How OpenID Connect Claims Map to other Specifications
This is a non-normative paper that lists the attributes/claims used in Swedish eID systems and states how they map to OpenID Connect claims (defined in our specification or elsewhere).
1. Sweden Connect SAML Specifications
The following table defines a mapping from the SAML attribute names defined in "Attribute Specification for the Swedish eID Framework", [SC.AttrSpec], to their corresponding attribute/claim.
Description | SAML attribute name and abbreviation | Claim | Defined in | Comment |
---|---|---|---|---|
Surname | urn:oid:2.5.4.4 (sn) | family_name | [OpenID.Core] | |
Given name | urn:oid:2.5.4.42 (givenName) | given_name | [OpenID.Core] | |
Display (full) name | urn:oid:2.16.840.1.113730.3.1.241 (displayName) | name | [OpenID.Core] | |
Gender | urn:oid:1.3.6.1.5.5.7.9.3 (gender) | gender | [OpenID.Core] | [OpenID.Core] defines the possible values to be female and male. [SC.AttrSpec] defines the possible values to be M/m, F/f and U/u (for unspecified). |
Swedish personal number | urn:oid:1.2.752.29.4.13 (personalIdentityNumber) | https://id.oidc.se/claim/personalIdentityNumber | [OIDC.Sweden] | [SC.AttrSpec] also uses the same attribute for a Swedish coordination number. [OIDC.Sweden] defines a separate claim for that case, https://id.oidc.se/claim/coordinationNumber. |
Previous personal identity number | urn:oid:1.2.752.201.3.15 (previousPersonalIdentityNumber) | https://id.oidc.se/claim/previousCoordinationNumber | [OIDC.Sweden] | The OIDC profile only handles coordination numbers. |
Date of birth | urn:oid:1.3.6.1.5.5.7.9.1 (dateOfBirth) | birthdate | [OpenID.Core] | The format (YYYY-MM-DD) is the same for both the dateOfBirth SAML attribute and the birthdate claim. |
Name at the time of birth | urn:oid:1.2.752.201.3.8 (birthName) | birth_family_name, birth_given_name, birth_middle_name | [OIDC.IA] | |
Street address | urn:oid:2.5.4.9 (street) | address.street_address | [OpenID.Core] | Field of the address claim. |
Post office box | urn:oid:2.5.4.18 (postOfficeBox) | address.street_address | [OpenID.Core] | Field of the address claim. The street_address MAY include house number, street name, Post Office Box, and multi-line extended street address information. |
Postal code | urn:oid:2.5.4.17 (postalCode) | address.postal_code | [OpenID.Core] | Field of the address claim. |
Locality | urn:oid:2.5.4.7 (l) | address.locality | [OpenID.Core] | Field of the address claim. |
Country | urn:oid:2.5.4.6 (c) | address.country | [OpenID.Core] | Depends on the context in which the country is to be represented. |
Place of birth | urn:oid:1.3.6.1.5.5.7.9.2 (placeOfBirth) | place_of_birth | [OIDC.IA] | |
Country of citizenship | urn:oid:1.3.6.1.5.5.7.9.4 (countryOfCitizenship) | - | - | No mapping exists at this moment. |
Country of residence | urn:oid:1.3.6.1.5.5.7.9.5 (countryOfResidence) | - | - | No mapping exists at this moment. |
Telephone number | urn:oid:2.5.4.20 (telephoneNumber) | phone_number | [OpenID.Core] | See also phone_number_verified. |
Mobile number | urn:oid:0.9.2342.19200300.100.1.41 (mobile) | phone_number, msisdn | [OpenID.Core], [OIDC.IA] | |
E-mail address | urn:oid:0.9.2342.19200300.100.1.3 (mail) | email | [OpenID.Core] | See also email_verified. |
Organization name | urn:oid:2.5.4.10 (o) | https://id.oidc.se/claim/orgName | [OIDC.Sweden] | |
Organizational unit name | urn:oid:2.5.4.11 (ou) | https://id.oidc.se/claim/orgUnit | [OIDC.Sweden] | |
Organizational identifier code | urn:oid:2.5.4.97 (organizationIdentifier) | https://id.oidc.se/claim/orgNumber | [OIDC.Sweden] | |
Organizational affiliation | urn:oid:1.2.752.201.3.1 (orgAffiliation) | https://id.oidc.se/claim/orgAffiliation | [OIDC.Sweden] | |
Transaction identifier | urn:oid:1.2.752.201.3.2 (transactionIdentifier) | txn | [RFC8417] | |
Authentication context parameters | urn:oid:1.2.752.201.3.3 (authContextParams) | - | - | This attribute will not be represented as a claim. However, some of the data normally put in this attribute are now claims of their own (credentialValidFrom, ...). |
User certificate | urn:oid:1.2.752.201.3.10 (userCertificate) | https://id.oidc.se/claim/userCertificate | [OIDC.Sweden] | |
User signature | urn:oid:1.2.752.201.3.11 (userSignature) | https://id.oidc.se/claim/userSignature | [OIDC.Sweden] | |
Authentication server signature | urn:oid:1.2.752.201.3.13 (authServerSignature) | https://id.oidc.se/claim/authnEvidence | [OIDC.Sweden] | |
Signature activation data | urn:oid:1.2.752.201.3.12 (sad) | - | - | No mapping exists. Will have to be handled in Sweden Connect's OpenID Connect profiles. |
Sign message digest | urn:oid:1.2.752.201.3.14 (signMessageDigest) | - | - | No mapping exists. Will have to be handled in Sweden Connect's OpenID Connect profiles. |
Provisional identifier | urn:oid:1.2.752.201.3.4 (prid) | - | - | eIDAS specific. Will have to be handled in Sweden Connect's OpenID Connect profiles. |
Provisional identifier persistence indicator | urn:oid:1.2.752.201.3.5 (pridPersistence) | - | - | eIDAS specific. Will have to be handled in Sweden Connect's OpenID Connect profiles. |
Personal number binding URI | urn:oid:1.2.752.201.3.6 (personalIdentityNumberBinding) | - | - | eIDAS specific. Will have to be handled in Sweden Connect's OpenID Connect profiles. |
eIDAS uniqueness identifier | urn:oid:1.2.752.201.3.7 (eidasPersonIdentifier) | - | - | eIDAS specific. Will have to be handled in Sweden Connect's OpenID Connect profiles. |
eIDAS natural person address | urn:oid:1.2.752.201.3.9 (eidasNaturalPersonAddress) | address | [OpenID.Core] | Mapping of the eIDAS CurrentAddress attribute. |
HSA-ID | urn:oid:1.2.752.29.6.2.1 (employeeHsaId) | - | - | Sector-specific attribute. Should be defined elsewhere. |
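The table above is not a pure rename: the gender codes differ between the two specifications, several SAML attributes fold into one structured address claim, and one SAML attribute carries both personal and coordination numbers while the OIDC profile has a claim for each. The following mapper is an added illustration of those rules, not code from Sweden Connect or the OIDC Sweden profile. It assumes a SAML attribute set delivered as `{oid: [values]}`, uses constructed sample values, and relies on one rule the page does not state (labelled in the code): a 12-digit Swedish number whose day field is 61 to 91 is a coordination number. Anything the table leaves unmapped, or that fails a format check, is reported instead of being dropped silently, and the `*_verified` claims are never set just because an attribute was present.

```python
from __future__ import annotations
import re

# OID -> claim for the attributes in the table that map one-to-one.
ONE_TO_ONE = {
    "urn:oid:2.5.4.4": "family_name",
    "urn:oid:2.5.4.42": "given_name",
    "urn:oid:2.16.840.1.113730.3.1.241": "name",
    "urn:oid:1.3.6.1.5.5.7.9.1": "birthdate",
    "urn:oid:1.3.6.1.5.5.7.9.2": "place_of_birth",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "urn:oid:2.5.4.20": "phone_number",
    "urn:oid:2.5.4.10": "https://id.oidc.se/claim/orgName",
    "urn:oid:2.5.4.11": "https://id.oidc.se/claim/orgUnit",
    "urn:oid:2.5.4.97": "https://id.oidc.se/claim/orgNumber",
    "urn:oid:1.2.752.201.3.1": "https://id.oidc.se/claim/orgAffiliation",
    "urn:oid:1.2.752.201.3.2": "txn",
}
# Parts of the structured "address" claim that arrive as separate SAML attributes.
ADDRESS_PART = {"urn:oid:2.5.4.17": "postal_code", "urn:oid:2.5.4.7": "locality", "urn:oid:2.5.4.6": "country"}
STREET_OID, PO_BOX_OID = "urn:oid:2.5.4.9", "urn:oid:2.5.4.18"
GENDER_OID, PNR_OID = "urn:oid:1.3.6.1.5.5.7.9.3", "urn:oid:1.2.752.29.4.13"
MOBILE_OID = "urn:oid:0.9.2342.19200300.100.1.41"
# SC.AttrSpec codes -> OpenID.Core values; "U" (unspecified) has no Core counterpart.
GENDER = {"m": "male", "f": "female"}
BIRTHDATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def is_coordination_number(number: str) -> bool:
    """Assumption, not stated on the page: a 12-digit YYYYMMDDNNNN number whose
    day field is 61..91 (day + 60) is a coordination number, not a personal one."""
    return len(number) == 12 and number.isdigit() and 61 <= int(number[6:8]) <= 91


def saml_to_claims(attrs: dict[str, list[str]]) -> tuple[dict, list[str]]:
    """Map a SAML attribute set {oid: [values]} to OIDC claims.

    Returns (claims, unmapped). An OID the table does not map, or whose value
    fails a format check, is listed in `unmapped` so nothing is lost silently.
    """
    claims: dict = {}
    unmapped: list[str] = []
    address: dict = {}
    street, po_box = None, None
    for oid, values in attrs.items():
        if not values:
            continue
        value = values[0]  # the attributes handled here carry a single value
        if oid in ONE_TO_ONE:
            claim = ONE_TO_ONE[oid]
            if claim == "birthdate" and not BIRTHDATE.match(value):
                unmapped.append(oid)  # not YYYY-MM-DD: withhold rather than assert a bad date
                continue
            claims[claim] = value
        elif oid == GENDER_OID:
            mapped = GENDER.get(value.lower())
            if mapped is None:
                unmapped.append(oid)  # "U": omit the claim instead of guessing
            else:
                claims["gender"] = mapped
        elif oid == PNR_OID:
            # One SAML attribute carries both number kinds; OIDC.Sweden has a claim for each.
            kind = "coordinationNumber" if is_coordination_number(value) else "personalIdentityNumber"
            claims[f"https://id.oidc.se/claim/{kind}"] = value
        elif oid == STREET_OID:
            street = value
        elif oid == PO_BOX_OID:
            po_box = value
        elif oid in ADDRESS_PART:
            address[ADDRESS_PART[oid]] = value
        elif oid == MOBILE_OID:
            claims.setdefault("phone_number", value)  # telephoneNumber, if present, wins
            claims["msisdn"] = value
        else:
            unmapped.append(oid)
    lines = [part for part in (street, po_box) if part]
    if lines:
        address["street_address"] = "\n".join(lines)  # Core allows a multi-line street_address
    if address:
        claims["address"] = address
    # Attribute presence says nothing about verification, so email_verified and
    # phone_number_verified are deliberately never set by this mapper.
    return claims, unmapped


# Constructed sample attribute set for one user (not real data).
SAMPLE_ATTRS = {
    "urn:oid:2.5.4.42": ["Anna"],
    "urn:oid:2.5.4.4": ["Svensson"],
    "urn:oid:1.3.6.1.5.5.7.9.3": ["F"],
    "urn:oid:1.2.752.29.4.13": ["198001019876"],
    "urn:oid:1.3.6.1.5.5.7.9.1": ["1980-01-01"],
    "urn:oid:2.5.4.9": ["Storgatan 1"],
    "urn:oid:2.5.4.18": ["Box 12"],
    "urn:oid:2.5.4.17": ["11122"],
    "urn:oid:2.5.4.7": ["Stockholm"],
    "urn:oid:2.5.4.6": ["SE"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["anna@example.com"],
    "urn:oid:1.2.752.29.6.2.1": ["constructed-hsa-id"],  # employeeHsaId: no mapping in the table
}

if __name__ == "__main__":
    import json
    mapped, withheld = saml_to_claims(SAMPLE_ATTRS)
    print(json.dumps(mapped, indent=2, ensure_ascii=False))
    print("unmapped:", withheld)
```

Run as a script it prints the claims for the sample and the single withheld OID (the HSA-ID). The point of returning `unmapped` rather than logging it is that a bridge between two identity specifications should make visible what it could not express; a coordination number silently emitted as a personal identity number, or a "U" gender turned into a guess, is an identity-binding error the relying party cannot detect afterwards.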
2. BankID
The following table defines a mapping from the attribute names defined in "BankID Relying Party Guidelines", [BankID.API], to their corresponding attribute/claim.
Description | BankID attribute | Claim | Defined in | Comment |
---|---|---|---|---|
Swedish personal number | user.personalNumber | https://id.oidc.se/claim/personalIdentityNumber | [OIDC.Sweden] | |
Display (full) name | user.name | name | [OpenID.Core] | |
Given name | user.givenName | given_name | [OpenID.Core] | May be more than one name (separated by blank). |
Surname | user.surname | family_name | [OpenID.Core] | May be more than one name (separated by blank). |
Device IP address | device.ipAddress | https://id.oidc.se/claim/deviceIp | [OIDC.Sweden] | |
Certificate notBefore time | cert.notBefore | https://id.oidc.se/claim/credentialValidFrom | [OIDC.Sweden] | See also https://id.oidc.se/claim/userSignature. |
Certificate notAfter time | cert.notAfter | https://id.oidc.se/claim/credentialValidTo | [OIDC.Sweden] | See also https://id.oidc.se/claim/userSignature. |
The BankID signature | signature | https://id.oidc.se/claim/userSignature | [OIDC.Sweden] | |
BankID OCSP response | ocspResponse | https://id.oidc.se/claim/authnEvidence | [OIDC.Sweden] | |
3. Freja eID
The following table defines a mapping from the attribute names defined in "Freja eID Relying Party Developers' Documentation", [Freja.API], to their corresponding attribute/claim.
Description | Freja eID attribute | Claim | Defined in | Comment |
---|---|---|---|---|
Swedish personal number | ssnuserinfo.ssn | https://id.oidc.se/claim/personalIdentityNumber or https://id.oidc.se/claim/coordinationNumber | [OIDC.Sweden] | Freja's way of delivering the SSN attribute includes information about the country (ssnuserinfo.country=SE). |
Given name | basicUserInfo.name | given_name | [OpenID.Core] | TODO: Does Freja's basicUserInfo.name mean the given name or the full name? |
Surname | basicUserInfo.surname | family_name | [OpenID.Core] | May be more than one name (separated by blank). |
E-mail address (primary) | emailAddress | email | [OpenID.Core] | See also email_verified. |
All e-mail addresses | allEmailAddresses | TBD | - | TBD |
Date of birth | dateOfBirth | birthdate | [OpenID.Core] | The format (YYYY-MM-DD) is the same for both the dateOfBirth attribute and the birthdate claim. |
Country | addresses[0].country | address.country | [OpenID.Core] | Field of the address claim. |
City | addresses[0].city | address.locality | [OpenID.Core] | Field of the address claim. |
Postal code | addresses[0].postCode | address.postal_code | [OpenID.Core] | Field of the address claim. |
Street address(es) | addresses[0].address1, addresses[0].address2, addresses[0].address3 | address.street_address | [OpenID.Core] | Field of the address claim. The address.street_address MAY contain multiple lines, separated by newlines. |
Address valid from | addresses[0].validFrom | TBD | - | TBD |
Type of address | addresses[0].type | TBD | - | TBD |
Source of address information | addresses[0].sourceType | TBD | - | TBD |
4. References
[OIDC.Sweden] Claims and Scopes Specification for the Swedish OpenID Connect Profile.
[RFC8417] P. Hunt, M. Jones, W. Denniss, M. Ansari, "Security Event Token (SET)", RFC 8417, July 2018.
[SC.AttrSpec] Attribute Specification for the Swedish eID Framework, Version 1.6, 2020-01-17.