...
Related specifications:

- OAuth 2.0 Dynamic Client Registration protocol: https://tools.ietf.org/html/rfc7591
- OIDC Dynamic Client Registration: https://openid.net/specs/openid-connect-registration-1_0.html
- OIDC session management spec: https://openid.net/specs/openid-connect-session-1_0.html
- OIDC federation spec (draft): https://openid.net/specs/openid-connect-federation-1_0.html
- OIDC Front-Channel Logout 1.0 spec: https://openid.net/specs/openid-connect-frontchannel-1_0.html
- OIDC Back-Channel Logout 1.0 spec: https://openid.net/specs/openid-connect-backchannel-1_0.html
XML namespaces used in the table below:

- default (no prefix): `urn:oasis:names:tc:SAML:2.0:metadata`
- `saml:` `urn:oasis:names:tc:SAML:2.0:assertion`
- `mdui:` `urn:oasis:names:tc:SAML:metadata:ui`
- `ds:` `http://www.w3.org/2000/09/xmldsig#`
- `oidcmd:` `urn:mace:shibboleth:metadata:oidc:1.0`
...
| JSON claim | SAML metadata location | Notes |
|---|---|---|
| client_id | EntityDescriptor/@entityID | |
| client_secret | EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecret or EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecretKeyReference | Only one value per entity |
| redirect_uri | EntityDescriptor/SPSSODescriptor/AssertionConsumerService | Binding: |
| token_endpoint_auth_method, application_type, client_uri, software_id, software_version, sector_identifier_uri, id_token_signed_response_alg, id_token_encrypted_response_alg, id_token_encrypted_response_enc, userinfo_signed_response_alg, userinfo_encrypted_response_alg, userinfo_encrypted_response_enc, request_object_signing_alg, request_object_encryption_alg, request_object_encryption_enc, token_endpoint_auth_signing_alg, default_max_age, require_auth_time, initiate_login_uri, frontchannel_logout_session_required (v2.2), backchannel_logout_session_required (v2.2) | Like-named XML Attributes defined on: EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions | These are single-valued claims that map directly into XML Attributes in a metadata extension element. |
| grant_types, response_types, scopes | Like-named XML Attributes defined on: EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions | These are multiple-valued claims that map directly into XML Attributes in a metadata extension element. Multiple values are supplied using a space-delimited list. NOTE: Since OP 3.2, use the '+' sign to supply a response type value containing a space. For instance, the value "code code+id_token+token" in XML is translated into two OIDC response types: "code" and "code id_token token". |
| client_name | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:DisplayName | |
| logo_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:Logo | |
| contacts | EntityDescriptor/ContactPerson/EmailAddress | |
| organization_name | EntityDescriptor/Organization/OrganizationName | |
| tos_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:InformationURL | |
| policy_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:PrivacyStatementURL | |
| jwks_uri | EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:JwksUri | |
| jwks | EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:JwksData | The value is a Base64-encoded JSON string |
| subject_type | EntityDescriptor/SPSSODescriptor/NameIDFormat | One of: |
| default_acr_values | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:default_acr_value | Each value is defined in an extension element. |
| request_uris | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:request_uri | Each value is defined in an extension element. |
| post_logout_redirect_uris | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:post_logout_redirect_uri | Each value is defined in an extension element. |
| audience [1] | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/saml:Audience | Each value is defined in an extension element (the element itself is a standard SAML element imported from the Assertion schema). |
| frontchannel_logout_uri (v2.2) | EntityDescriptor/SPSSODescriptor/SingleLogoutService | Binding: |
| backchannel_logout_uri (v2.2) | EntityDescriptor/SPSSODescriptor/SingleLogoutService | Binding: |

[1] The "audience" claim is not drawn from any standard, but is an extension supported by Shibboleth to control/validate the "resource" parameter used in various OAuth protocol extensions, particularly in the client_credentials grant flow.

(v2.2) Support was added in net.shibboleth.oidc.common v2.2.0.
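To make the mapping in the table concrete, here is an added example (not Shibboleth's own code) that reads an RP EntityDescriptor and produces the equivalent OIDC client-registration JSON following the rows above: attribute-valued claims on oidcmd:OAuthRPExtensions, space-delimited multi-valued claims with the '+' rule for response_types, one-element-per-value children such as saml:Audience, the mdui:UIInfo fields, the Base64 JSON in oidcmd:JwksData, and the one-secret-per-entity rule. The sample EntityDescriptor is constructed for this example; the integer/boolean coercion of default_max_age and the *_required claims follows RFC 7591 types and is this example's choice, the redirect URIs are emitted under the RFC 7591 name redirect_uris, and the Binding constraint on AssertionConsumerService and the subject_type mapping are not reproduced because their values are not on this page.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Namespace prefixes exactly as listed on the page.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "oidcmd": "urn:mace:shibboleth:metadata:oidc:1.0",
}
# Claims that map one-to-one onto like-named attributes of oidcmd:OAuthRPExtensions.
SINGLE_VALUED = [
    "token_endpoint_auth_method", "application_type", "client_uri", "software_id",
    "software_version", "sector_identifier_uri", "id_token_signed_response_alg",
    "id_token_encrypted_response_alg", "id_token_encrypted_response_enc",
    "userinfo_signed_response_alg", "userinfo_encrypted_response_alg",
    "userinfo_encrypted_response_enc", "request_object_signing_alg",
    "request_object_encryption_alg", "request_object_encryption_enc",
    "token_endpoint_auth_signing_alg", "default_max_age", "require_auth_time",
    "initiate_login_uri", "frontchannel_logout_session_required",
    "backchannel_logout_session_required",
]
MULTI_VALUED = ["grant_types", "response_types", "scopes"]  # space-delimited attributes
CHILD_ELEMENTS = {  # one child element per value, under oidcmd:OAuthRPExtensions
    "default_acr_values": "oidcmd:default_acr_value",
    "request_uris": "oidcmd:request_uri",
    "post_logout_redirect_uris": "oidcmd:post_logout_redirect_uri",
    "audience": "saml:Audience",
}
UI_ELEMENTS = {"client_name": "mdui:DisplayName", "logo_uri": "mdui:Logo",
               "tos_uri": "mdui:InformationURL", "policy_uri": "mdui:PrivacyStatementURL"}
# Type coercion is this example's choice (RFC 7591 types); the page only says "map directly".
INTEGER_CLAIMS = {"default_max_age"}
BOOLEAN_CLAIMS = {"require_auth_time", "frontchannel_logout_session_required",
                  "backchannel_logout_session_required"}


def coerce(claim, raw):
    if claim in INTEGER_CLAIMS:
        return int(raw)
    if claim in BOOLEAN_CLAIMS:
        return raw.strip().lower() == "true"
    return raw


def split_multi(claim, raw):
    values = raw.split()
    if claim == "response_types":
        # '+' stands in for the space inside a single response type (OP 3.2+ rule).
        values = [v.replace("+", " ") for v in values]
    return values


def texts(parent, path):
    return [e.text.strip() for e in parent.findall(path, NS) if e.text and e.text.strip()]


def entity_to_client_metadata(xml_text):
    root = ET.fromstring(xml_text)
    meta = {"client_id": root.get("entityID")}
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("EntityDescriptor has no SPSSODescriptor")
    ext = sp.find("md:Extensions/oidcmd:OAuthRPExtensions", NS)
    if ext is not None:
        for claim in SINGLE_VALUED:
            if claim in ext.attrib:
                meta[claim] = coerce(claim, ext.attrib[claim])
        for claim in MULTI_VALUED:
            if claim in ext.attrib:
                meta[claim] = split_multi(claim, ext.attrib[claim])
        for claim, path in CHILD_ELEMENTS.items():
            if texts(ext, path):
                meta[claim] = texts(ext, path)
    ui = sp.find("md:Extensions/mdui:UIInfo", NS)
    if ui is not None:
        for claim, path in UI_ELEMENTS.items():
            if texts(ui, path):
                meta[claim] = texts(ui, path)[0]
    secrets = texts(sp, "md:KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecret")
    if len(secrets) > 1:
        raise ValueError("only one client_secret is allowed per entity")
    if secrets:
        meta["client_secret"] = secrets[0]
    if texts(sp, "md:KeyDescriptor/ds:KeyInfo/oidcmd:JwksUri"):
        meta["jwks_uri"] = texts(sp, "md:KeyDescriptor/ds:KeyInfo/oidcmd:JwksUri")[0]
    jwks_data = texts(sp, "md:KeyDescriptor/ds:KeyInfo/oidcmd:JwksData")
    if jwks_data:
        meta["jwks"] = json.loads(base64.b64decode(jwks_data[0]))  # Base64-encoded JSON
    # Binding on AssertionConsumerService is constrained by the page but not reproduced here.
    locs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)]
    if any(locs):
        meta["redirect_uris"] = [l for l in locs if l]
    if texts(root, "md:ContactPerson/md:EmailAddress"):
        meta["contacts"] = texts(root, "md:ContactPerson/md:EmailAddress")
    if texts(root, "md:Organization/md:OrganizationName"):
        meta["organization_name"] = texts(root, "md:Organization/md:OrganizationName")[0]
    return meta


# Constructed sample entity (not from the page); @JWKS@ is filled with a Base64 JWK Set.
JWKS_B64 = base64.b64encode(json.dumps({"keys": []}).encode()).decode()
SAMPLE_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
    entityID="https://rp.example.org/client">
  <SPSSODescriptor>
    <Extensions>
      <oidcmd:OAuthRPExtensions token_endpoint_auth_method="client_secret_basic" application_type="web"
          default_max_age="3600" require_auth_time="true" grant_types="authorization_code refresh_token"
          response_types="code code+id_token+token" scopes="openid profile email">
        <oidcmd:post_logout_redirect_uri>https://rp.example.org/bye</oidcmd:post_logout_redirect_uri>
        <saml:Audience>https://api.example.org/</saml:Audience>
      </oidcmd:OAuthRPExtensions>
      <mdui:UIInfo><mdui:DisplayName xml:lang="en">Example RP</mdui:DisplayName></mdui:UIInfo>
    </Extensions>
    <KeyDescriptor><ds:KeyInfo><oidcmd:ClientSecret>constructed-secret</oidcmd:ClientSecret></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><oidcmd:JwksData>@JWKS@</oidcmd:JwksData></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService index="1" Location="https://rp.example.org/cb"/>
  </SPSSODescriptor>
  <Organization><OrganizationName xml:lang="en">Example Org</OrganizationName></Organization>
  <ContactPerson contactType="technical"><EmailAddress>admin@example.org</EmailAddress></ContactPerson>
</EntityDescriptor>""".replace("@JWKS@", JWKS_B64)

if __name__ == "__main__":
    print(json.dumps(entity_to_client_metadata(SAMPLE_XML), indent=2))
```

Running the module prints the registration document for the constructed entity; the response_types row shows the '+' rule producing `"code"` and `"code id_token token"`, and a second oidcmd:ClientSecret in the same entity is rejected rather than silently picked.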