non-standard OIDC scopes
Wessel, Keith
kwessel at illinois.edu
Mon Jun 8 20:02:10 UTC 2020
That’s precisely what we’re doing at Illinois. Adding custom scopes, as I understand it, is not allowed. And I’ve been naming custom claims as outlined in that white paper. For some of those custom claims, I make them available to any client that includes them in requested claims as long as the user logging in isn’t FERPA suppressed. Other claims require explicit release from our side.
Keith
From: users <users-bounces at shibboleth.net> On Behalf Of Liam Hoekenga
Sent: Monday, June 8, 2020 2:59 PM
To: Shib Users <users at shibboleth.net>
Subject: non-standard OIDC scopes
Slightly off topic, but since I'm looking to define and release attributes using the Shib IDP, so slightly on topic?
For those of you who have deployed OIDC extension, what have you done for non-standard scopes and claims of useful data?
Realistically, I think my team needs to sit down and maybe draft a umich scope (or scopes)? But in the meantime, I'm looking at attributes that are pretty common in SAML, but don't exist in one of the easily findable, defined standard OIDC scopes.
I have been using a whitepaper from REFEDS to inform my actions.. White Paper for implementation of mappings between SAML 2.0 and OpenID Connect in Research and Education<https://wiki.refeds.org/download/attachments/38895621/20181011-OIDC-WP.pdf>
..specifically the stuff under section 8, "Advance profile":
Therefore, going from SAML to OIDC:
● an underscore is used to separate words that would normally have a space in natural language;
● the schema prefix of the attribute is retained, presented in lower case and separated by an underscore, and
● camel case is converted into lower case, and again using underscores to separate words.
which leads to scope names like eduperson org inetorgperson, and claims named eduperson_principal_name or inetorgperson_employee_number
I'm curious what other institutions are doing.
thanks!
Liam
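An added example, written for this archive page and not code from either poster or from the Shibboleth OIDC extension: it applies the three white-paper naming rules quoted above to SAML attribute names, and then models the two-tier release Keith describes (open claims for any requesting client unless the user is FERPA suppressed, other claims only with explicit per-client approval). The claim sets, client ids and the FERPA flag are constructed placeholders.

```python
import re

# Insert an underscore at each lower/upper boundary: "PrincipalName" -> "Principal_Name"
_CAMEL_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])")


def saml_to_oidc_scope(schema: str) -> str:
    """Scope name rule: the schema prefix, lower case, as one word (eduPerson -> eduperson)."""
    return schema.lower()


def saml_to_oidc_claim(schema: str, attribute: str) -> str:
    """Claim name rules from section 8 of the REFEDS white paper.

    schema    - schema prefix of the attribute, e.g. "eduPerson" or "inetOrgPerson"
    attribute - SAML attribute name, e.g. "eduPersonPrincipalName" or "employeeNumber"
    """
    prefix = schema.lower()
    # Some attribute names repeat the schema prefix; drop it so it appears once.
    rest = attribute[len(schema):] if attribute.lower().startswith(prefix) else attribute
    # camelCase -> lower case, words separated by underscores.
    words = _CAMEL_BOUNDARY.sub("_", rest).lower().strip("_")
    return f"{prefix}_{words}" if words else prefix


# Constructed policy tables (placeholders, not Illinois' real configuration).
OPEN_CLAIMS = {"eduperson_principal_name", "eduperson_affiliation"}
EXPLICIT_RELEASE = {"gradebook-app": {"inetorgperson_employee_number"}}


def release_claims(client_id, requested, ferpa_suppressed, open_claims=OPEN_CLAIMS,
                   explicit_release=EXPLICIT_RELEASE):
    """Return the requested claims that may be put in the ID token / userinfo response."""
    released = []
    for claim in requested:
        if claim in open_claims:
            # Any client may ask for these, but nothing is released for a suppressed user.
            if not ferpa_suppressed:
                released.append(claim)
        elif claim in explicit_release.get(client_id, ()):
            # Assumption: explicitly approved claims are governed only by the per-client list.
            released.append(claim)
        # Claims that are neither open nor approved for this client are dropped.
    return released
```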