This document makes use of various formatting options to express how the description should be interpreted.
Roland please provide some input..
The OpenID Provider metadata (discovery document) contains:
| Parameter Name | Value | State |
|---|---|---|
| issuer | The global service URL (https://tbd.inacademia.org/foo); for dev/testing the FQDN of the server is used instead. Must be identical to the iss claim of every issued ID Token | Required |
| authorization_endpoint | URL of the global service Authorization Endpoint (https://tbd.inacademia.org/foo/authorize); for dev/testing the FQDN of the server is used instead of the global service FQDN | Required |
| jwks_uri | URL of the server's JWK Set, i.e. the public signing keys an RP uses to verify ID Tokens | Required |
| scopes_supported | A list of supported scopes (see the scope mapping table below) | Required |
| response_types_supported | 'id_token' | Required |
| subject_types_supported | 'public' and 'pairwise' | Required (the parameter is REQUIRED by OpenID Connect Discovery 1.0) |
| id_token_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT | Required |
| service_documentation | URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider | Optional |
Signing keys will be rolled over every 10 minutes, and at most 3 keys are kept and published in the JWK Set at any time, so an RP must be prepared to refetch jwks_uri when an ID Token carries a kid it has not cached.
The RP client database is populated in the Admin section and will be provided via an MDX service. The MDX RP client database will contain:
| Parameter name | Value | State |
|---|---|---|
| redirect_uris | Array of Redirection URI values used by the Client; the redirect_uri of an Authorization Request must exactly match one of these | Required |
| response_types | 'id_token' | Recommended |
| contacts | Array of e-mail addresses of people responsible for this Client | Required |
| client_name | Name of the Client to be presented to the End-User | Recommended |
| sector_identifier_uri | URL referencing a file with a single JSON array of redirect_uri values; groups several redirect_uris under one sector for pairwise subject calculation | Optional |
| logo_uri | URL of a logo for the Client, to be presented to the End-User | Optional |
| client_uri | URL of the home page of the Client | Optional |
| policy_uri | URL of the Client's privacy policy, describing how the profile data will be used | Optional |
| tos_uri | URL of the Client's terms of service | Optional |
The Authorization Request sent to the authorization_endpoint contains:
| Parameter Name | Value | State |
|---|---|---|
| response_type | 'id_token' | Required |
| client_id | RP client_id | Required |
| scope | Multiple values allowed, based on policy. See scope mapping table below | Required |
| redirect_uri | URL to send the response to; must exactly match one of the Client's registered redirect_uris | Required |
| state | Opaque string which maintains state between RP and OP; the RP must check it on return | Recommended |
| nonce | String value to associate the Client session with the ID Token; prevents replay attacks | Required (nonce is REQUIRED when response_type is id_token, OpenID Connect Core 3.2.2.1) |
| max_age | Maximum allowed age of the authentication, in seconds; when present the RP must compare it with the auth_time claim of the ID Token | Optional |
| all other | Will be ignored | Ignored |
Since response_type is id_token (Implicit Flow), the Authorization Response is returned in the fragment component of the redirect_uri and contains:
| Parameter Name | Value | State |
|---|---|---|
| token_type | 'Bearer' | Only returned together with an access_token, which response_type=id_token does not issue (OpenID Connect Core 3.2.2.5) |
| id_token | See id_token definition below | Required |
| state | Opaque string which maintains state between RP and OP, copied unchanged from the request | Required, if requested |
| all other | Will be ignored | Ignored |
KID: the Key ID is constructed per node by hashing over (IP + timestamp). It must be unique among all keys published at jwks_uri and is carried in the JWS header of every ID Token so that the RP can select the matching verification key.
The transaction response will contain an ID Token with the following contents:
| Parameter Name | Value | Implement? |
|---|---|---|
| sub | Based on the scope requested; see the scope mapping table below | Required |
| exp | 30 min after NOW() | Required |
| iss | The global service URL (https://tbd.inacademia.org/foo); for dev/testing the FQDN of the server. Identical to the issuer value of the discovery document | Required |
| aud | RP client_id | Required |
| iat | Timestamp at which the ID Token was issued | Required |
| auth_time | Timestamp indicating when the SAML authN response was received at the SvS SP | Required |
| nonce | The nonce from the Authorization Request, copied unchanged; the RP must compare it with the value it sent | Required, if requested |
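The following Python is added here as an illustration and is not part of the inAcademia service code. It ties together the key rollover rule (every 10 minutes, at most 3 published keys), the per-node kid, and the Authorization Request, Authorization Response and ID Token tables above: the OP side rolls keys and signs, the RP side builds the request with a fresh state and nonce, reads the fragment response, resolves the kid against jwks_uri (refetching on an unknown kid or a stale cache) and validates signature, iss, aud, exp, iat, nonce and auth_time. RS256 is implemented with the standard library only so that the block runs offline; the 1024-bit key size, the 60-second clock skew, the 10-minute cache TTL, the node IP and the hostnames are assumptions, and a real deployment would use a vetted JOSE library with 2048-bit or larger keys.

```python
import base64, hashlib, hmac, json, secrets, time, urllib.parse

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()          # base64url without padding (JWS/JWK)
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- RS256 (RSASSA-PKCS1-v1_5 with SHA-256) from the standard library; demo-grade key generation ---
def _is_prime(n, rounds=16):                                                  # Miller-Rabin
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1                     # top bit set, odd
        if _is_prime(c): return c

def gen_rsa(bits=1024):                                                       # 1024 keeps the demo fast; use >= 2048 for real
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                                                # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v15(msg, k):                                                  # k = modulus length in bytes
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, msg, sig):
    n, e = (int.from_bytes(b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))                   # whole encoding, constant time

# --- OP: per-node kid, rollover keeping the 3 newest keys, ID Token issuance ---
class OP:
    def __init__(self, issuer, node_ip, now=None):
        self.issuer, self.node_ip, self.keys = issuer, node_ip, []
        self.rollover(now)
    def rollover(self, now=None):
        now = int(time.time()) if now is None else now
        key = gen_rsa()
        key["kid"] = hashlib.sha256(f"{self.node_ip}|{now}".encode()).hexdigest()[:16]   # page: hash(IP + timestamp)
        self.keys = ([key] + self.keys)[:3]                                   # newest first; 4th-newest leaves the JWK Set
    def jwks(self):
        return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": k["kid"],
                          "n": b64u(k["n"].to_bytes((k["n"].bit_length() + 7) // 8, "big")),
                          "e": b64u(k["e"].to_bytes(3, "big"))} for k in self.keys]}
    def id_token(self, client_id, sub, nonce, auth_time, now=None):
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": sub, "aud": client_id, "iat": now, "exp": now + 30 * 60,
                  "auth_time": auth_time, "nonce": nonce}                     # exp = 30 min after now, per the table
        key = self.keys[0]                                                    # always sign with the newest key
        header = b64u(json.dumps({"alg": "RS256", "kid": key["kid"]}).encode())
        signing_input = header + "." + b64u(json.dumps(claims).encode())
        return signing_input + "." + b64u(rs256_sign(key, signing_input.encode()))

# --- RP: request construction, fragment parsing with state check, kid lookup with refetch, validation ---
class RP:
    def __init__(self, client_id, issuer, fetch_jwks, cache_ttl=600):
        self.client_id, self.issuer, self.fetch_jwks, self.ttl = client_id, issuer, fetch_jwks, cache_ttl
        self.keys, self.fetched_at = {}, 0
    def authorization_request(self, authorization_endpoint, scope, redirect_uri):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)  # fresh per request; keep both in the session
        q = {"response_type": "id_token", "client_id": self.client_id, "scope": scope,
             "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
        return authorization_endpoint + "?" + urllib.parse.urlencode(q), state, nonce
    def parse_response(self, redirect_url, expected_state):
        frag = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(redirect_url).fragment))  # Implicit Flow: fragment
        if not hmac.compare_digest(frag.get("state", ""), expected_state): raise ValueError("state mismatch")
        return frag["id_token"]
    def _key(self, kid, now):
        if kid not in self.keys or now - self.fetched_at > self.ttl:         # unknown kid or stale cache: refetch jwks_uri
            self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"]}
            self.fetched_at = now
        return self.keys.get(kid)
    def validate(self, token, expected_nonce, now=None, max_age=None):
        now = int(time.time()) if now is None else now
        h, c, s = token.split(".")
        header = json.loads(b64u_dec(h))
        if header.get("alg") != "RS256": raise ValueError("unexpected alg")   # never accept 'none' or an alg switch
        jwk = self._key(header.get("kid"), now)
        if jwk is None or not rs256_verify(jwk, f"{h}.{c}".encode(), b64u_dec(s)):
            raise ValueError("unknown kid or bad signature")
        claims = json.loads(b64u_dec(c))
        if claims.get("iss") != self.issuer: raise ValueError("iss mismatch")
        if claims.get("aud") != self.client_id: raise ValueError("aud mismatch")
        if not claims["iat"] - 60 <= now < claims["exp"]: raise ValueError("expired or not yet valid")  # 60 s skew
        if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce): raise ValueError("nonce mismatch")
        if max_age is not None and now - claims["auth_time"] > max_age: raise ValueError("authentication too old")
        return claims
```

Usage: construct an OP with the issuer value from the discovery table, an RP with the same issuer and the OP's jwks() as its fetch function, then call authorization_request, id_token, parse_response and validate in that order. After three calls to rollover the first key is no longer in the JWK Set, so a fresh RP rejects tokens signed with it even though they have not expired, which is exactly the behaviour the 10-minute rollover and the 3-key limit imply for RPs that cache keys.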
(All claims are optional; which ones are delivered depends on the requested scope parameters and the scopes allowed for the RP.)
| Name | Value |
|---|---|
| country | The country code of the institution that handled the AuthN. Format: ISO 3166-1 alpha-3 |
| domain | Specifies a person's home organization using the domain name of the organization. Format: domain name according to RFC 1035 |
| Scope | Description | Subject ID value | Available for SAML SP profile | Source / notes |
|---|---|---|---|---|
| Identifier Claims | Claims that present a transaction identifier, either transient or persistent. Used to fill the 'sub' part of the id_token | | | |
| persistent | A persistent identifier, unique for this person, on a per RP, per IdP basis | pairwise persistent | SP_ID, SP_NOID | The pairwise persistent Subject ID is created using a hash over RP client_id + {SAML NameID or eduPersonTargetedID or ePPN} + IdP entityID. The hash should also include a secret OP salt (OpenID Connect Core 8.1), otherwise anyone who knows the three public inputs can recompute the identifier; only a persistent NameID, never a transient one, may serve as input |
| transient | A transient identifier, which is unique for each transaction | transient | SP_NOID | Could/Should this be the KID? (No: the kid identifies a signing key that is shared by all transactions of a node during a rollover interval; a transient sub must be a fresh unguessable value per transaction.) |
| Affiliation Claims | These claims establish the person's affiliation with the home institution. These scope request parameters are mutually exclusive | | | |
| affiliated | Is this person affiliated to the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: faculty, staff, student or member |
| student | Is this person a student at the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: student |
| faculty+staff | Institutional workers whose primary role is teaching or research (faculty) and workers other than teachers or researchers (staff) | | SP_ID, SP_NOID | eduPersonAffiliation: staff or faculty |
| alum | Is this person an alumnus of the institution? | | SP_ID, SP_NOID | eduPersonAffiliation: alum |
| Other Claims | Additional claims an RP may request | | | |
| country | What is the country of the user's home institution? | | SP_ID, SP_NOID | Derived from country information for the federation hosting the IdP, formatted as ISO 3166-1 alpha-3 |
| domain | What is the domain name of the institution of the user? | | SP_ID, SP_NOID | schacHomeOrganization |
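As an added example that is not inAcademia code, the following Python implements the OP-side logic of the scope mapping table: filtering the requested scopes against the RP's policy, enforcing the mutual exclusivity of the affiliation scopes, deriving the pairwise persistent or transient sub, and mapping eduPersonAffiliation, the federation country and schacHomeOrganization to claims. The OP salt, the shape of the incoming SAML assertion, the federation-country lookup and the delivery of affiliation scopes as boolean claims named after the scope are assumptions, and the sample assertion is constructed.

```python
import hashlib, hmac, secrets

# Scope -> eduPersonAffiliation values, taken from the scope mapping table
AFFILIATION_SCOPES = {"affiliated": {"faculty", "staff", "student", "member"},
                      "student": {"student"},
                      "faculty+staff": {"faculty", "staff"},
                      "alum": {"alum"}}
IDENTIFIER_SCOPES = {"persistent", "transient"}
OTHER_SCOPES = {"country", "domain"}
PERSISTENT_NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def parse_scope(scope, allowed_for_rp):
    """Apply the table's rules to the raw scope parameter: ignore unknown values (OAuth 2.0 behaviour),
    keep only scopes this RP's policy allows (an SP_NOID profile, for instance, never gets 'persistent'),
    and reject a request combining two mutually exclusive affiliation scopes or two identifier scopes."""
    requested = set(scope.split()) & (AFFILIATION_SCOPES.keys() | IDENTIFIER_SCOPES | OTHER_SCOPES)
    granted = requested & allowed_for_rp
    if len(granted & AFFILIATION_SCOPES.keys()) > 1:
        raise ValueError("affiliation scopes are mutually exclusive")
    if len(granted & IDENTIFIER_SCOPES) > 1:
        raise ValueError("request either persistent or transient, not both")
    return granted

def pairwise_sub(salt, client_id, saml_id, idp_entity_id):
    """hash(RP client_id + SAML identifier + IdP entityID) from the table, keyed with an OP-secret salt
    (assumption, following OpenID Connect Core 8.1) so nobody who knows the three public inputs can
    recompute it. The inputs are delimited so that 'ab'+'c' and 'a'+'bc' cannot collide."""
    msg = "\x1f".join((client_id, saml_id, idp_entity_id)).encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()

def transient_sub():
    """Fresh unguessable value per transaction; deliberately unrelated to the signing-key kid."""
    return secrets.token_urlsafe(32)

def saml_identifier(assertion):
    """Pick the identifier in the table's order: persistent NameID, eduPersonTargetedID, ePPN.
    A transient NameID is never acceptable as input to a persistent subject."""
    nameid = assertion.get("nameid", {})
    if nameid.get("format") == PERSISTENT_NAMEID:
        return nameid["value"]
    for attr in ("eduPersonTargetedID", "eduPersonPrincipalName"):
        if assertion.get(attr):
            return assertion[attr]
    raise ValueError("no persistent identifier in assertion")

def build_claims(scopes, client_id, assertion, salt, federation_country):
    """Claims for the ID Token body for the granted scopes. Affiliation scopes are delivered as
    boolean claims named after the scope (assumption; the page does not name these claims)."""
    idp = assertion["idp_entity_id"]
    # sub is always required in the ID Token, so fall back to a transient value without 'persistent'
    sub = pairwise_sub(salt, client_id, saml_identifier(assertion), idp) if "persistent" in scopes else transient_sub()
    claims = {"sub": sub}
    affiliations = set(assertion.get("eduPersonAffiliation", ()))
    for scope in scopes & AFFILIATION_SCOPES.keys():
        claims[scope] = bool(affiliations & AFFILIATION_SCOPES[scope])
    if "country" in scopes:
        claims["country"] = federation_country[idp]                     # ISO 3166-1 alpha-3, from federation data
    if "domain" in scopes:
        claims["domain"] = assertion["schacHomeOrganization"]
    return claims

# Constructed sample input, not real data: a transient NameID (unusable for persistent sub) plus an ePPN
SAMPLE_ASSERTION = {
    "idp_entity_id": "https://idp.example.edu/saml",
    "nameid": {"format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "value": "_abc123"},
    "eduPersonPrincipalName": "jdoe@example.edu",
    "eduPersonAffiliation": ["student", "member"],
    "schacHomeOrganization": "example.edu",
}
FEDERATION_COUNTRY = {"https://idp.example.edu/saml": "NLD"}
OP_SALT = b"replace-with-a-long-random-secret-kept-only-by-the-OP"   # assumption: OP-side secret
```

With the sample assertion, scope=student persistent country for an SP_ID client yields a sub derived from the ePPN (the transient NameID is skipped), student=true and country=NLD; the same person at a second RP gets a different sub, and two transient transactions never share one.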
Examples:
scope=affiliated
scope=affiliated persistent
scope=affiliated persistent country
scope=student persistent country
scope=student persistent country domain
Sources:
http://www.terena.org/activities/refeds/docs/ePSAcomparison_0_13.pdf