Versions Compared

Old Version 10

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 11

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Note

This data connector was historically used to produce both the "eduPersonTargetedID" SAML Attribute, which contains a SAML <NameID> element in its values, and to generate SAML 2.0 "persistent" NameID values. The attribute use case is itself generally deprecated because SAML 1 itself is a legacy standard and because the use of the attribute in SAML 2 is both redundant, and overly complex. The NameID use case has been replaced by an equivalent NameID "generator" (see the NameIDGenerationConfiguration topic).

The connector remains supported to facilitate future compliance with emerging profiles for SAML subject identification the Shibboleth community hopes will replace the older options.

...

Overview

The ComputedId data connector generates an attribute from the (usually SHA-1 hash ) digest of the requesting entity's IDentityID, an attribute value, and a salt that must be kept secret to prevent off-line generation of the hashes to recover the underlying attribute value.

The attribute value is therefore opaque and unique per user, per relying party, suitable for use as a SAML "persistent" NameID or "pairwise-id" Subject Attribute.

Reference

Schema Name and Location

This xsi:type is defined by the urn:mace:shibboleth:2.0:resolver schema 3.3, located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd.

Prior to V3.3 supplied plugins were defined by a schema type (xsi:type) in the urn:mace:shibboleth:2.0:resolver:dc namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd. This is still supported, but every element or type in the  urn:mace:shibboleth:2.0:resolver:dc namespace has an equivalently named (but not necessarily identical) version in the urn:mace:shibboleth:2.0:resolver namespace. The use of the urn:mace:shibboleth:2.0:resolver namespace also allows a relaxation of the ordering requirements of child elements to reduce strictness.

...

NameTypeDefaultDescription
generatedAttributeID
stringID of the connectorThe id of the IdPAttribute that is generated
sourceAttributeIDstring, required
The id of the IdPAttribute used as input to the computed ID.
saltstring. required
A salt, of at least 16 bytes, used in the computed ID

encoding 3.3.2

stringBASE64Controls the eventual text encoding of the value, this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration)
algorithm 3.4stringSHAControls the digest algorithm applied

Anchor
SaltBug
SaltBug

Note
titleConfiguring salt prior to V3.3

Prior to release 3.3 the parser mishandled the provided salt and stripped trailing and leading spaces from it, see case IDP-982. This rendered the values incompatible with those used in V2.

Until 3.3 is release, a A workaround is to indirect through a property: for instance:

Attribute-resolver.xml:

Code Block
xml
xml
<DataConnector id="computed" xsi:type="ComputedId" 
	sourceAttributeID="theSourceRemainsTheSame"
	generatedAttributeID="jennyFoo"
	salt="%{idp.ComputedIDDataConnectorpersistentId.salt}"/>

idp.properties

Code Block
idp.ComputedIDDataConnectorpersistentId.salt = String with Spaces before and after

...

Any of the common child elements can be specified.

Examples

TODO: update this example with the new Dependency syntax.

Code Block
languagexml
<DataConnector id="ComputedIDConnector" xsi:type="ComputedId" 
    sourceAttributeID="Foo"
	generatedAttributeID="ComputedID"
	salt="abcdefghijklmnopqrstuvwxyz"
	encoding="BASE32">

	<Dependency ref="AttributeSourceForFoo"/>

</DataConnector>