OIDC: Standard identifier and attributes

Providing attributes to applications follows the principle of "as few as possible, as many as necessary". For eIAM standard integrations of specialist applications (federal office applications), you therefore receive the identifier and attributes described below.

If your specialist application requires a different identifier, or additional attributes not listed here, please state and justify your needs in the eIAM dossier.

Identifier

In the eIAM standard integration, the JWT (token) that is sent to the application contains the sub claim. Its value is taken from one of the following attributes, depending on the integration pattern:

  • Sub content taken from attribute: http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/e-id/userExtId
    Attribute format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    Description: The userExtId of the Access Client. This value is unique and unchangeable and is used as part of standard integrations with Access Management.
  • Sub content taken from attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Attribute format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    Description: The loginId of the root client. This value is unique and unchangeable and is used in the context of standard integrations without Access Management (Authentication Only).

In both cases sub is the only identifier the application should key user data on; attributes such as email or displayName are descriptive and are not guaranteed to be stable or unique.

Identifier and Standard attribute set

For the standard attribute set, the following rules apply:
  • All attributes come from the root client unless noted otherwise. This ensures that the provided data is consistent with the reported QoA level of the authentication.
  • All attributes provided are eIAM attributes (originalIssuer="uri:eiam.admin.ch:feds"); no attributes from the IdP are passed through to the application.
List of provided attributes in the standard attribute set (columns: Content / Example / Attribute name / Comment):

  • Content: Value of Subject NameID
    Example: 123456789
    Attribute name: sub
    Comment: Standard OIDC claim containing the agreed identifier of the user. For specialist applications this is the userExtId of the user in the access client.
  • Content: Quality of authentication / identity verification
    Example: urn:eiam.admin.ch:names:tc:SAML:2.0:ac:classes:AuthNormal
    Attribute name: acr
    Comment: Standard OIDC claim; contains the authentication strength and is one of the following (weakest to strongest):
      urn:eiam.admin.ch:names:tc:SAML:2.0:ac:classes:AuthWeak
      urn:eiam.admin.ch:names:tc:SAML:2.0:ac:classes:AuthNormal
      urn:eiam.admin.ch:names:tc:SAML:2.0:ac:classes:AuthStrong
      urn:eiam.admin.ch:names:tc:SAML:2.0:ac:classes:AuthVeryStrong
  • Content: Display Name
    Example: Smith John FOITT
    Attribute name: displayName
    Comment: Private claim name. Must only be used to display the user and must not be interpreted (do not parse first name, last name or organisation out of it). In the enterprise context this attribute has the format "last name & first name & OE". In the eGov context this attribute has the format "last name & first name".
  • Content: First name
    Example: John
    Attribute name: firstName
    Comment: Standard OIDC attribute. Data is taken from the eIAM root client.
  • Content: Last name
    Example: Smith
    Attribute name: lastName
    Comment: Standard OIDC attribute. Data is taken from the eIAM root client.
  • Content: eMail address
    Example: john.smith@bit.admin.ch
    Attribute name: email (email2)
    Comment: Standard OIDC attribute. Data is taken from the eIAM root client.
  • Content: Language
    Example: DE
    Attribute name: language
    Comment: Private claim name.
  • Content: Roles in the current profile of the current specialist application *
    Example: FOPH-emweb.ALLOW, FOPH-embeb.Admin
    Attribute name: role
    Comment: Private claim name. All the roles the user has in the currently selected profile (multi-valued). If the user has multiple profiles, the user has to choose the profile he wants to work with beforehand.

* Not available with the Authentication Only integration pattern.
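The following is an added example of how a relying party would consume this claim set; it is illustrative code written for this page, not eIAM's own SDK or reference implementation. It assumes the ID token's signature, issuer, audience and expiry have already been verified by the application's OIDC library, and it only shows the claim handling the tables above imply: keying the user on sub, enforcing a minimum acr on the Weak/Normal/Strong/VeryStrong ladder, treating displayName as opaque, and reading role as a multi-valued claim that is absent under the Authentication Only pattern. The claim names and acr values are those listed above; the sample payload at the bottom is constructed from the example column, and the helper names are this example's own.

```python
"""Consuming the eIAM standard OIDC claim set in a relying party.

Added example written for this page; it is not eIAM's own code. It assumes the
ID token's signature, issuer, audience and expiry have already been verified by
the application's OIDC library, so only the claim handling described above is
shown. The claim names and acr values are the ones listed in the tables; the
sample payload at the bottom is constructed from the table's example column.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# acr values from the table, ordered from weakest to strongest.
ACR_PREFIX = "urn:eiam.admin.ch:names:tc:SAML:2.0:ac:classes:"
ACR_LEVELS = ("AuthWeak", "AuthNormal", "AuthStrong", "AuthVeryStrong")
ACR_RANK = {ACR_PREFIX + name: rank for rank, name in enumerate(ACR_LEVELS)}


class ClaimError(ValueError):
    """The token does not carry the claims the application relies on."""


@dataclass(frozen=True)
class EiamUser:
    user_id: str            # the 'sub' value: the only stable key for this user
    acr: str
    first_name: str
    last_name: str
    email: str
    display_name: str       # for display only; the page says never to interpret it
    language: Optional[str]
    roles: frozenset        # roles in the currently selected profile


def acr_rank(acr: str) -> int:
    """Position of an eIAM acr value on the Weak..VeryStrong ladder."""
    if acr not in ACR_RANK:
        raise ClaimError(f"unknown acr value: {acr!r}")
    return ACR_RANK[acr]


def meets_required_acr(acr: str, required: str) -> bool:
    """True if the token's authentication strength is at least 'required'."""
    return acr_rank(acr) >= acr_rank(required)


def roles_from_claim(value) -> frozenset:
    """'role' is multi-valued. Some encoders emit a bare string for a single
    role, so accept both; a missing claim (Authentication Only) means no roles."""
    if value is None:
        return frozenset()
    if isinstance(value, str):
        return frozenset([value])
    return frozenset(value)


def user_from_claims(claims: dict, required_acr: str, authn_only: bool = False) -> EiamUser:
    """Build the application's user from a verified ID token payload.

    authn_only=True selects the Authentication Only pattern, where 'sub' is the
    root-client loginId and no 'role' claim is delivered; roles are then never
    read from the token even if something put one there.
    """
    for name in ("sub", "acr", "firstName", "lastName", "email", "displayName"):
        if not claims.get(name):
            raise ClaimError(f"required claim missing: {name}")
    if not meets_required_acr(claims["acr"], required_acr):
        raise ClaimError(f"authentication too weak: {claims['acr']} < {required_acr}")
    return EiamUser(
        user_id=claims["sub"],
        acr=claims["acr"],
        first_name=claims["firstName"],
        last_name=claims["lastName"],
        email=claims["email"],
        display_name=claims["displayName"],   # stored verbatim, never parsed
        language=claims.get("language"),
        roles=frozenset() if authn_only else roles_from_claim(claims.get("role")),
    )


def rejection_reason(claims: dict, required_acr: str, authn_only: bool = False) -> Optional[str]:
    """None if the payload is acceptable, otherwise the reason it was rejected."""
    try:
        user_from_claims(claims, required_acr, authn_only)
    except ClaimError as exc:
        return str(exc)
    return None


# Constructed sample payload, shaped after the example column of the table above.
SAMPLE_CLAIMS = {
    "sub": "123456789",
    "acr": ACR_PREFIX + "AuthNormal",
    "displayName": "Smith John FOITT",
    "firstName": "John",
    "lastName": "Smith",
    "email": "john.smith@bit.admin.ch",
    "language": "DE",
    "role": ["FOPH-emweb.ALLOW", "FOPH-embeb.Admin"],
}

if __name__ == "__main__":
    user = user_from_claims(SAMPLE_CLAIMS, ACR_PREFIX + "AuthNormal")
    print(user.user_id, sorted(user.roles))
    print(rejection_reason(SAMPLE_CLAIMS, ACR_PREFIX + "AuthStrong"))
```

The acr comparison is the part worth copying: comparing the claim against a single expected string would silently reject users who authenticated more strongly than required, and accepting any non-empty acr would let an AuthWeak session into an application that asked eIAM for AuthStrong. Keying on sub rather than email matches the identifier table above, since only sub is documented as unique and unchangeable.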

For a full reference of attributes, please see:

SAML Attributes

This is the SAML attribute reference; each SAML attribute listed there is mapped to a corresponding OIDC claim name.