed, based on policy. See scope mapping table below | Required | 
| redirect_uri | URL to send the response to | Required | 
| state | Opaque string which maintains state between RP and OP | Recommended | 
| nonce | String value to associate the Client session with the ID Token. Prevents replay attacks | Recommended | 
| max_age | The maximum age of the authentication | Optional | 
| all other | Will be ignored | Ignored | 
OP Response parameters
| Parameter Name | Value | State | 
|---|---|---|
| token_type | 'Bearer' | Required | 
| id_token | See id_token definition below | Required | 
| state | opaque string which maintains state between RP and OP | Required, if requested | 
| all other | Will be ignored | Ignored | 
KID: The Key ID will be constructed on a per node basis by hashing over (IP + timestamp)
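The key rollover rule above (new key every 10 minutes, at most 3 keys kept), the per-node KID construction, and the checks an RP has to run on the id_token from the response table, as an added Python example. This is not code from this document or from the InAcademia service. Assumptions not stated on the page: the keys are HS256 HMAC secrets so the example runs with the standard library alone (an OP that publishes a jwks_uri would use asymmetric keys and an alg such as RS256), the KID is the first 16 hex characters of a SHA-256 over IP and timestamp, and the names `KeyRing`, `make_kid` and `check_id_token` are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
from collections import OrderedDict

ROLLOVER_SECONDS = 10 * 60   # keys roll over every 10 minutes (from the page)
MAX_KEYS = 3                 # at most 3 keys are kept/accepted (from the page)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_kid(node_ip, timestamp):
    """Per-node Key ID: hash over (IP + timestamp). Truncation to 16 hex chars is an assumption."""
    return hashlib.sha256(("%s%d" % (node_ip, timestamp)).encode()).hexdigest()[:16]


class KeyRing:
    """Signing keys of one OP node with rollover.

    The newest key signs; older keys stay available for verification until more
    than MAX_KEYS exist, then the oldest is dropped. Keys are HMAC secrets (HS256)
    only so the example is self-contained (assumption; a real OP would publish
    asymmetric keys at jwks_uri).
    """

    def __init__(self, node_ip, now):
        self.node_ip = node_ip
        self.keys = OrderedDict()          # kid -> key bytes, oldest first
        self.rotated_at = None
        self.rotate(now)

    def rotate(self, now):
        kid = make_kid(self.node_ip, now)
        self.keys[kid] = secrets.token_bytes(32)
        while len(self.keys) > MAX_KEYS:
            self.keys.popitem(last=False)  # drop the oldest key
        self.current, self.rotated_at = kid, now
        return kid

    def rotate_if_due(self, now):
        if now - self.rotated_at >= ROLLOVER_SECONDS:
            self.rotate(now)

    def sign(self, claims):
        """Compact JWS over the claims, carrying the current kid in the header."""
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current}
        signing_input = "%s.%s" % (b64url(json.dumps(header, separators=(",", ":")).encode()),
                                   b64url(json.dumps(claims, separators=(",", ":")).encode()))
        sig = hmac.new(self.keys[self.current], signing_input.encode(), hashlib.sha256).digest()
        return "%s.%s" % (signing_input, b64url(sig))

    def published_keys(self):
        """Stand-in for the document an RP fetches from jwks_uri."""
        return dict(self.keys)


def check_id_token(token, published_keys, expected_iss, client_id, expected_nonce, now):
    """RP-side validation of the id_token; returns (True, claims) or (False, reason)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":              # never accept 'none' or an unexpected alg
        return False, "unexpected alg"
    key = published_keys.get(header.get("kid"))
    if key is None:                                # key rolled out of the 3-key window, or forged kid
        return False, "unknown kid (refetch jwks_uri; the key may have rolled over)"
    expected = hmac.new(key, ("%s.%s" % (header_b64, payload_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    if claims.get("aud") != client_id:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, claims
```

The order of checks matters: the signature is verified before any claim is read, and the `alg` header is compared against a fixed expectation rather than trusted from the token. An RP that caches the JWKS document should treat an unknown `kid` as a signal to refetch once, not as a reason to skip verification.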
id_token
The transaction response will contain an ID Token with the following contents:
| Parameter Name | Value | Implement? | 
|---|---|---|
| sub | Based on the requested scope; see the mapping table below | Required | 
| exp | 30 min after NOW() | Required | 
| iss | The global service URL (https://tbd.inacademia.org/foo). For dev/testing the FQDN of the server is used instead | Required | 
| aud | RP client_id | Required | 
| iat | timestamp | Required | 
| auth_time | timestamp indicating when the SAML authN response was received at the SvS SP | Required | 
| nonce | String value to associate the Client session with the ID Token. Prevents replay attacks | Required, if requested | 
id_token Claims
(All claims are optional; which ones are delivered depends on the requested scope parameters and the scope allowed for the RP)
| Name | Value | 
|---|---|
| country | The country code of the institution that handled the AuthN. Format: ISO 3166-1 alpha-3 | 
| domain | Specifies a person's home organization using the domain name of the organization. Format: domain name according to RFC 1035 | 
OIDC scope definitions & SAML SP profiles
| Scope | Description | Subject ID value | Available for SAML SP profile | Mapping / notes |
|---|---|---|---|---|
| Identifier Claims | Claims that present a transaction identifier, either transient or persistent. Used to fill the 'sub' part of the id_token | | | |
| persistent | A persistent identifier, unique for this person, on a per-RP, per-IdP basis | pairwise persistent | SP_ID, SP_NOID | The pairwise persistent Subject ID is created using a hash over RP client_id + {SAML NameID or eduPersonTargetedID or ePPN} + IdP entityID |
| transient | A transient identifier, unique for each transaction | | SP_NOID | Could/should this be the KID? |
| Affiliation Claims | These claims establish the person's affiliation with the home institution. These scope request parameters are mutually exclusive | | | |
| affiliated | Is this person affiliated with the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: faculty, staff, student or member |
| student | Is this person a student at the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: student |
| faculty+staff | Institutional workers whose primary role is teaching or research (faculty) and workers other than teachers or researchers (staff) | | SP_ID, SP_NOID | eduPersonAffiliation: staff or faculty |
| alum | Is this person an alumnus of the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: alum |
| Other Claims | Additional claims an RP may request | | | |
| country | What is the country of the user's home institution? | | SP_ID, SP_NOID | Derived from country information for the federation hosting the IdP, formatted as ISO 3166-1 alpha-3 |
| domain | What is the domain name of the institution of the user? | | SP_ID, SP_NOID | schacHomeOrganization |
Examples:
- scope=affiliated
- scope=affiliated persistent
- scope=affiliated persistent country
- scope=student persistent country
- scope=student persistent country domain
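How the OP side of the scope table and the id_token table fit together, as an added Python example that is not part of this document or of the InAcademia implementation: it parses the space-separated scope value against the RP's allowed scopes, enforces that affiliation scopes are mutually exclusive, derives the pairwise persistent sub from RP client_id + SAML identifier + IdP entityID, and assembles the id_token claims (iss, aud, iat, exp 30 minutes later, auth_time, nonce, country, domain) plus the response parameters. Assumptions not stated on the page: the pairwise hash is keyed with an OP-side secret (the page says "hash"; keying it prevents anyone who knows an ePPN and a client_id from recomputing the sub), the SAML identifier precedence is NameID, then eduPersonTargetedID, then ePPN, an unsatisfied affiliation scope is reported as an OIDC `access_denied` error, and `authorize`, `parse_scope` and `pairwise_sub` are this example's own names. The sample SAML attributes in the test are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Scope definitions from the scope table. Affiliation scopes are mutually
# exclusive; each maps to the eduPersonAffiliation values that satisfy it.
AFFILIATION_SCOPES = {
    "affiliated": {"faculty", "staff", "student", "member"},
    "student": {"student"},
    "faculty+staff": {"faculty", "staff"},
    "alum": {"alum"},
}
KNOWN_SCOPES = set(AFFILIATION_SCOPES) | {"persistent", "transient", "country", "domain"}

ISSUER = "https://tbd.inacademia.org/foo"  # global service URL from the provider info table
ID_TOKEN_LIFETIME = 30 * 60                 # exp is 30 minutes after issuance

# Assumption: an OP-side secret keys the pairwise hash. The page specifies a hash
# over the three values; keying it is an added hardening choice, not page text.
PAIRWISE_SECRET = b"constructed-op-secret-for-this-example"


def parse_scope(scope, allowed_scopes):
    """Split the space-separated scope value and apply the RP's scope policy."""
    requested = set(scope.split()) & KNOWN_SCOPES   # unknown values are ignored
    not_allowed = requested - set(allowed_scopes)
    if not_allowed:
        raise ValueError("scope not allowed for this RP: %s" % ",".join(sorted(not_allowed)))
    if len(requested & set(AFFILIATION_SCOPES)) > 1:
        raise ValueError("affiliation scopes are mutually exclusive")
    return requested


def pairwise_sub(client_id, saml_attrs, idp_entity_id):
    """Pairwise persistent sub: keyed hash over RP client_id + SAML identifier + IdP entityID.

    The identifier precedence (NameID, eduPersonTargetedID, ePPN) is an assumption.
    """
    candidates = ("NameID", "eduPersonTargetedID", "eduPersonPrincipalName")
    saml_id = next((saml_attrs[a] for a in candidates if saml_attrs.get(a)), None)
    if saml_id is None:
        raise ValueError("no SAML identifier available for a persistent sub")
    # Length-prefix each field so "ab"+"c" and "a"+"bc" cannot collide.
    material = b"".join(len(v).to_bytes(2, "big") + v.encode()
                        for v in (client_id, saml_id, idp_entity_id))
    return hmac.new(PAIRWISE_SECRET, material, hashlib.sha256).hexdigest()


def authorize(request, saml_attrs, idp_entity_id, idp_country, auth_time, now=None):
    """Turn one RP request plus the SAML assertion data into the OP response.

    request: dict with client_id, scope, allowed_scopes (RP policy) and optionally
    nonce and state. Returns the parameters from the OP response table (id_token
    as an unsigned claims dict; signing is a separate step) or an OIDC-style error.
    Reporting an unsatisfied affiliation as 'access_denied' is an assumption.
    """
    now = int(time.time()) if now is None else now
    try:
        scopes = parse_scope(request["scope"], request["allowed_scopes"])
    except ValueError as exc:
        return {"error": "invalid_scope", "error_description": str(exc), "state": request.get("state")}

    affiliation = scopes & set(AFFILIATION_SCOPES)
    if affiliation:
        wanted = AFFILIATION_SCOPES[affiliation.pop()]
        if not wanted & set(saml_attrs.get("eduPersonAffiliation", [])):
            return {"error": "access_denied", "error_description": "affiliation not satisfied",
                    "state": request.get("state")}

    claims = {
        "iss": ISSUER,
        "aud": request["client_id"],
        "iat": now,
        "exp": now + ID_TOKEN_LIFETIME,
        "auth_time": auth_time,
    }
    if "nonce" in request:
        claims["nonce"] = request["nonce"]
    if "persistent" in scopes:
        claims["sub"] = pairwise_sub(request["client_id"], saml_attrs, idp_entity_id)
    else:
        claims["sub"] = secrets.token_urlsafe(32)   # transient: unique per transaction
    if "country" in scopes:
        claims["country"] = idp_country             # ISO 3166-1 alpha-3, from federation metadata
    if "domain" in scopes and saml_attrs.get("schacHomeOrganization"):
        claims["domain"] = saml_attrs["schacHomeOrganization"]

    response = {"token_type": "Bearer", "id_token": claims}
    if "state" in request:
        response["state"] = request["state"]
    return response
```

Two design points worth noting: the pairwise sub is only as unlinkable as the secret that keys it, so that secret needs the same handling as the signing keys, and the affiliation check is evaluated against the attribute values the IdP actually asserted, so an RP asking for `student` learns nothing about a user who is merely `member`.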
Sources:
http://www.terena.org/activities/refeds/docs/ePSAcomparison_0_13.pdf
