Legend

This document uses the following formatting conventions to express how the description should be interpreted.

Formatting | Description
'code' | Literal value to be used
RP_client_id | Parameter substitution required
(lightbulb) | Implementation suggestion
(warning) | Implementation requirement


Provider info endpoint

Roland, please provide some input.

Parameter name | Value | State
issuer | The global service URL (https://tbd.inacademia.org/foo). For dev/testing: the FQDN of the server | Required
authorization_endpoint | URL of the global service Authorization Endpoint (https://tbd.inacademia.org/foo/authorize). For dev/testing the FQDN of the server is used instead of the global service FQDN | Required
jwks_uri | URL pointing to the server's signing keys (JWK Set) | Required
scopes_supported | List of supported scopes | Required
response_types_supported | 'id_token' | Required
subject_types_supported | 'public' and 'pairwise' | Optional
id_token_signing_alg_values_supported | JSON array of the JWS signing algorithms (alg values) the OP supports for signing the ID Token | Required
service_documentation | URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider | Optional

Signing keys are rolled over every 10 minutes; the JWK Set holds at most 3 keys at any time, and a JWK Set with more than 3 keys is not accepted.

(lightbulb) An RP should cache the JWK Set and refetch it once when an ID Token carries a kid it does not know, since a key may have been rolled in since the last fetch; if the kid is still unknown after the refetch, the token is rejected.


Client database

The RP client database is maintained in the Admin section and is published through an MDX service. Each MDX RP client entry contains:

  • Redirect URI(s)
  • Contact information
  • Service information (logo, display name, description)
  • A client key and secret

Parameter name | Value | State
redirect_uris | Array of Redirection URI values used by the Client | Required
response_types | 'id_token' | Recommended
contacts | Array of e-mail addresses of people responsible for this Client | Required
client_name | Name of the Client to be presented to the End-User | Recommended
sector_identifier_uri | URL referencing a file with a single JSON array of redirect_uri values | Optional
logo_uri | |
client_uri | |
policy_uri | |
tos_uri | |


RP Request parameters

Parameter name | Value | State
response_type | 'id_token' | Required
client_id | RP_client_id | Required
scope | Multiple values allowed, based on policy. See the scope mapping table below | Required
redirect_uri | URL to send the response to. (warning) MUST exactly match a preconfigured URI for this RP client ID; no prefix or host-only matching | Required
state | Opaque string which maintains state between RP and OP. (warning) MUST be carried in the RelayState sent to the SAML SP and returned to the RP | Recommended
nonce | String value that associates the Client session with the ID Token; prevents replay attacks. (warning) MUST be copied untouched into the nonce claim of the response. (warning) MUST be carried in the RelayState sent to the SAML SP and returned to the RP | Recommended
max_age | The maximum age of the authentication. (lightbulb) We can ignore this, as we always force IdP authentication with ForceAuthn on the SAML side for each transaction. (warning) We always include the auth_time claim in the response, so an RP can enforce a requested max_age itself | Optional
all other | Will be ignored | Ignored
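The checks an OP applies to the request parameters above, as an added example in Python; this is not code from this page or from the InAcademia code base. The client entry, the client_id and redirect_uri values, and the PENDING store are constructed for the example. One design choice deliberately differs from the table: the SAML 2.0 Bindings specification limits RelayState to 80 bytes, so this example keeps state and nonce server-side and carries only an unguessable, single-use reference in the RelayState; the RP still gets both values back untouched. The weak prefix match is included beside the exact match only to show what must be avoided.

```python
import secrets

# Constructed RP registration standing in for one entry of the MDX client
# database; client_id and URIs are example values, not real InAcademia data.
CLIENTS = {
    "rp-example-1": {
        "redirect_uris": ["https://rp.example.org/cb"],
    },
}

# Server-side store of in-flight transactions, keyed by the value placed in
# the SAML RelayState (assumption: the OP keeps this in a shared cache).
PENDING = {}


class AuthzRequestError(Exception):
    pass


def redirect_uri_allowed(registered, candidate):
    """Exact, whole-string comparison against the preconfigured URIs,
    including scheme, host, port, path and query."""
    return candidate in registered


def redirect_uri_allowed_weak(registered, candidate):
    """The pattern to avoid: prefix matching accepts attacker-controlled
    variants such as https://rp.example.org/cb?next=https://attacker.example
    or, for a host-only registration, https://rp.example.org.attacker.example/."""
    return any(candidate.startswith(uri) for uri in registered)


def validate_authorization_request(params, clients=CLIENTS):
    """Check the RP request parameters of the table above and return the
    context that has to survive the round trip through the SAML SP."""
    client = clients.get(params.get("client_id"))
    if client is None:
        raise AuthzRequestError("unknown client_id")
    if params.get("response_type") != "id_token":
        raise AuthzRequestError("only response_type=id_token is supported")
    redirect_uri = params.get("redirect_uri", "")
    if not redirect_uri_allowed(client["redirect_uris"], redirect_uri):
        # Never redirect an error to the unverified URI; report it locally.
        raise AuthzRequestError("redirect_uri does not match a preconfigured URI")
    if not params.get("scope", "").split():
        raise AuthzRequestError("scope is required")
    # max_age and all other parameters are ignored by this OP.
    return {
        "client_id": params["client_id"],
        "redirect_uri": redirect_uri,
        "scope": params["scope"],
        "state": params.get("state"),
        "nonce": params.get("nonce"),
    }


def start_saml_transaction(context, pending=PENDING):
    """Park the context server-side and return the RelayState handed to the
    SAML SP. Only an unguessable reference travels; state and nonce stay here."""
    relay_state = secrets.token_urlsafe(32)  # 43 characters, 256 bits of entropy
    pending[relay_state] = context
    return relay_state


def finish_saml_transaction(relay_state, pending=PENDING):
    """Resolve the RelayState returned from the SAML SP exactly once, so a
    captured RelayState cannot be replayed to mint a second response."""
    context = pending.pop(relay_state, None)
    if context is None:
        raise AuthzRequestError("unknown or already used RelayState")
    return context
```

After finish_saml_transaction the OP has client_id, redirect_uri, scope, state and nonce again and can build the response; the nonce goes into the ID Token and the state into the response parameters, both unchanged.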

OP Response parameters

Parameter name | Value | State
token_type | 'Bearer' | Required
id_token | See the id_token definition below | Required
state | Opaque string which maintains state between RP and OP. (warning) Was carried in the RelayState to the SAML IdP and back | Required, if requested
all other | Will be ignored | Ignored

kid: the Key ID in the JWS header is constructed per node by hashing over (IP + timestamp), which keeps it unique within the published JWK Set.

id_token

The transaction response contains an ID Token with the following contents:

Parameter name | Value | State
sub | Based on the requested scope, see the scope mapping table. (warning) MUST NOT exceed 255 ASCII characters (OpenID Connect Core) | Required
exp | 30 minutes after NOW() | Required
iss | The global service URL (https://tbd.inacademia.org/foo). For dev/testing: the FQDN of the server | Required
aud | RP_client_id | Required
iat | Timestamp of issuance. (warning) A JSON number representing seconds since Jan 1, 1970 UTC | Required
auth_time | Timestamp indicating when the SAML authentication response was received at the SvS SP. (warning) A JSON number representing seconds since Jan 1, 1970 UTC | Required
nonce | String value that associates the Client session with the ID Token; prevents replay attacks. (warning) Copied untouched from the nonce in the request. (warning) Was carried in the RelayState AND returned from the SP | Required, if requested
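An RP-side validation of the response, covering the key rollover rule from the provider info section (rollover every 10 minutes, 3 keys max) together with the id_token claims above. This is an added example in Python, not code from this page or from InAcademia. The supported algorithm list, the clock-skew allowance, the kid values and the JWK Set documents are assumptions or constructed test data, and the signature check itself is delegated to a caller-supplied function from a JOSE library (e.g. PyJWT or python-jose), because it is not what this page specifies.

```python
import base64
import json

ISSUER = "https://tbd.inacademia.org/foo"   # issuer / iss value from the tables
SUPPORTED_ALGS = {"RS256"}                  # assumed id_token_signing_alg_values_supported
MAX_JWKS_KEYS = 3                           # "3 keys max are accepted"
CLOCK_SKEW = 60                             # tolerated clock drift in seconds (assumption)


class IdTokenError(Exception):
    pass


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_compact_jws(header, claims, signature=b""):
    """Compact serialisation header.payload.signature. Demo helper only: a
    real OP computes the signature with the key named by header['kid']."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + "." + enc(claims) + "." + _b64url_encode(signature)


def split_compact_jws(token):
    """Return (header, claims, signing_input, signature) of a compact JWS."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise IdTokenError("ID token is not a three-part compact JWS")
    return (json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)),
            (h + "." + p).encode("ascii"), _b64url_decode(s))


class JwksCache:
    """RP-side key cache that copes with the 10-minute rollover: an unknown
    kid triggers exactly one refetch of jwks_uri, and a JWK Set advertising
    more keys than the profile allows is refused. Every key must carry a kid."""

    def __init__(self, fetch_jwks):
        self._fetch = fetch_jwks        # callable returning the parsed JWK Set document
        self._keys = {}
        self._reload()

    def _reload(self):
        keys = self._fetch().get("keys", [])
        if len(keys) > MAX_JWKS_KEYS:
            raise IdTokenError("JWK Set advertises more than %d keys" % MAX_JWKS_KEYS)
        self._keys = {k["kid"]: k for k in keys}

    def get(self, kid):
        if kid not in self._keys:
            self._reload()              # a new key may have been rolled in since the last fetch
        if kid not in self._keys:
            raise IdTokenError("unknown kid %r after refreshing jwks_uri" % kid)
        return self._keys[kid]


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_id_token_claims(claims, client_id, expected_nonce, now, max_age=None):
    """The claim checks of the id_token table; `now` is seconds since epoch."""
    if claims.get("iss") != ISSUER:
        raise IdTokenError("iss mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise IdTokenError("aud does not contain our client_id")
    for name in ("exp", "iat", "auth_time"):
        if not _is_number(claims.get(name)):
            raise IdTokenError("%s missing or not a JSON number" % name)
    if now > claims["exp"] + CLOCK_SKEW:
        raise IdTokenError("ID token expired")
    if claims["iat"] > now + CLOCK_SKEW:
        raise IdTokenError("iat lies in the future")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub or len(sub) > 255 or not sub.isascii():
        raise IdTokenError("sub missing or longer than 255 ASCII characters")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch: possible replay")
    if max_age is not None and now - claims["auth_time"] > max_age + CLOCK_SKEW:
        raise IdTokenError("authentication is older than the requested max_age")
    return claims


def verify_id_token(token, client_id, expected_nonce, jwks, verify_signature, now, max_age=None):
    """Full RP-side check. verify_signature(signing_input, signature, jwk, alg)
    comes from the caller's JOSE library and is not reimplemented here."""
    header, claims, signing_input, signature = split_compact_jws(token)
    alg = header.get("alg")
    if alg not in SUPPORTED_ALGS:           # also rejects alg=none and HMAC confusion
        raise IdTokenError("unsupported alg %r" % alg)
    jwk = jwks.get(header.get("kid"))
    if not verify_signature(signing_input, signature, jwk, alg):
        raise IdTokenError("signature does not verify")
    return validate_id_token_claims(claims, client_id, expected_nonce, now, max_age)
```

The order matters: the algorithm is checked against the discovery document before any key is looked up, so a token with alg=none or an unexpected algorithm never reaches the key cache or the signature routine, and the nonce the RP stored for this session is compared only after the signature is good.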

id_token Claims

(All claims are optional; which ones are delivered depends on the requested scope parameters and the scopes allowed for the RP.)

Name | Value
country | The country code of the institution that handled the authentication. Format: ISO 3166-1 alpha-3
domain | The person's home organization, given as the domain name of the organization. Format: domain name according to RFC 1035


OIDC scope definitions & SAML SP profiles

Scope | Description | Subject ID value | Available for SAML SP profile | (warning) SAML attribute values

Identifier claims: claims that present a transaction identifier, either transient or persistent, used to fill the 'sub' claim of the id_token.
persistent | A persistent identifier, unique for this person, on a per-RP, per-IdP basis | pairwise persistent: a hash over RP client_id + {SAML NameID or eduPersonTargetedID or ePPN} + IdP entityID | SP_ID, SP_NOID |
transient | A transient identifier, unique for each transaction | (open question: could/should this be the kid?) | SP_NOID |

Affiliation claims: these claims establish the person's affiliation with the home institution. (warning) These scope values are mutually exclusive; a request contains at most one of them.
affiliated | Is this person affiliated with the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: faculty, staff, student or member
student | Is this person a student at the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: student
faculty+staff | Institutional workers whose primary role is teaching or research (faculty), and workers other than teachers or researchers (staff) | | SP_ID, SP_NOID | eduPersonAffiliation: staff or faculty
alum | Is this person an alumnus of the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: alum

Other claims: additional claims an RP may request.
country | What is the country of the user's home institution? | | SP_ID, SP_NOID | Derived from the country information of the federation hosting the IdP, formatted as ISO 3166-1 alpha-3. (warning) This should probably be part of the MDX info!
domain | What is the domain name of the user's institution? | | SP_ID, SP_NOID | schacHomeOrganization

Examples:

scope=affiliated
scope=affiliated persistent
scope=affiliated persistent country
scope=student persistent country
scope=student persistent country domain
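How the scope table above maps onto scope validation, sub construction and claim release, as an added example in Python that is not the page's or InAcademia's code. The SP-profile choice (SP_ID only when a pairwise persistent sub has to be derived), the secret salt keying the pairwise hash, the preference order among NameID, eduPersonTargetedID and ePPN, the defaulting to a transient sub when no identifier scope is requested, and the sample SAML attributes are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

IDENTIFIER_SCOPES = {"persistent", "transient"}
AFFILIATION_SCOPES = {"affiliated", "student", "faculty+staff", "alum"}  # mutually exclusive
OTHER_SCOPES = {"country", "domain"}

# eduPersonAffiliation values that satisfy each affiliation scope (from the table)
AFFILIATION_VALUES = {
    "affiliated": {"faculty", "staff", "student", "member"},
    "student": {"student"},
    "faculty+staff": {"faculty", "staff"},
    "alum": {"alum"},
}


class ScopeError(Exception):
    pass


def parse_scope(scope, allowed_for_rp):
    """Validate the space-separated scope value against the RP's allowed
    scopes, enforce the mutual exclusion of the affiliation scopes and pick
    the SAML SP profile. Assumption: SP_ID is needed only when a persistent
    (pairwise) sub has to be derived from an identifying SAML attribute."""
    requested = set(scope.split())
    if not requested:
        raise ScopeError("scope is empty")
    unknown = requested - IDENTIFIER_SCOPES - AFFILIATION_SCOPES - OTHER_SCOPES
    if unknown:
        raise ScopeError("unknown scope(s): %s" % ", ".join(sorted(unknown)))
    denied = requested - set(allowed_for_rp)
    if denied:
        raise ScopeError("scope(s) not allowed for this RP: %s" % ", ".join(sorted(denied)))
    affiliation = requested & AFFILIATION_SCOPES
    if len(affiliation) > 1:
        raise ScopeError("affiliation scopes are mutually exclusive")
    if len(requested & IDENTIFIER_SCOPES) > 1:
        raise ScopeError("request either persistent or transient, not both")
    return {
        "scopes": requested,
        "affiliation": affiliation.pop() if affiliation else None,
        "sp_profile": "SP_ID" if "persistent" in requested else "SP_NOID",
    }


def select_saml_identifier(attrs):
    """Pick one of the identifiers named in the table (assumed preference order)."""
    for name in ("NameID", "eduPersonTargetedID", "eduPersonPrincipalName"):
        if attrs.get(name):
            return attrs[name]
    raise ScopeError("no SAML identifier available for a persistent sub")


def pairwise_persistent_sub(client_id, saml_identifier, idp_entity_id, salt):
    """Hash over RP client_id + SAML identifier + IdP entityID as the table
    describes. The separator rules out ambiguous concatenations; keying the
    hash with an OP-held secret salt is an addition (assumption) so that
    someone who knows a user's ePPN cannot precompute that user's sub at any RP."""
    material = "\x1f".join((client_id, saml_identifier, idp_entity_id)).encode("utf-8")
    return hmac.new(salt, material, hashlib.sha256).hexdigest()  # 64 chars, within the 255 limit


def transient_sub():
    """Unique per transaction and unlinkable across transactions."""
    return secrets.token_urlsafe(32)


def build_response(parsed, client_id, attrs, idp_entity_id, idp_country, salt):
    """Produce sub and the optional claims for an id_token from the SAML
    attributes (attrs) the IdP released for the selected SP profile."""
    affiliation = parsed["affiliation"]
    if affiliation:
        released = set(attrs.get("eduPersonAffiliation", ()))
        if not released & AFFILIATION_VALUES[affiliation]:
            raise ScopeError("user does not satisfy affiliation scope %r" % affiliation)
    if "persistent" in parsed["scopes"]:
        sub = pairwise_persistent_sub(client_id, select_saml_identifier(attrs), idp_entity_id, salt)
    else:
        sub = transient_sub()            # also the default when no identifier scope was asked for
    token = {"sub": sub}
    if "country" in parsed["scopes"]:
        token["country"] = idp_country   # ISO 3166-1 alpha-3, from the federation metadata
    if "domain" in parsed["scopes"]:
        if "schacHomeOrganization" not in attrs:
            raise ScopeError("IdP did not release schacHomeOrganization")
        token["domain"] = attrs["schacHomeOrganization"]
    return token
```

Note that an unmet affiliation scope aborts the transaction rather than producing an ID Token without the claim: the affiliation scopes are yes/no assertions, and the table lists no claim that would carry a "no".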

 

Sources:

http://www.geant.net/service/eduGAIN/resources/Documents/GN3-11-012%20eduGAIN_attribute_profile-05%2012%202013.pdf

http://www.terena.org/activities/refeds/docs/ePSAcomparison_0_13.pdf