An Entity, Identity, and Associate Attributes
An entity, e.g., an individual (person), organization, device, or process, is anyone or anything that has an identity, which is “the set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.” (NIST SP 800-161)
SAML Assertion and OIDC Claim
The term, assertion, is used in SAML, while “claim” is used in OIDC. A SAML assertion carries three types of statements: authentication, attribute, and authorization. An OIDC claim can be treated as a single attribute statement about a subject; a set of user attributes (or claims) is collectively called a scope.
- An assertion is the “sentence or proposition in logic which is asserted (or assumed) to be true.” (ISO/TS 21526:2019)
- A claim is an “assertion of identity.” (ISO/IEC 24745:2011)
An asserting party is a system entity that makes SAML assertions that carry authentication, attribute, and authorization statements. A relying party is a system entity that uses assertions it has received.
For example, a SAML assertion may carry statements about a subject as follows:
- The subject is named “Wentz Wu.”
- The subject has an email address of firstname.lastname@example.org.
- The subject is a member of the “engineering” group.
- An OIDC claim can be treated as a statement in the SAML assertion.
- An OIDC scope can be viewed as a SAML assertion.