Simplify OIDC claims configuration
Summary
In order to successfully transmit a simple claim (email, login, full name) to an OIDC application, an LLNG admin must:
- Be aware that OIDC claims have standard names (email, preferred_username, name)
- Map those standard names to LLNG variables in "Exported Attributes"
- Be aware that standard OIDC claims are released through standard scopes (profile, address...)
- Configure the client application to request those standard scopes
If they try to transmit a claim without using a standard name, or transmit a non-standard claim (groups, or any kind of custom attribute), they must:
- Map those non-standard claims to LLNG variables in "Exported Attributes"
- Be aware that LLNG will only release claims declared in a scope UNLESS they are standard claims
- Create a scope value to encompass some, or all, of those claims in "Scope values content"
- Configure their application to request the new scope values, or use a scope rule to force it
This is VERY complicated, to say the least; it trips up many (if not all) of our users. They end up doing weird configurations in "Scope values content", such as one scope per attribute or overriding the profile scope with new attributes, if they can make it work at all.
Our SAML configuration is MUCH simpler:
- Declare SAML attribute in "Exported attributes"
- That's all, the attribute will be sent to the application
Design proposition
We need to simplify this.
My proposal:
- Declare OIDC claims in "Exported attributes"
- That's all, the claim will be sent to the application
For people who want to do complicated things
Some people might want to handle scopes, so we can still leave the "Scope values content" configuration in the product, but hide it in a sub-menu, and add a new option that keeps the old behavior, named "Only release claims if allowed by a scope" (enabled on existing installs, disabled on new installs).
Discuss
Any objections?
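As an added illustration, not code from the LemonLDAP::NG project or from the issue author: a small Python model of the two release policies described above, the current scope-gated behaviour and the proposed "release everything in Exported Attributes" behaviour, so the effect of the "Only release claims if allowed by a scope" switch can be seen on concrete input. The standard scope-to-claim mapping is taken from OpenID Connect Core 1.0 section 5.4 (the issue only names profile and address); the user session, exported attributes and custom scope value are constructed for the example.

```python
"""Model of OIDC claim release: the scope-gated behaviour the issue describes
next to the proposed "release every exported claim" behaviour.
Illustrative model only, not LemonLDAP::NG code."""

from typing import Any

# Standard claims and the standard scope that releases each one
# (OpenID Connect Core 1.0, section 5.4). The issue only names "profile"
# and "address"; the other scopes are filled in from the specification.
STANDARD_SCOPE_CLAIMS: dict[str, set[str]] = {
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def claims_allowed_by_scopes(
    requested_scopes: set[str],
    scope_values_content: dict[str, set[str]],
) -> set[str]:
    """Claims the requested scopes allow: standard claims through their
    standard scope, custom claims through admin-defined scope values
    (the "Scope values content" configuration)."""
    allowed: set[str] = set()
    for scope in requested_scopes:
        allowed |= STANDARD_SCOPE_CLAIMS.get(scope, set())
        allowed |= scope_values_content.get(scope, set())
    return allowed


def release_claims(
    session: dict[str, Any],
    exported_attributes: dict[str, str],   # claim name -> session variable
    scope_values_content: dict[str, set[str]],
    requested_scopes: set[str],
    only_release_if_allowed_by_scope: bool,
) -> dict[str, Any]:
    """Build the claim set sent to the relying party.

    only_release_if_allowed_by_scope=True  -> current behaviour from the issue
    only_release_if_allowed_by_scope=False -> proposed default for new installs
    """
    if only_release_if_allowed_by_scope:
        allowed = claims_allowed_by_scopes(requested_scopes, scope_values_content)
    else:
        allowed = set(exported_attributes)   # everything exported is released

    released: dict[str, Any] = {}
    for claim, variable in exported_attributes.items():
        value = session.get(variable)
        # A claim is released only if allowed and the session actually has a value
        if claim in allowed and value not in (None, ""):
            released[claim] = value
    return released


# --- constructed sample data (hypothetical user and configuration) ---
SESSION = {"mail": "alice@example.org", "uid": "alice", "cn": "Alice Martin",
           "groups": ["admins", "developers"], "ou": "IT"}
EXPORTED = {"email": "mail", "preferred_username": "uid", "name": "cn",
            "groups": "groups", "department": "ou"}
SCOPE_VALUES = {"myapp": {"groups"}}   # admin-defined scope; "department" is in no scope


def demo() -> dict[str, dict[str, Any]]:
    """Three runs: current policy with standard scopes only, current policy
    with the custom scope added, and the proposed policy with only openid."""
    return {
        "current, standard scopes only": release_claims(
            SESSION, EXPORTED, SCOPE_VALUES, {"openid", "profile", "email"}, True),
        "current, plus custom scope": release_claims(
            SESSION, EXPORTED, SCOPE_VALUES, {"openid", "profile", "email", "myapp"}, True),
        "proposed, openid only": release_claims(
            SESSION, EXPORTED, SCOPE_VALUES, {"openid"}, False),
    }


if __name__ == "__main__":
    for label, claims in demo().items():
        print(f"{label}: {sorted(claims)}")
```

With the current policy, `department` is never released because it is a non-standard claim that no scope value declares, and `groups` appears only when the application also requests the custom `myapp` scope; with the proposed policy, every claim listed in Exported Attributes is released regardless of the requested scopes.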