Overview
This page gives some examples of how attributes which are asserted by social identity providers (via both OAuth and OpenID) could be mapped to MACE-Dir/SAML attributes.
Examples
Caution
In most cases, it still needs to be verified whether the value for eduPersonTargetedID is unique for a given person and service.
Facebook Mappings
Facebook supports a proprietary SSO protocol built on top of OAuth.
| eduPerson Attribute | Facebook Attribute | Example Value | Notes |
|---|---|---|---|
| | | Lucas | |
| | | Rockwell | |
| | | Lucas Rockwell | See |
| | | Lucas Rockwell | Duplicate of |
| | | lr@lucasrockwell.com | |
| | | lucasrockwell | Can be blank, and a user can change this once for the lifetime of their account. |
| | | lucasrockwell@facebook.com | |
| | | *http://facebook.com!12...71* | |
Google Mappings
Google supports two standard SSO protocols: OpenID 2.0 and OpenID Connect. The latter is an emerging IETF standard profile of OAuth2.
OpenID 2.0
| eduPerson Attribute | Google Attribute | Example Value | Notes |
|---|---|---|---|
| | | Lucas | |
| | | Rockwell | |
| | | | Google does not provide |
| | | | Google does not provide |
| | | lucasrockwell@gmail.com | |
| | | | Google does not provide |
| | | lucasrockwell@gmail.com | Using http://axschema.org/contact/email for |
| | Private Personal Identifier (PPID) | ** | An opaque, per-SP identifier, just like ePTID |
OpenID Connect
| eduPerson Attribute | Google Attribute | Example Value | Notes |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
LinkedIn Mappings
LinkedIn supports a proprietary SSO protocol built on top of OAuth.
| eduPerson Attribute | LinkedIn Attribute | Example Value | Notes |
|---|---|---|---|
| | | Lucas | |
| | | Rockwell | |
| | | | LinkedIn does not provide |
| | | | LinkedIn does not provide |
| | | | LinkedIn does not provide |
| | | Y...r | |
| | | Y...r@linkedin.com | Local part is the same value as |
| | | *http://linkedin.com!Y...r* | Unique value is the same value as |
Twitter Mappings
Twitter supports a proprietary SSO protocol built on top of OAuth.
| eduPerson Attribute | Twitter Attribute | Example Value | Notes |
|---|---|---|---|
| | | | Twitter does not provide |
| | | | Twitter does not provide |
| | | Lucas Rockwell | |
| | | Lucas Rockwell | |
| | | | Twitter does not provide |
| | | lucasrockwell | |
| | | lucasrockwell@twitter.com | |
| | | *http://twitter.com!1...5* | |
Windows Live Mappings
Windows Live supports a proprietary SSO protocol built on top of OAuth.
| eduPerson Attribute | Windows Live Attribute | Example Value | Notes |
|---|---|---|---|
| | | Lucas | |
| | | Rockwell | |
| | | | Windows Live does not provide |
| | | | Windows Live does not provide |
| | | lr@lucasrockwell.com | This is not necessarily an address @hotmail.com. |
| | | fd...89 | |
| | | fd...89@windowslive.com | Local part is the same value as |
| | | *http://windowslive.com!fd...89* | Unique value is the same value as |
Attribute Matrix
The matrix below lists various attributes and which providers supply those attributes. Note: This table is not complete.
| Provider | First Name | Last Name | Transient Email* | Persistent Email | Human-readable Unique ID | Machine-readable Unique ID | SP-specific ID |
|---|---|---|---|---|---|---|---|
| | | | | | (Have not verified this yet.) | (Have not verified this yet.) | |
| Google OpenID Connect | | | | | (Email...) | (Appears user can only look it up if Google+ is enabled for the account.) | |
| Google OpenID 2.0 | | | | | (Email...) | | (The OpenID can either be set for the SP realm, or the domain realm, so only SP-specific if you ask Google to do that for you.) |
| | | | | (Only if enabled via the Public Profile Settings page, however, a user can change this at will.) | | | |
| | | | | | (Have not verified this yet.) | (Have not verified this yet.) | |
| Windows Live | | | | | (Email, but there is more than one, so perhaps not...) | (Have not verified this yet.) | (Have not verified this yet.) |
Notes
* Unless the email address ends in the domain of the provider, the likelihood that the user can change it at their whim is pretty high. This is fine if you are using email as email, i.e., you actually want to know the user's email address. On the other hand, it can have very significant impacts on your service if you are trying to use email as the basis for eduPersonPrincipalName.
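The identifier shapes in the tables above (`<id>@<provider-domain>` for eduPersonPrincipalName, `http://<provider-domain>!<id>` for eduPersonTargetedID) and the footnote's rule about user-changeable email, as an added Python example that is not part of the original page. It assumes the standard MACE-Dir names givenName, sn and displayName for the name rows (the page's attribute column is missing), builds both identifiers from the provider's machine-readable unique id rather than a changeable handle, and the sample values in the test are constructed.

```python
"""Derive eduPerson-style identifiers from social-IdP asserted attributes."""
from typing import Dict, Optional

# Scope used as the ePPN domain and ePTID prefix per provider, taken from
# the example values in the tables above.
SCOPES = {
    "facebook": "facebook.com",
    "linkedin": "linkedin.com",
    "twitter": "twitter.com",
    "windowslive": "windowslive.com",
}


def is_transient_email(email: str, scope: str) -> bool:
    """Footnote rule: an address outside the provider's own domain is one
    the user can change at will, so it must not anchor a stable identifier."""
    return not email.lower().endswith("@" + scope.lower())


def map_identity(provider: str, machine_id: str,
                 email: Optional[str] = None,
                 first: Optional[str] = None,
                 last: Optional[str] = None) -> Dict[str, object]:
    """Map one provider's asserted attributes to eduPerson-style values.

    Both ePPN and ePTID are built from the machine-readable unique id:
    human-readable handles can be blank or renamed (see the Facebook row),
    and the ePTID must stay constant for a given person and service.
    """
    scope = SCOPES[provider]  # KeyError for a provider not in the tables
    if not machine_id:
        raise ValueError(f"{provider} asserted no unique id; cannot build ePTID")
    out: Dict[str, object] = {
        "eduPersonPrincipalName": f"{machine_id}@{scope}",
        "eduPersonTargetedID": f"http://{scope}!{machine_id}",
    }
    if first:
        out["givenName"] = first
    if last:
        out["sn"] = last
    if first and last:
        out["displayName"] = f"{first} {last}"
    if email:
        out["mail"] = email
        # Flag whether the address may be trusted as a persistent identifier.
        out["mailTransient"] = is_transient_email(email, scope)
    return out
```

A caller that wants to use mail as the basis for an ePPN should refuse any result where `mailTransient` is true.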