Note: This data connector was historically used to produce both the "eduPersonTargetedID" SAML Attribute, which contains a SAML The connector remains supported to facilitate future compliance with emerging profiles for SAML subject identification the Shibboleth community hopes will replace the older options.
Overview
The ComputedId data connector generates an attribute from the digest (usually a SHA-1 hash) of the requesting entity's entityID, an attribute value, and a salt. The salt must be kept secret: without it, the hashes cannot be regenerated off-line to recover the underlying attribute value.
The attribute value is therefore opaque and unique per user, per relying party, suitable for use as a SAML "persistent" NameID or "pairwise-id" Subject Attribute.
Reference
Schema Name and Location
This xsi:type is defined by the urn:mace:shibboleth:2.0:resolver schema (3.3), located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd.
Prior to V3.3, supplied plugins were defined by a schema type (xsi:type) in the urn:mace:shibboleth:2.0:resolver:dc namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd. This is still supported, but every element or type in the urn:mace:shibboleth:2.0:resolver:dc namespace has an equivalently named (but not necessarily identical) version in the urn:mace:shibboleth:2.0:resolver namespace. The use of the urn:mace:shibboleth:2.0:resolver namespace also relaxes the ordering requirements of child elements, reducing strictness.
Name | Type | Default | Description |
---|---|---|---|
generatedAttributeID | string | ID of the connector | The id of the IdPAttribute that is generated |
sourceAttributeID | string, required | | The id of the IdPAttribute used as input to the computed ID |
salt | string, required | | A salt, of at least 16 bytes, used in the computed ID |
encoding | string | BASE64 | Controls the eventual text encoding of the value; this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration) |
algorithm (3.4) | string | SHA | Controls the digest algorithm applied |
Note: Prior to release 3.3 the parser mishandled the provided salt and stripped leading and trailing spaces from it (see case IDP-982). This rendered the values incompatible with those used in V2. Until 3.3 is released, a workaround is to indirect through a property: define the salt in idp.properties and reference that property from attribute-resolver.xml.
Any of the common child elements can be specified.
Examples
TODO: update this example with the new Dependency syntax.
```xml
<DataConnector id="ComputedIDConnector" xsi:type="ComputedId"
               sourceAttributeID="Foo"
               generatedAttributeID="ComputedID"
               salt="abcdefghijklmnopqrstuvwxyz"
               encoding="BASE32">
    <Dependency ref="AttributeSourceForFoo"/>
</DataConnector>
```
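As an added worked example (not code from this page or from the Shibboleth project), the following Python reproduces the construction the Overview describes and the salt-whitespace problem from the note above, using the salt and BASE32 encoding from the configuration example. The exact digest input layout (entityID + "!" + attribute value + "!" + salt), the UTF-8 encoding of the salt and the padded Base64/Base32 output are assumptions; the relying-party entityIDs and the username are constructed sample values. The functions let a deployer check that a value is stable for one user and one relying party, differs across relying parties, and whether a configured salt would have been altered by the pre-3.3 whitespace stripping.

```python
import base64
import hashlib

MIN_SALT_BYTES = 16  # the page requires a salt of at least 16 bytes

# Java MessageDigest names used by the "algorithm" attribute (page default "SHA"),
# mapped to hashlib names. "SHA" is SHA-1 in Java.
_ALGORITHMS = {"SHA": "sha1", "SHA-256": "sha256"}


def validate_salt(salt: str) -> bool:
    """Return True when the salt meets the page's minimum length (UTF-8 bytes assumed)."""
    return len(salt.encode("utf-8")) >= MIN_SALT_BYTES


def computed_id(relying_party_id: str, source_value: str, salt: str,
                algorithm: str = "SHA", encoding: str = "BASE64") -> str:
    """Compute the opaque per-user, per-relying-party identifier.

    Assumption (not stated on the page): the digest covers
    entityID + "!" + sourceValue + "!" + salt, in that order.
    """
    if not validate_salt(salt):
        raise ValueError("salt must be at least %d bytes" % MIN_SALT_BYTES)
    md = hashlib.new(_ALGORITHMS[algorithm])
    md.update(relying_party_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt.encode("utf-8"))  # secret; never derivable from the output
    digest = md.digest()
    if encoding == "BASE64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "BASE32":
        # Base32 output is upper-case only, which avoids the case-sensitivity
        # problems the page warns about for Base64 in some relying parties.
        return base64.b32encode(digest).decode("ascii")
    raise ValueError("encoding must be BASE64 or BASE32")


def salt_is_whitespace_sensitive(salt: str) -> bool:
    """True when a pre-3.3 parser (IDP-982) would have stripped leading or
    trailing whitespace from this salt, silently changing every issued value."""
    return salt != salt.strip()


def migration_report(relying_party_id: str, source_value: str, salt: str,
                     encoding: str = "BASE32") -> dict:
    """Compare the value from the salt as configured with the value a
    whitespace-stripping parser would have produced; a mismatch means the
    identifiers issued before and after the fix will not agree."""
    as_configured = computed_id(relying_party_id, source_value, salt, encoding=encoding)
    stripped = computed_id(relying_party_id, source_value, salt.strip(), encoding=encoding)
    return {
        "as_configured": as_configured,
        "stripped": stripped,
        "stable_across_versions": as_configured == stripped,
    }


if __name__ == "__main__":
    # Constructed sample inputs; the salt is the one from the page's example.
    salt = "abcdefghijklmnopqrstuvwxyz"
    user = "jdoe"
    sp1 = "https://sp1.example.org/shibboleth"
    sp2 = "https://sp2.example.org/shibboleth"
    print("SP1:", computed_id(sp1, user, salt, encoding="BASE32"))
    print("SP2:", computed_id(sp2, user, salt, encoding="BASE32"))
    print("salt with trailing space:", migration_report(sp1, user, salt + " "))
```

Running the script prints two different BASE32 values for the same user at two relying parties, and a report whose `stable_across_versions` is `False` for a salt carrying a trailing space, which is the situation the IDP-982 workaround is meant to avoid.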