Common OpenID Connect Claims

What would I get by default from OpenAthens Keystone?

The preconfigured rules will take care of many SAML attributes and Keystone will output several claims from a standard OpenAthens login:

  • sub - a non-persistent user identifier.
  • realmName - the SAML entityID of the end-user's organisation - e.g. 
  • Issuer.errorURL - where present, a URL a user can be sent to when you can't let them in because of something at their end. See: The errorURL attribute and what it is for
  • eduPersonScopedAffiliation - a scoped role - e.g. 
  • derivedEduPersonAffiliation - just the role part extracted from the claim above - e.g. member
  • derivedEduPersonScope - just the scope part, likewise - e.g. 
  • One or both of these identifiers, depending on the identity provider:
    • eduPersonTargetedID - a persistent user identifier, being deprecated in many federations
    • pairwiseID - a persistent user identifier that is replacing eduPersonTargetedID

There may be more, depending on what the identity provider is sending, but these should always show up. 
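As an added example (not OpenAthens code), here is how a relying party might consume the default Keystone claims listed above: split eduPersonScopedAffiliation into the role and scope parts that the derived claims carry, key the local account on a persistent identifier (pairwiseID first, eduPersonTargetedID as fallback, never the non-persistent sub), and use Issuer.errorURL when the login cannot be accepted. The claim values are constructed sample data, not from a real login.

```python
from typing import Optional

# Constructed sample shaped like a Keystone ID token payload; the entityID,
# identifiers and scope are placeholders, not real values.
SAMPLE_CLAIMS = {
    "sub": "transient-7f3a",                          # non-persistent: never key on it
    "realmName": "https://idp.example.ac.uk/entity",  # placeholder SAML entityID
    "eduPersonScopedAffiliation": "member@example.ac.uk",
    "eduPersonTargetedID": "https://idp.example.ac.uk/entity!https://rp.example.org!abc123",
    "pairwiseID": "f47ac10b-58cc-4372-a567-0e02b2c3d479@example.ac.uk",
    "Issuer.errorURL": "https://idp.example.ac.uk/help",
}


def split_scoped_affiliation(value: str) -> tuple:
    """Split 'role@scope' into (role, scope), as the derived claims do."""
    role, sep, scope = value.partition("@")
    if not sep or not role or not scope:
        raise ValueError(f"not a scoped affiliation: {value!r}")
    return role, scope


def persistent_user_key(claims: dict) -> Optional[str]:
    """Identifier to key a local account on. pairwiseID is preferred because
    eduPersonTargetedID is being deprecated; 'sub' is deliberately excluded
    because Keystone's sub is non-persistent."""
    for name in ("pairwiseID", "eduPersonTargetedID"):
        if claims.get(name):
            return f"{name}:{claims[name]}"
    return None


def normalise(claims: dict) -> dict:
    """Build the record a relying party would store from a Keystone login."""
    role, scope = split_scoped_affiliation(claims["eduPersonScopedAffiliation"])
    return {
        "organisation": claims["realmName"],
        "affiliation": claims.get("derivedEduPersonAffiliation", role),
        "scope": claims.get("derivedEduPersonScope", scope),
        "user_key": persistent_user_key(claims),
    }


def rejection_redirect(claims: dict) -> Optional[str]:
    """Where to send a user you cannot let in (no persistent identifier):
    Issuer.errorURL if the identity provider supplied one, else None."""
    if persistent_user_key(claims) is None:
        return claims.get("Issuer.errorURL")
    return None
```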

These are the common claims that OIDC typically uses. Most of them are not sent to you via Keystone by default because none of them have a direct equivalent in SAML that is always sent.

We include them here for anyone who has an existing OpenID Connect instance that is already talking to other providers, or who is planning one, to help plan any attribute mappings.

The only one of these you can expect to always get from all providers is 'sub'.

| OIDC Claim | What it is | Example value | SAML equivalent (if any) |
|---|---|---|---|
| name | End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. | Professor Albus Percival Wulfric Brian Dumbledore | |
| given_name | Given name(s) or first name(s) of the End-User. In some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. | Albus | |
| family_name | Surname(s) or last name(s) of the End-User. In some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. | Dumbledore | |
| middle_name | Middle name(s) of the End-User. In some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. | Percival Wulfric Brian | |
| nickname | Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Bob might be returned alongside a given_name value of Robert. | Alby (rarely used) | |
| preferred_username | Shorthand name by which the End-User wishes to be referred to at the Relying Party, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. Unlikely to be unique. | D-wiz | |
| profile | URL of the End-User's profile page. | | |
| picture | URL of the End-User's profile picture. | | |
| website | URL of the End-User's Web page or blog. Might be that of their organisation. | | |
| email | End-User's preferred e-mail address. May be | | |
| gender | End-User's gender. Could be any string. | dude | |
| birthdate | End-User's birthday, represented in ISO 8601:2004 YYYY-MM-DD format. | 1881-04-12 | |
| zoneinfo | String from the zoneinfo time zone database representing the End-User's time zone. | Europe/London | |
| locale | End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 language code in lowercase and an ISO 3166-1 Alpha-2 country code in uppercase, separated by a dash. | en-UK | |
| phone_number | End-User's preferred telephone number. | +44 (0) 1464 96787 | |
| address | End-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure. | Hogwarts School of Witchcraft and Wizardry, | |
| updated_at | Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z. | | |