NIEF Attributes within OIDC

From NIEF Wiki

This page offers a discussion on the use of NIEF Attributes within OIDC as user claims. There are many viable approaches and no formally specified methodology for doing so at the time this wiki article was written.

OIDC Claims vs. SAML Attributes

One important difference between OIDC Claims and SAML Attributes is that SAML defines a framework for transmitting attributes but essentially defines no attributes itself; it leaves attribute definition to other specifications and communities. As a result, the NIEF attribute registry provides every attribute the NIEF community requires. OIDC, by contrast, defines numerous default claims that overlap with existing NIEF attribute definitions (names, addresses, etc.). To maximize interoperability, it may make sense to map NIEF attributes to the standardized OIDC claims wherever such a claim has been specified.

Standard OIDC Claims

Google Sheets OIDC Claims Map

SAML Attribute Names

In general, the OIDC claim name of any attribute intended for use in OIDC transactions should be enumerated within the NIEF Attribute Registry. An OIDC claim name is unconstrained beyond being a string value. There may be some value in aligning with the naming scheme of the OIDC default claims (very short, all-lowercase names), which may enhance interoperability, or in using the NIEF attribute registry URLs themselves as claim names for specific attributes, which may enhance clarity and semantics. That said, the current test environment uses this mapping:

| NIEF Attribute URL | OIDC Claim | OIDC Claim Source |
|---|---|---|
| https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0/ | email | OIDC Specification |
| https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0/ | fedid | Created for demo |
| https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0/ | given_name | OIDC Specification |
| https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0/ | family_name | OIDC Specification |
| https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0/ | telephone_number | OIDC Specification |
| https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0/ | cfr | Created for demo |
| https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0/ | ori | Created for demo |
| https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0/ | aal | Created for demo |
| https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0/ | ial | Created for demo |
| https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0/ | pso | Created for demo |
| https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0/ | leo | Created for demo |
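As an added example (not code from the NIEF wiki or its test environment), the following Python applies the mapping above to translate a NIEF attribute set, as a SAML identity provider holds it, into an OIDC claims set. It assumes the *Indicator attributes are xsd:boolean-valued and all other attributes are string-valued; the claim names are taken from the table as given, including telephone_number, even though the OIDC Core standard claim is phone_number.

```python
# Added example, not code from the NIEF wiki or its test environment: translate a
# NIEF attribute set (as a SAML IdP holds it, string-valued and possibly multi-valued)
# into an OIDC claims set using the mapping table on this page.
REG = "https://nief.org/attribute-registry/attributes/user/"

# NIEF attribute URL -> (OIDC claim name, JSON type). The types are this example's
# assumption: the *Indicator attributes are treated as xsd:boolean, the rest as strings.
# "telephone_number" is kept as the page gives it; OIDC Core's own claim is "phone_number".
MAPPING: dict[str, tuple[str, type]] = {
    REG + "gfipm/EmailAddressText/2.0/": ("email", str),
    REG + "gfipm/FederationId/2.0/": ("fedid", str),
    REG + "gfipm/GivenName/2.0/": ("given_name", str),
    REG + "gfipm/SurName/2.0/": ("family_name", str),
    REG + "gfipm/TelephoneNumber/2.0/": ("telephone_number", str),
    REG + "gfipm/28CFRCertificationIndicator/2.0/": ("cfr", bool),
    REG + "gfipm/EmployerORI/2.0/": ("ori", str),
    REG + "nief/AuthenticatorAssuranceLevel/1.0/": ("aal", str),
    REG + "nief/IdentityAssuranceLevel/1.0/": ("ial", str),
    REG + "gfipm/PublicSafetyOfficerIndicator/2.0/": ("pso", bool),
    REG + "gfipm/SwornLawEnforcementOfficerIndicator/2.0/": ("leo", bool),
}


def _coerce(value: str, kind: type) -> object:
    """Convert one SAML string value to the claim's declared JSON type."""
    if kind is bool:
        # Accept only xsd:boolean forms: passed through as a string, "false" would
        # be truthy at a relying party that tests the claim.
        if value in ("true", "1"):
            return True
        if value in ("false", "0"):
            return False
        raise ValueError(f"not an xsd:boolean value: {value!r}")
    return value


def to_oidc_claims(attrs: dict[str, list[str]]) -> tuple[dict[str, object], list[str]]:
    """Return (claims, unmapped); unregistered attributes are dropped, not renamed."""
    claims: dict[str, object] = {}
    unmapped: list[str] = []
    for url, values in attrs.items():
        if url not in MAPPING:
            unmapped.append(url)
            continue
        name, kind = MAPPING[url]
        converted = [_coerce(v, kind) for v in values]
        # A single value becomes a scalar claim; several stay a JSON array.
        claims[name] = converted[0] if len(converted) == 1 else converted
    return claims, unmapped
```

The unmapped list is returned rather than silently discarded so the issuer can log attributes that have no registered claim name.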