What would I get by default from OpenAthens Keystone?
The preconfigured rules will take care of many SAML attributes and Keystone will output several claims from a standard OpenAthens login:
- sub - a non-persistent user identifier.
- realmName - the SAML entityID of the end-user's organisation - e.g.
- Issuer.errorURL - where present, a URL a user can be sent to when you can't let them in because of something at their end. See: The errorURL attribute and what it is for
- eduPersonScopedAffiliation - a scoped role - e.g.
- derivedEduPersonAffiliation - just the role part extracted from the claim above - e.g.
- derivedEduPersonScope - just the scope part - e.g.
- One or both of these identifiers, depending on the identity provider:
  - eduPersonTargetedID - a persistent user identifier, being deprecated in many federations
  - pairwiseID - a persistent user identifier that is replacing
There may be more, depending on what the identity provider is sending, but these should always show up.
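As an added example (not OpenAthens code), this is how a relying party might consume the claims listed above: it splits eduPersonScopedAffiliation the same way the derived claims do, keys the local account on pairwiseID or eduPersonTargetedID rather than the non-persistent sub, and keeps Issuer.errorURL for the failure path. The claim values are a constructed sample, and the ID token is assumed to have already been signature-validated by your OIDC library.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample of claims after a Keystone login (all values invented).
SAMPLE_CLAIMS = {
    "sub": "t8x1Qp9",  # non-persistent: never key an account on this
    "realmName": "https://idp.example.ac.uk/shibboleth",
    "eduPersonScopedAffiliation": "member@example.ac.uk",
    "eduPersonTargetedID": "https://idp.example.ac.uk/shibboleth!https://rp.example.com!abc123",
    "pairwiseID": "abc123@example.ac.uk",
    "Issuer.errorURL": "https://idp.example.ac.uk/help",
}


@dataclass
class KeystoneUser:
    persistent_id: str        # stable key for the local account
    affiliation: str          # role part of eduPersonScopedAffiliation
    scope: str                # scope part of eduPersonScopedAffiliation
    realm: str                # realmName (the IdP entityID)
    error_url: Optional[str]  # where to send the user if access is refused


def split_scoped_affiliation(value: str) -> tuple[str, str]:
    """'member@example.ac.uk' -> ('member', 'example.ac.uk'); this mirrors the
    derivedEduPersonAffiliation / derivedEduPersonScope claims."""
    role, sep, scope = value.partition("@")
    if not sep or not role or not scope:
        raise ValueError(f"malformed scoped affiliation: {value!r}")
    return role, scope


def persistent_identifier(claims: dict) -> str:
    """Prefer pairwiseID, fall back to eduPersonTargetedID; 'sub' is not persistent."""
    for claim in ("pairwiseID", "eduPersonTargetedID"):
        if claims.get(claim):
            # Prefix with the claim name so values from the two schemes cannot collide.
            return f"{claim}:{claims[claim]}"
    raise ValueError("no persistent identifier in claims")


def parse_keystone_claims(claims: dict) -> KeystoneUser:
    """Build the local user record from a validated set of Keystone claims."""
    affiliation, scope = split_scoped_affiliation(claims["eduPersonScopedAffiliation"])
    return KeystoneUser(
        persistent_id=persistent_identifier(claims),
        affiliation=affiliation,
        scope=scope,
        realm=claims["realmName"],
        error_url=claims.get("Issuer.errorURL"),
    )
```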
Common OpenID Connect claims
These are the common claims that OIDC typically uses. Most of them are not sent to you via Keystone by default because none of them have a direct equivalent in SAML that is always sent.
We include them here for anyone who has an existing OpenID Connect instance that is already talking to other providers, or is planning one, to help plan any attribute mappings.
The only one of these you can expect to always get from all providers is 'sub'.
| OIDC Claim | What it is | Example value | SAML equivalent (if any) |
|---|---|---|---|
| name | End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. | Professor Albus Percival Wulfric Brian Dumbledore | |
| given_name | Given name(s) or first name(s) of the End-User. In some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. | Albus | |
| family_name | Surname(s) or last name(s) of the End-User. In some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. | Dumbledore | |
| middle_name | Middle name(s) of the End-User. In some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. | Percival Wulfric Brian | |
| nickname | Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Bob might be returned alongside a given_name value of Robert. | Alby | |
| preferred_username | Shorthand name by which the End-User wishes to be referred to at the Relying Party, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. Unlikely to be unique. | D-wiz | |
| profile | URL of the End-User's profile page. | http://staff.hogwarts.sch.uk/headmaster | |
| picture | URL of the End-User's profile picture. | | |
| website | URL of the End-User's Web page or blog. Might be that of their organisation. | http://www.hogwarts.sch.uk | |
| email | End-User's preferred e-mail address. May be firstname.lastname@example.org | | |
| gender | End-User's gender. Could be any string. | dude | |
| birthdate | End-User's birthday, represented in ISO 8601:2004 YYYY-MM-DD format. | 1881-04-12 | |
| zoneinfo | String from the zoneinfo time zone database representing the End-User's time zone. | Europe/London | |
| locale | End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 language code in lowercase and an ISO 3166-1 Alpha-2 country code in uppercase, separated by a dash. | en-UK | |
| phone_number | End-User's preferred telephone number. | +44 (0) 1464 96787 | |
| address | End-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure. | Hogwarts School of Witchcraft and Wizardry, | |
| updated_at | Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z. | | |