Email Verification Status Discrepancy between SAML and OIDC

[NicolasLiampotis]

Description

In OIDC , the email claim includes the preferred email address of the subject, accompanied by the email_verified claim indicating the verification status (boolean). However, in SAML, the inetOrgPerson mail attribute defined in RFC4524 is multi-valued and lacks an explicit indication of verification status.

One of the challenges identified in AARC-G056, is the discrepancy in how email verification status is conveyed between SAML and OIDC:

• OIDC: Uses a single-valued email claim with a boolean email_verified claim.
• SAML: Typically employs the inetOrgPerson multi-valued mail attribute without a verification status indicator. The voPerson schema v2.0 defined the voPersonVerifiedEmail as an email address of the same definition as the inetOrgPerson mail attribute, with the additional characteristic that the address has been verified as being controlled by the subject of the record.

Related Standards

• OIDC: OpenID Connect Core 1.0
• SAML: RFC4524 inetOrgPerson mail attribute and voPerson schema v2.0: voPersonVerifiedEmail

We need to define how email verification status can be uniformly expressed across SAML and OIDC within the AARC profile. Consider implications for attribute release policies and privacy concerns

Related Issues

• 5