...

Warning

It has recently come to light that at least some (perhaps many, or even most) applications do not handle identifiers case-sensitively. The SAML persistent NameID format is explicitly defined to be case-sensitive, but it is much wiser not to rely on that. As a result, all current versions of the software generate Base64-encoded identifiers (mixed upper and lower case) that are unwise to use in practice. If you are not already supporting identifiers produced by it, you should either wait for the next update, or configure a different strategy that encodes the hash with Base32, which produces output containing no lower-case letters and therefore survives case-insensitive consumers. This capability will be built in to the next version of the software and enabled by default for new deployments.

...

  • idp.persistentId.sourceAttribute
    • A list of attributes from which to derive a "source" key for the subject. The key is used as the hash input; it should be a very stable value for each subject and must never be reassigned later to a different subject. This should be a permanent serial number assigned to each account by an identity management system (IDMS), not a name-based identifier such as a login ID or email address, which can be renamed or reissued. It should also be technology-neutral; using a GUID generated by Active Directory is a very bad choice that will lead to problems if you ever change directories.
  • idp.persistentId.salt
    • A secret string used as a salt when hashing the subject key derived from the property above. The salt is required to prevent trivial attacks in which someone who knows (or can enumerate) the source keys recomputes the identifier for a given subject, so it must be kept secret. Note that leading or trailing whitespace is not trimmed from the property, so whitespace in the salt is significant and is best avoided.
  • idp.persistentId.encodedSalt 3.3
    • If your salt value contains special characters that Spring won't accept safely, you can work around this by base64-encoding the salt you want to use and specifying the encoded version in this property instead of the previous property. Do not set both.
  • idp.persistentId.encoding 3.43.2
    • Controls the encoding of the generated hash value. Defaults to BASE64 if not set, but new installations will set this property to BASE32 to produce values without mixed case.
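To make the properties above concrete, here is an added example (written for this page; it is not the IdP's own code) that models the computed persistent ID: a salted hash of the subject's source key, bound to the relying party, encoded as Base64 or Base32. The hash-input layout `relyingPartyId!sourceValue!salt` and the SHA-1 default digest are my reading of the IdP's computed-ID strategy and should be checked against the version you run; the relying party, serial numbers and salt are constructed sample values. The block also shows how `salt` versus `encodedSalt` is resolved, why Base32 output is safe for case-insensitive consumers while Base64 output is not, and why a missing or known salt lets anyone with a candidate list of source keys recover the identifier for a subject.

```python
import base64
import hashlib
from typing import Iterable, Optional

# Constructed sample values; real deployments use their own SP entityID and a long random secret salt.
RELYING_PARTY = "https://sp.example.org/shibboleth"
SAMPLE_SALT = "correct horse battery staple"      # constructed, NOT a suitable production salt
SAMPLE_SERIALS = ["1000042", "1000043", "1000044"]  # constructed IDMS serial numbers


def resolve_salt(salt: Optional[str], encoded_salt: Optional[str]) -> str:
    """Mirror the salt/encodedSalt rule: exactly one is set; encodedSalt is
    base64-decoded, a plain salt is used verbatim (whitespace is NOT trimmed)."""
    if (salt is None) == (encoded_salt is None):
        raise ValueError("set exactly one of idp.persistentId.salt and idp.persistentId.encodedSalt")
    if encoded_salt is not None:
        return base64.b64decode(encoded_salt, validate=True).decode("utf-8")
    return salt  # deliberately not .strip()ed: leading/trailing whitespace is significant


def computed_id(relying_party_id: str, source_value: str, salt: str,
                encoding: str = "BASE64", algorithm: str = "sha1") -> str:
    """Persistent ID in the style of the computed-ID strategy.

    Assumption (my reading of the IdP, verify against your version): the digest
    input is relyingPartyId + '!' + sourceValue + '!' + salt, SHA-1 by default.
    Binding the relying party in makes the ID differ per SP (a pairwise identifier).
    """
    if encoding not in ("BASE64", "BASE32"):
        raise ValueError("encoding must be BASE64 or BASE32")
    data = f"{relying_party_id}!{source_value}!{salt}".encode("utf-8")
    digest = hashlib.new(algorithm, data).digest()
    if encoding == "BASE64":
        return base64.b64encode(digest).decode("ascii")   # mixed case: A-Z, a-z, 0-9, +, /
    return base64.b32encode(digest).decode("ascii")       # single case: A-Z, 2-7


def is_case_safe(identifier: str) -> bool:
    """True if a case-insensitive consumer cannot corrupt the identifier, i.e. it
    contains no mixed case, so folding it to one case loses nothing."""
    return identifier == identifier.upper() or identifier == identifier.lower()


def case_fold_collisions(identifiers: Iterable[str]) -> int:
    """How many distinct identifiers merge once a consumer case-folds them."""
    ids = list(identifiers)
    return len(set(ids)) - len({i.lower() for i in ids})


def recover_subject(target_id: str, candidate_keys: Iterable[str], relying_party_id: str,
                    guessed_salt: str, encoding: str = "BASE64") -> Optional[str]:
    """The attack a secret salt defends against: with the salt known (or empty)
    and a list of plausible source keys, an outsider simply recomputes every ID
    until one matches and thereby learns who a given persistent ID belongs to."""
    for key in candidate_keys:
        if computed_id(relying_party_id, key, guessed_salt, encoding) == target_id:
            return key
    return None


if __name__ == "__main__":
    salt = resolve_salt(SAMPLE_SALT, None)
    for serial in SAMPLE_SERIALS:
        print(serial, computed_id(RELYING_PARTY, serial, salt, "BASE64"),
              computed_id(RELYING_PARTY, serial, salt, "BASE32"))
    # With an empty salt, every ID is recoverable by enumeration of serials.
    leaked = computed_id(RELYING_PARTY, "1000043", "")
    print("recovered without salt:", recover_subject(leaked, SAMPLE_SERIALS, RELYING_PARTY, ""))
```

Note the two checks a practitioner cares about: `is_case_safe` is always true for the Base32 form and usually false for the Base64 form of the same hash, and `recover_subject` succeeds only when the attacker's guessed salt equals the real one, which is exactly why the salt must be secret and why changing it (or the source attribute) silently changes every subject's identifier at every SP.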

...