Need to add the new SAML pairwise and subject ids to attribute-resolver-full.xml
Activity
Scott Cantor, September 21, 2018 at 3:43 AM
If it isn't, you have a broken pairwise ID also. Anything useful as a seed for the hash should at least be a potentially viable candidate. There's no default that can be necessarily "right", this is just a sensible example that will often work without much, possibly any, editing.
Takeshi Nishimura, September 21, 2018 at 3:28 AM
Is it a valid assumption that %{idp.persistentId.sourceAttribute}, e.g. uid, is opaque?
<AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}">
    <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
    <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="samlSubjectID" scope="%{idp.scope}">
    <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}"/>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" friendlyName="subject-id" encodeType="false" />
</AttributeDefinition>
Scott Cantor, September 20, 2018 at 2:54 PM
I don't see any real workaround, so I renamed them samlSubjectID and samlPairwiseID. I prefer ID to Id, and the mixed case is less common across the older options.

peter, September 20, 2018 at 1:03 PM
FWIW, I've meanwhile locally documented the approach with 2 definitions, which works fine and keeps the new names for consistency. (In fact I contributed a somewhat similar example to the shib wiki in the past.)
As you said we can always do something simpler/cleaner for 4.0.
Scott Cantor, September 20, 2018 at 12:53 PM
Reopening for research.
We've added the support to SP3.0, we now need the inverse in attribute-resolver-full (at least for the encoding bit).
I know that @Former user is looking at this right now so if he shares what he uses we can iterate to something useful to us all.
link to spec