In OIDC, the `email` claim carries the subject's preferred email address, accompanied by the `email_verified` claim, a boolean indicating whether that address has been verified. In SAML, by contrast, the inetOrgPerson `mail` attribute defined in RFC4524 is multi-valued and carries no explicit indication of verification status.

One of the challenges identified in AARC-G056 is this discrepancy in how email verification status is conveyed between SAML and OIDC:

- OIDC: uses a single-valued `email` claim together with a boolean `email_verified` claim.
- SAML: typically employs the multi-valued inetOrgPerson `mail` attribute, which has no verification status indicator. The voPerson schema v2.0 defines `voPersonVerifiedEmail` as an email address with the same definition as the inetOrgPerson `mail` attribute, with the additional characteristic that the address has been verified as being controlled by the subject of the record.

Related Standards

- OIDC: OpenID Connect Core 1.0
- SAML: RFC4524 inetOrgPerson `mail` attribute and voPerson schema v2.0 `voPersonVerifiedEmail`

We need to define how email verification status can be uniformly expressed across SAML and OIDC within the AARC profile.

Consider the implications for attribute release policies and privacy concerns.
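To make the discrepancy concrete, the following Python example normalises both representations into one internal form: a list of addresses, each with an explicit verified flag. It is an added illustration, not code from the AARC issue, AARC-G056, or the voPerson project. It assumes one possible mapping rule (a SAML address counts as verified only if it also appears in `voPersonVerifiedEmail`; an absent or non-boolean `email_verified` claim counts as unverified), uses the literal name `voPersonVerifiedEmail` as a placeholder for the SAML attribute `Name` (deployments normally use the attribute's OID form, which the issue does not give), and the assertion fragment and ID token claims are constructed sample input.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# inetOrgPerson mail (RFC 4524) in the OID attribute-name form used by SAML deployments.
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"
# Placeholder attribute name for voPersonVerifiedEmail (assumption; real deployments
# use the OID-form Name, which is not given in the issue text).
VERIFIED_EMAIL_NAME = "voPersonVerifiedEmail"


@dataclass(frozen=True)
class EmailRecord:
    address: str
    verified: bool


def emails_from_oidc(claims: dict) -> list[EmailRecord]:
    """OIDC Core: single 'email' claim plus boolean 'email_verified'.

    An absent or non-boolean email_verified (e.g. the string "true") is treated
    as unverified, so a sloppy OP cannot be read as asserting verification.
    """
    address = claims.get("email")
    if not address:
        return []
    verified = claims.get("email_verified")
    if not isinstance(verified, bool):
        verified = False
    return [EmailRecord(address.strip().lower(), verified)]


def emails_from_saml(attribute_statement_xml: str) -> list[EmailRecord]:
    """SAML: multi-valued inetOrgPerson mail, plus voPersonVerifiedEmail.

    Mapping rule (assumption): an address is verified iff it is listed in
    voPersonVerifiedEmail. Addresses present only there are still returned,
    since the schema defines them as mail-type addresses.
    """
    root = ET.fromstring(attribute_statement_xml)
    mail_values: list[str] = []
    verified_values: list[str] = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        friendly = attr.get("FriendlyName", "")
        values = [
            v.text.strip().lower()
            for v in attr.iterfind("saml:AttributeValue", SAML_NS)
            if v.text and v.text.strip()
        ]
        if name == MAIL_OID or friendly == "mail":
            mail_values.extend(values)
        elif VERIFIED_EMAIL_NAME in (name, friendly):
            verified_values.extend(values)

    verified_set = set(verified_values)
    records: list[EmailRecord] = []
    seen: set[str] = set()
    for addr in mail_values + verified_values:  # mail order first, then verified-only
        if addr in seen:
            continue
        seen.add(addr)
        records.append(EmailRecord(addr, addr in verified_set))
    return records


def first_verified(records: list[EmailRecord]) -> str | None:
    """What a relying party that requires a verified address would consume."""
    for rec in records:
        if rec.verified:
            return rec.address
    return None


# Constructed sample input: a SAML AttributeStatement with two mail values,
# only one of which the IdP also asserts as verified.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
    <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    <saml:AttributeValue>Alice.Old@example.net</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="voPersonVerifiedEmail">
    <saml:AttributeValue>alice@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed sample input: the claims an OP might put in an ID token / UserInfo.
SAMPLE_OIDC_CLAIMS = {"sub": "alice", "email": "alice@example.org", "email_verified": True}

if __name__ == "__main__":
    print(emails_from_saml(SAMPLE_ATTRIBUTE_STATEMENT))
    print(emails_from_oidc(SAMPLE_OIDC_CLAIMS))
```

Both parsers feed the same `EmailRecord` shape, so release-policy and consent logic downstream can decide on "verified" without knowing which protocol delivered the attribute; the strict boolean check on `email_verified` and the case-folding of SAML values are where a lax implementation would otherwise mis-grant a verified status.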