
...

  1. Create a Stored ID data connector. This data connector is responsible for creating, and persisting in a database, the value used as the name identifier.
  2. Create a simple attribute definition that turns the value of the stored ID into an attribute.
  3. Attach a SAML 1 Name Identifier encoder and a SAML 2 NameID encoder to that attribute, both with the persistent name format.
Example Data Connector and Attribute Definition:
<resolver:AttributeDefinition id="persistentId" xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="storedId">

    <resolver:Dependency ref="StoredId"/>

    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />

    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

<resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="StoredId"
                        sourceAttributeID="uid"
                        salt="kd89lkalkcv2f09fjs3v981298fkfjkgri">

     <resolver:Dependency ref="ldap" />

     <!-- database connection settings go here -->

</resolver:DataConnector>

...

Finally, define an attribute filter policy that releases the persistent ID to the intended relying parties. A persistent ID is an opaque value generated separately for each relying party: on its own it reveals nothing about the user, and the same user receives a different value at each SP, so the IDs cannot be used to correlate a user across services. Releasing the attribute to any relying party is therefore normally acceptable, and the following policy is suggested, although a deployer may restrict it further. This holds only as long as the salt in the data connector stays secret and unchanged once in use: the value shown above is a placeholder that must be replaced with a long random secret of the deployer's own.

Attribute Filter Policy Releasing Persistent ID to Anyone:
<AttributeFilterPolicy id="releasePersistentIdToAnyone">

    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="persistentId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

</AttributeFilterPolicy>
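The following Python script is an added illustration, not code from the page or from the Shibboleth project, of the properties the three-step setup above and the release policy rely on: a persistent ID is derived per relying party, is stable once stored, and is only unguessable while the salt is secret. It assumes the IdP 2.x computed-ID construction base64(SHA-1(relyingPartyId + "!" + sourceValue + "!" + salt)) and models the StoredId database as an in-memory dictionary; the entityIDs, usernames and the reuse of the placeholder salt from the configuration are constructed sample data.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the page): the placeholder salt from the
# resolver configuration above and two relying parties of a hypothetical federation.
SALT = b"kd89lkalkcv2f09fjs3v981298fkfjkgri"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"


def computed_persistent_id(relying_party_id: str, source_value: str, salt: bytes) -> str:
    """Derive a persistent ID the way the IdP 2.x computed-ID algorithm is
    assumed to here: base64( SHA-1( relyingPartyId + "!" + sourceValue + "!" + salt ) ).

    Mixing in the relying party's entityID gives one user a different,
    unlinkable value at every SP; the salt is what stops an SP from
    recomputing the hash for guessed usernames.
    """
    md = hashlib.sha1()
    md.update(relying_party_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt)
    return base64.b64encode(md.digest()).decode("ascii")


class StoredIdStore:
    """Stand-in for the StoredId connector's database table (assumption: a dict
    keyed by relying party and source value). The first value issued for a pair
    is persisted and returned on every later resolution, so a user's ID at an SP
    survives even a later change of the salt."""

    def __init__(self, salt: bytes) -> None:
        self.salt = salt
        self._table: Dict[Tuple[str, str], str] = {}

    def resolve(self, relying_party_id: str, source_value: str) -> str:
        key = (relying_party_id, source_value)
        if key not in self._table:
            self._table[key] = computed_persistent_id(relying_party_id, source_value, self.salt)
        return self._table[key]


def guess_uid(relying_party_id: str, observed_id: str, salt: bytes,
              candidates: List[str]) -> Optional[str]:
    """What a relying party could do if the salt leaked: recompute the hash for
    candidate uids until one matches the persistent ID it was given. Returns the
    matching uid, or None when the salt is wrong or no candidate matches."""
    for uid in candidates:
        if computed_persistent_id(relying_party_id, uid, salt) == observed_id:
            return uid
    return None


def demo() -> Dict[str, bool]:
    """Run the checks a deployer cares about and report each as pass/fail."""
    store = StoredIdStore(SALT)
    id_a = store.resolve(SP_A, "jdoe")
    id_b = store.resolve(SP_B, "jdoe")

    # Rotating the salt must not change an ID that is already stored ...
    store.salt = b"a-different-secret"
    id_a_after_rotation = store.resolve(SP_A, "jdoe")
    # ... but a brand-new user is computed from the new salt.
    fresh_after_rotation = store.resolve(SP_A, "asmith")

    return {
        "deterministic": id_a == store.resolve(SP_A, "jdoe"),
        "differs_per_sp": id_a != id_b,
        "stable_across_salt_rotation": id_a == id_a_after_rotation,
        "new_user_uses_new_salt": fresh_after_rotation != computed_persistent_id(SP_A, "asmith", SALT),
        "leaked_salt_unmasks_uid": guess_uid(SP_A, id_a, SALT, ["asmith", "jdoe"]) == "jdoe",
        "secret_salt_blocks_guessing": guess_uid(SP_A, id_a, b"wrong-guess", ["asmith", "jdoe"]) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The last two checks are the reason the release-to-anyone policy is only as safe as the salt: with the salt, an SP that already holds a user's persistent ID can confirm a guessed login name in one hash computation; without it, the opaque value tells it nothing.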

...