
This page is a summary of the findings produced by the AARC project on the translation of authentication and authorization attributes from federated authentication credentials to X.509 credentials. The examples on this page show translation between SAML2 attributes and X.509, but the same principles apply to OpenID Connect as a source of attributes.

The goal of this short document is to suggest a common way to encode authentication and authorization information in X.509 credentials, in order to increase the reusability and interoperability of X.509 credentials generated by token translation services.


Authentication and authorization information separation

Where:

"Authentication information" means the information that defines the identity of the user, for example name, unique identifier or organization.

"Authorization information" means the information that is used to decide whether a user is entitled to access a service: group membership (virtual organization membership), sub-group membership or roles.

Although this may not be the interpretation
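The separation described above, worked through in code as an added example (this is not AARC's or any token translation service's code): a small Python module that partitions a set of SAML2 attributes into the two categories, renders the authentication part as an RFC 4514 subject DN string, and keeps the authorization part (group memberships and entitlements) as separate data so it can be carried outside the subject name. The attribute names are standard eduPerson/SCHAC names; the choice of which of them map to which DN attribute type, and the sample attribute values, are assumptions made for this example. Values coming from the identity provider are escaped before being placed in the DN so that a display name such as "Doe, Jane" cannot add an extra RDN.

```python
"""Split federated attributes into authentication and authorization
information before encoding them into an X.509 credential.

Added example; the attribute-to-DN mapping below is an assumption for
illustration, not the AARC recommendation.
"""

# Authentication information: attributes that identify the user.
# The DN attribute types they map to are an assumption of this example.
AUTHN_ATTRIBUTES = {
    "eduPersonPrincipalName": "UID",   # unique identifier
    "displayName": "CN",               # name
    "schacHomeOrganization": "O",      # organization
}

# Authorization information: attributes that carry group, sub-group or
# role membership. These stay out of the subject DN.
AUTHZ_ATTRIBUTES = {"isMemberOf", "eduPersonEntitlement"}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for the RFC 4514 string form of a DN.

    Special characters (, + " \\ < > ;), a leading '#' or space and a
    trailing space are backslash-escaped; NUL is written as \\00.
    """
    special = ',+"\\<>;'
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in special:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in " #":
            out.append("\\" + ch)
        elif i == last and ch == " ":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def split_attributes(attributes: dict) -> tuple:
    """Partition SAML attributes into (authn, authz, unknown).

    authn maps DN attribute types to a single value; authz maps the
    original attribute name to its sorted list of values; unknown lists
    attribute names that belong to neither category and are dropped.
    """
    authn, authz, unknown = {}, {}, []
    for name, values in attributes.items():
        if name in AUTHN_ATTRIBUTES:
            if len(values) != 1:
                raise ValueError(f"{name} must be single-valued to go in a subject DN")
            authn[AUTHN_ATTRIBUTES[name]] = values[0]
        elif name in AUTHZ_ATTRIBUTES:
            authz[name] = sorted(values)
        else:
            unknown.append(name)
    return authn, authz, unknown


def build_subject_dn(authn: dict) -> str:
    """Render authentication information as an RFC 4514 DN string.

    A fixed RDN order (leaf first) keeps the DN stable for the same user
    across translations; the unique identifier is mandatory.
    """
    if "UID" not in authn:
        raise ValueError("a unique identifier (UID) is required in the subject DN")
    order = ["UID", "CN", "O"]
    return ",".join(f"{t}={escape_rdn_value(authn[t])}" for t in order if t in authn)


def translate(attributes: dict) -> dict:
    """Produce the pieces a token translation service would encode."""
    authn, authz, unknown = split_attributes(attributes)
    return {"subject_dn": build_subject_dn(authn), "authorization": authz, "dropped": unknown}


# Constructed sample of attributes as released by a SAML2 identity provider.
SAMPLE_SAML_ATTRIBUTES = {
    "eduPersonPrincipalName": ["jdoe@example.org"],
    "displayName": ["Doe, Jane"],
    "schacHomeOrganization": ["example.org"],
    "isMemberOf": [
        "urn:mace:example.org:group:project-x:admins",
        "urn:mace:example.org:group:project-x",
    ],
    "eduPersonEntitlement": ["urn:mace:example.org:entitlement:storage"],
    "mail": ["jdoe@example.org"],  # neither category in this example: dropped
}

if __name__ == "__main__":
    result = translate(SAMPLE_SAML_ATTRIBUTES)
    print("subject DN:   ", result["subject_dn"])
    print("authorization:", result["authorization"])
    print("dropped:      ", result["dropped"])
```

The authorization dictionary is what a translation service would place in a separate, purpose-built part of the credential rather than in the subject name; the exact encoding is what the AARC deliverables listed below address, and this example deliberately stops short of choosing one.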

References

• MJRA1.3: Design for the integration of an Attribute Management Tool
• DJRA1.4A: Recommendation expression group membership
• DJRA1.4C: Guidelines on token translation services
• OGF: Interoperable certificate profile