Scopes and Claims

The OIDC service is limited to edu-ID-only configurations. It essentially provides data from the personal part of an edu-ID. Optionally, affiliation data is available through the extended attribute model.

SWITCH edu-ID currently does not support access to individual claims. The following scopes can be used by relying parties.

Scope openid

The openid scope is used for the standardized ID Token, according to Section 2 of the OIDC specification.

Special remarks:

  • sub
    The claim sub (subject) is a pairwise-id and therefore a unique value per user and service. edu-ID offers pairwise-ids for a whole group of services, called a sector. Multiple RPs with the same sector will get the same subject for each user. All RPs that are prohibited from requesting the swissEduPersonUniqueID claim from the swissEduIDBase scope are recommended to use the subject as their main identifier. The value of sub is a base32-encoded hash value and must therefore be compared case-insensitively.
  • nonce
    edu-ID supports nonces to mitigate replay attacks, and sending one is required for public clients. The OP (IdP) refuses to serve any public clients that do not send a nonce in their Authentication Request.
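
One way an RP can apply the two remarks above, as an added example that is not part of the edu-ID documentation or SWITCH code. It assumes the ID token's signature, iss, aud and exp were already validated by an OIDC library; AccountStore, the function names and the sample sub values are hypothetical.

```python
import hmac
import secrets

# Assumption: signature, iss, aud and exp of the ID token were already validated.


def new_nonce() -> str:
    """Per-request nonce; keep it in the user's session and send it in the Authentication Request."""
    return secrets.token_urlsafe(32)


def canonical_sub(sub) -> str:
    """sub is a base32-encoded hash: fold case once, then store and compare only this form."""
    if not isinstance(sub, str) or not sub:
        raise ValueError("ID token has no usable sub claim")
    return sub.upper()


def check_nonce(claims: dict, expected: str) -> None:
    """Reject an ID token whose nonce is absent or differs from the one this session sent."""
    got = claims.get("nonce")
    if not expected or not isinstance(got, str):
        raise ValueError("nonce missing")
    if not hmac.compare_digest(got.encode(), expected.encode()):
        raise ValueError("nonce mismatch, possible replayed ID token")


class AccountStore:
    """Hypothetical in-memory account table keyed by the canonical subject."""

    def __init__(self):
        self._by_sub = {}

    def login(self, claims: dict, expected_nonce: str) -> dict:
        check_nonce(claims, expected_nonce)
        key = canonical_sub(claims.get("sub"))
        account = self._by_sub.setdefault(key, {"sub": key, "logins": 0})
        account["logins"] += 1
        return account


if __name__ == "__main__":
    store = AccountStore()
    # Constructed claims: the same subject in two different letter cases.
    for sub in ("MFRGGZDFMZTWQ2LK", "mfrggzdfmztwq2lk"):
        nonce = new_nonce()
        print(store.login({"sub": sub, "nonce": nonce}, nonce))
```

Without the case fold, the second login would create a duplicate account for the same user.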

Scope profile

The profile scope requests access to the following claims:

The claims given_name, family_name, and name are string values and correspond to the SAML attributes givenName, surname, and displayName.

Scope email

The email scope requests access to the following claims:

  • email (spec)
  • email_verified

The claim email contains the primary email address of the edu-ID account. Since our registration process requires users to verify that email address, the value of email_verified will always contain the boolean value true. This does not, however, imply that the address still exists, as we do not reverify it after it has been set as the primary email address. Furthermore, the primary email address is the contact address as defined by the account owner and may therefore change over time.

Scope swissEduIDBase

The swissEduIDBase scope requests access to the following claims:

Please refer to the previous scopes for an explanation of these claims except for swissEduPersonUniqueID. This claim is based on the SAML swissEduPersonUniqueID and provides a unique identifier for each edu-ID account. This swissEduPersonUniqueID identifier is bound to the SWITCH edu-ID base identity and ends with (or in the test environment). It is not related to the swissEduPersonUniqueID identifiers provided by the organisations in current affiliations.

Scope swissEduIDExtended

The swissEduIDExtended scope requests access to the following claims:

  • swissEduIDAssociatedMail
    The claim swissEduIDAssociatedMail contains all currently associated email addresses of the user. The addresses were added either by the user as an additional email address in the UI or by linking an affiliation.
  • swissEduIDLinkedAffiliation
    The claim swissEduIDLinkedAffiliation contains all eduPersonScopedAffiliation values of all linked current affiliations.
  • swissEduIDLinkedAffiliationMail
    The claim swissEduIDLinkedAffiliationMail contains all email addresses of all linked current affiliations.
  • swissEduIDLinkedAffiliationUniqueID
    The claim swissEduIDLinkedAffiliationUniqueID contains all swissEduPersonUniqueID values of all linked current affiliations.

All these claims are JSON arrays of strings and are part of the extended attribute model.

Scope swissEduIDGroups

The swissEduIDGroups scope requests access to the following claims:

  • eduPersonEntitlement (spec)

Scope offline_access (Refresh Token)

Clients that are configured for the scope offline_access receive a refresh token (OIDC Spec). The refresh token is particularly useful for personal mobile clients, to prevent a user from having to re-authenticate every day.

Refresh token properties:

  • refresh token lifetime: 30 days
  • the successful validation of the refresh token results in a successful token response including an id_token.
  • the use of a refresh token is made transparent to the user. After authentication the consent screen contains the text:
    "If you accept, this app is allowed to retrieve identity data without further login for 30 days."
    A user may reject the consent and thus abort the login flow.

Clients that make use of refresh tokens should add an option to revoke them.

Claim swissEduID

The usage of this claim is restricted to RPs in direct connection with organizational identity management systems.

Reference: 5.5. Requesting Claims using the 'claims' Request Parameter.

Claim acr

See Development and Testing