SAML Assertion and OIDC Claim

An Entity, Identity, and Associated Attributes

An entity, e.g., an individual (person), organization, device, or process, is anyone or anything that has an identity, which is “the set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.” (NIST SP 800-161)

SAML Assertion and OIDC Claim

The term “assertion” is used in SAML, while “claim” is used in OIDC. A SAML assertion carries three types of statements: authentication, attribute, and authorization. An OIDC claim can be treated as a single attribute statement about a subject; a set of user attributes (or claims) is collectively called a scope.

  • An assertion is the “sentence or proposition in logic which is asserted (or assumed) to be true.” (ISO/TS 21526:2019)
  • A claim is an “assertion of identity.” (ISO/IEC 24745:2011)

SAML Assertions

An asserting party is a system entity that makes SAML assertions that carry authentication, attribute, and authorization statements. A relying party is a system entity that uses assertions it has received.

For example, a SAML assertion may carry statements about a subject as follows:

  • The subject is named “Wentz Wu.”
  • The subject has an email address of wentzwu@gmail.com.
  • The subject is a member of the “engineering” group.

OIDC Claims

  • An OIDC claim can be treated as a statement in the SAML assertion.
  • An OIDC scope can be viewed as a SAML assertion.
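The following is an added example, not code from the original post: it takes a constructed, unsigned SAML 2.0 assertion carrying the authentication and attribute statements listed above (name, email address, “engineering” group) and translates them into the OIDC claim set a relying party would consume. The attribute-to-claim mapping, the issuer URL, and the sample values are assumptions made for illustration; a real relying party must validate the assertion’s XML signature and conditions with a SAML library before trusting any of its statements.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical mapping from SAML attribute names to OIDC claim names.
ATTR_TO_CLAIM = {"displayName": "name", "email": "email", "groups": "groups"}

# Constructed, unsigned sample assertion (illustration only, not a real IdP's output).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>wentzwu@gmail.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Wentz Wu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>wentzwu@gmail.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_to_oidc_claims(assertion_xml: str) -> dict:
    """Map the statements of an already signature-verified SAML assertion to OIDC claims."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion element")
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        # A relying party must know who asserted what about whom; reject otherwise.
        raise ValueError("assertion lacks Issuer or Subject/NameID; reject it")
    claims = {"iss": issuer, "sub": name_id}
    # Authentication statement -> auth_time / acr claims.
    authn = root.find("saml:AuthnStatement", SAML_NS)
    if authn is not None:
        claims["auth_time"] = authn.get("AuthnInstant")
        acr = authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=SAML_NS)
        if acr:
            claims["acr"] = acr
    # Attribute statement -> one claim per attribute (multi-valued attributes become lists).
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = ATTR_TO_CLAIM.get(attr.get("Name"), attr.get("Name"))
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[name] = values if len(values) > 1 else values[0]
    return claims
```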
