Dunken

Reputation: 8681

User mapping in OpenID Connect Relying Party

In this scenario my Relying Party (RP) not only wants to get information about a user but also needs to map a user to an internal user of the RP. Because of this I would like to map existing users of the Identity Provider (IdP) to users/groups in the RP. How can I achieve this with OpenID Connect (IdP and RP have a trust relationship; both are controlled by me)?

What are other options to solve this issue?

Upvotes: 6

Views: 445

Answers (1)

Kavindu Dodanduwa

Reputation: 13059

There are two approaches I see here; one from the OpenID Connect point of view, and the other from user directory handling.

Id token claims

OpenID Connect specification defines standard claims in an id token, and gives the freedom to define claims of our own. For example, if the RP cannot depend on the sub claim to identify and map the end user, one can introduce a custom claim in addition to the standard claims available.

ID Tokens MAY contain other Claims. Any Claims used that are not understood MUST be ignored

For example, you can define a claim rp_identifier in the id token which gives you the RP user id.

This will require some configuration of your IDP and also storing the required identifier in IDP storage.

Directory synchronization

Not sure how your user directories are set up. But if you are using an external IDP, you may want to synchronize your internal and external user directories. I am not an expert in this domain, but for your reference this article explains Azure Active Directory synchronization.

Although user synchronization is out of the scope of OpenID Connect, many who are moving to OpenID Connect at some point have to map internal users to users in the IDP.

Upvotes: 3
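Added illustration of the custom-claim approach from the answer above (example code, not from the answer's author): the IdP side mints an id token carrying an rp_identifier claim, and the RP side checks signature, algorithm, issuer, audience and expiry before it maps that claim to an internal user. The HS256 shared secret, issuer URL, client_id and user table are all constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json

# Constructed example: IdP and RP are controlled by the same party (as in the
# question), so an HMAC shared secret stands in for the IdP's signing key;
# real deployments normally verify RS256 signatures against the IdP's JWKS.
SHARED_SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example.test"   # assumed IdP issuer
CLIENT_ID = "rp-client-123"           # assumed RP client_id, used as audience

# Constructed RP user table keyed by the value the custom claim carries.
INTERNAL_USERS = {"rp-user-42": {"name": "Alice", "groups": ["admins"]}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(sub: str, rp_identifier: str, now: int) -> str:
    """IdP side: mint an HS256 id token carrying the custom rp_identifier claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "rp_identifier": rp_identifier}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def map_id_token_to_internal_user(token: str, now: int) -> dict:
    """RP side: validate the id token, then map rp_identifier to an internal user."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never accept 'none'
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    # Only now read the custom claim; an absent or unknown value is not a login.
    key = claims.get("rp_identifier")
    if key not in INTERNAL_USERS:
        raise LookupError(f"no internal user for sub={claims.get('sub')}")
    return {"internal_id": key, **INTERNAL_USERS[key]}
```

The mapping step runs only after every token check has passed, so a forged or expired token never reaches the user table.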
