
Understanding SAML attributes - OIDC claims mapping, when using PhenixID Authentication Services as OP/SAML-SP bridge

This document describes how the mapping between SAML attributes and OIDC claims is made when PhenixID Authentication Services is used as an OpenID Connect Provider with a SAML SP as the authorization method (this is the result of adding a provider through Scenarios->OIDC->SAML Identity Provider).

Incoming SAML attributes to session properties

The incoming SAML attributes are added to the PhenixID Authentication Services session. Each session property takes the same name as the SAML attribute (the attribute name is used as-is, so firstName and LastName in the example below keep their case). The session user_id is set to the NameID value.


Example:

SAML Assertion extract:

    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.dole</saml2:NameID>
    .
    .
    .
    <saml2:AttributeStatement>
        <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">John</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Dole</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">john.dole@fictive.gov</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">sales_guy</saml2:AttributeValue>
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">market_man</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>


After the SAML response has been consumed, the PhenixID Authentication Services session contains these properties:

- user_id = john.dole

- firstName = John

- LastName = Dole

- mail = john.dole@fictive.gov

- roles = [sales_guy,market_man]
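The following Python example is added here to make the mapping above concrete; it is not PhenixID code and is not the product's SAML SP. It parses the assertion extract from this page (wrapped in a minimal saml2:Assertion root with the namespace declarations the extract relies on, constructed for this example) into the session dictionary described above: NameID becomes user_id, each Attribute becomes a property under its exact, case-sensitive Name, and an Attribute with several AttributeValue elements becomes a list. The parser deliberately does only the mapping; in a real deployment the SP has already validated the response (signature, issuer, audience, conditions) before any attribute is trusted enough to land in a session.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed sample: the assertion extract from this page, wrapped in a minimal
# saml2:Assertion root so that it parses as one complete XML document.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.dole</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xsi:type="xs:string">John</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xsi:type="xs:string">Dole</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xsi:type="xs:string">john.dole@fictive.gov</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xsi:type="xs:string">sales_guy</saml2:AttributeValue>
      <saml2:AttributeValue xsi:type="xs:string">market_man</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def session_from_assertion(xml_text):
    """Build the session dict the way this page describes it: NameID -> user_id,
    every Attribute -> a property under its exact (case-sensitive) Name,
    a single value as a string and a multi-valued attribute as a list."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID, so user_id cannot be set")
    session = {"user_id": name_id.text.strip()}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml2:AttributeValue", NS)]
        if not name or not values:
            continue  # nothing usable to map; do not create an empty property
        session[name] = values[0] if len(values) == 1 else values
    return session


def session_property_lines(session):
    """Render the session as the bullet list shown on this page after consumption."""
    lines = []
    for key, value in session.items():
        shown = "[" + ",".join(value) + "]" if isinstance(value, list) else value
        lines.append(f"{key} = {shown}")
    return lines


if __name__ == "__main__":
    for line in session_property_lines(session_from_assertion(SAMPLE_ASSERTION)):
        print("-", line)
```

Running the block prints the same five properties the page lists, with roles rendered as a bracketed multi-value. Note that the property name is the attribute name verbatim: a flow that later expands {{session.lastname}} instead of {{session.LastName}} gets nothing, which is the usual cause of an empty family_name claim.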

Session properties to OIDC claims

id_token claims population

The id_token claims are populated by the GenerateJWTTokenValve in the execution flow of the OpenID Connect Provider. Claims are populated using session property expansion, based on the session properties created in the previous step.

(Session property expansion only works on single values. For multi-valued properties, such as roles in the example above, a supporting valve must be added to the flow before the JWT id_token is generated.)


In this example the JWT claims are populated from the session values shown above.

UserInfo claims population

When UserInfo (optional) has been added to the OpenID Connect Provider, the userinfo endpoint points to a pipe that adds claims to the response using PropertyAddValve.

This example pipe populates and returns the same claims as above.

{
    "id": "userinfo",
    "valves": [
        {
            "name": "ItemCreateValve",
            "config": {
                "dest_id": "userinfo_props"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "authorization",
                "value": "{{request.Authorization}}"
            }
        },
        {
            "name": "PropertyReplaceValve",
            "config": {
                "source": "authorization",
                "dest": "access_token",
                "token": "Bearer ",
                "replacement": ""
            }
        },
        {
            "name": "SessionResolveValve",
            "config": {
                "alias": "{{item.access_token}}",
                "require_session": "true",
                "require_auth_session": "false"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "sub",
                "value": "{{session.user_id}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "given_name",
                "value": "{{session.firstName}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "family_name",
                "value": "{{session.LastName}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "email",
                "value": "{{session.mail}}"
            }
        },
        {
            "name": "PropertyFromSessionToItem",
            "config": {
                "source": "roles"
            }
        },
        {
            "name": "PropertyRenameValve",
            "config": {
                "source": "roles",
                "dest": "role"
            }
        },
        {
            "name": "PropertyRemoveValve",
            "config": {
                "name": "access_token,authorization"
            }
        }
    ],
    "created": "2017-11-13T09:53:46.595Z"
}
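The following Python model is added here to walk a userinfo request through the pipe above valve by valve; it is not PhenixID code and does not reproduce the product's valve implementation. It uses a constructed session store keyed by a placeholder access_token, and the behaviour of each valve is an assumption derived from this page's descriptions: placeholder expansion works on single values only (so expanding {{session.roles}} is refused, which is why the pipe copies roles with PropertyFromSessionToItem and renames it to role instead), SessionResolveValve with require_session set to true rejects a token that resolves to no session, and the closing PropertyRemoveValve keeps access_token and authorization out of the returned claims. The model also covers the id_token note above, since the same single-value expansion rule applies there.

```python
import re

# Constructed session store: the session the SAML step on this page leaves
# behind, keyed by the access_token the OP issued for it. The token value is a
# placeholder invented for this example.
SESSION_STORE = {
    "EXAMPLE-ACCESS-TOKEN": {
        "user_id": "john.dole",
        "firstName": "John",
        "LastName": "Dole",
        "mail": "john.dole@fictive.gov",
        "roles": ["sales_guy", "market_man"],
    }
}

# The page's userinfo pipe as (valve name, config) pairs, in the same order.
USERINFO_PIPE = [
    ("ItemCreateValve", {"dest_id": "userinfo_props"}),
    ("PropertyAddValve", {"name": "authorization", "value": "{{request.Authorization}}"}),
    ("PropertyReplaceValve", {"source": "authorization", "dest": "access_token",
                              "token": "Bearer ", "replacement": ""}),
    ("SessionResolveValve", {"alias": "{{item.access_token}}",
                             "require_session": "true", "require_auth_session": "false"}),
    ("PropertyAddValve", {"name": "sub", "value": "{{session.user_id}}"}),
    ("PropertyAddValve", {"name": "given_name", "value": "{{session.firstName}}"}),
    ("PropertyAddValve", {"name": "family_name", "value": "{{session.LastName}}"}),
    ("PropertyAddValve", {"name": "email", "value": "{{session.mail}}"}),
    ("PropertyFromSessionToItem", {"source": "roles"}),
    ("PropertyRenameValve", {"source": "roles", "dest": "role"}),
    ("PropertyRemoveValve", {"name": "access_token,authorization"}),
]

PLACEHOLDER = re.compile(r"\{\{(request|item|session)\.([A-Za-z_][A-Za-z0-9_]*)\}\}")


def expand(template, ctx):
    """Property expansion as this page describes it: single values only.
    Assumptions of this model: an unknown property expands to an empty string,
    and a multi-valued property is an error rather than a silently joined string."""
    def repl(match):
        scope, key = match.groups()
        value = ctx[scope].get(key)
        if isinstance(value, list):
            raise ValueError(f"{scope}.{key} is multi-valued; expansion only supports single values")
        return "" if value is None else str(value)
    return PLACEHOLDER.sub(repl, template)


def run_pipe(pipe, request, store):
    """Run the valves in order over a request, with assumed semantics per valve."""
    ctx = {"request": request, "item": {}, "session": {}}
    for valve, cfg in pipe:
        item = ctx["item"]
        if valve == "ItemCreateValve":
            ctx["item"] = {}  # fresh item that the following valves write into
        elif valve == "PropertyAddValve":
            item[cfg["name"]] = expand(cfg["value"], ctx)
        elif valve == "PropertyReplaceValve":
            item[cfg["dest"]] = item[cfg["source"]].replace(cfg["token"], cfg["replacement"])
        elif valve == "SessionResolveValve":
            session = store.get(expand(cfg["alias"], ctx))
            if session is None and cfg.get("require_session") == "true":
                raise PermissionError("access_token does not resolve to a session")
            ctx["session"] = session or {}
        elif valve == "PropertyFromSessionToItem":
            item[cfg["source"]] = ctx["session"][cfg["source"]]  # list copied intact
        elif valve == "PropertyRenameValve":
            item[cfg["dest"]] = item.pop(cfg["source"])
        elif valve == "PropertyRemoveValve":
            for key in cfg["name"].split(","):
                item.pop(key.strip(), None)
        else:
            raise NotImplementedError(f"valve {valve} is not modelled here")
    return ctx["item"]


def userinfo(authorization_header, store=SESSION_STORE):
    """Answer a userinfo request that carries the given Authorization header."""
    return run_pipe(USERINFO_PIPE, {"Authorization": authorization_header}, store)


if __name__ == "__main__":
    print(userinfo("Bearer EXAMPLE-ACCESS-TOKEN"))
```

With the placeholder token the model returns sub, given_name, family_name, email and a multi-valued role, and nothing else: the bearer token and raw Authorization header are removed before the item is returned, so they never show up in the JSON body. An unknown token stops at SessionResolveValve, so no claims are produced from a half-built item; that is the behaviour to expect from require_session being true.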