Versions Compared

Old Version 17

changes.mady.by.user IAM David Bantz

Saved on

compared with

New Version 18

changes.mady.by.user IAM David Bantz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This is a summary of the origins, issues, and SP best practices associated with the eduPersonTargetedID attribute.

Table of Contents

Background

Liberty

While extending SAML, the Liberty Alliance developed a concept they called "federated" identifiers. In their terms, federating a user is accomplished by creating an opaque identifier for the user that is specific to both an IdP and an SP, and is shared only between them. This was termed a "federation handle" and was designed to preserve privacy and prevent correlation of user activity across unrelated services.

...

This is the usually recommended approach to passing an eduPersonTargetedID to SAML 2.0 SPs, including Shibboleth 2.x. Instead of using a SAML attribute, the information is passed in the subject of the assertion:

Code Block
xml
xml

<saml2:Subject>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    NameQualifier="https://idp.example.org/idp/shibboleth"
    SPNameQualifier="https://sp.example.org/shibboleth">
  84e411ea-7daa-4a57-bbf6-b5cc52981b73
  </saml2:NameID>
</saml2:Subject>

...

As an alternative, it's possible to embed the same syntax above inside a SAML attribute with the formal name "urn:oid:1.3.6.1.4.1.5923.1.1.1.10". The main reason for doing this would be to preserve the ability to pass a different kind of identifier in the assertion subject. One use case for this is to support the use of computed/non-reversible values for the "targeted" ID, but use transient, reversible values in the subject to support attribute queries or logout.

Code Block
xml
xml

<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
    FriendlyName="eduPersonTargetedID">
  <saml2:AttributeValue>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">
      84e411ea-7daa-4a57-bbf6-b5cc52981b73
    </saml2:NameID>
  </saml2:AttributeValue>
</saml2:Attribute>
Tip
titleShibboleth-Specific Tip

See the IdPAddAttribute topic for information on producing this result. The main requirement is to attach an "AttributeEncoder" of type SAML2XMLObjectAttributeEncoder to the source attribute; i.e., <resolver:AttributeEncoder xsi:type="SAML2XMLObject"... />.

SAML 1.1 Attribute

This is the recommended approach to passing an eduPersonTargetedID to SAML 1.1 SPs, including Shibboleth 1.3.x. It is very similar to the attribute-based syntax above and uses the same formal name.

Code Block
xml
xml

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
    AttributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
  <saml:AttributeValue>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">
      84e411ea-7daa-4a57-bbf6-b5cc52981b73
    </saml2:NameID>
  </saml:AttributeValue>
</saml:Attribute>

...

Finally, the original "botched" syntax is below. Unfortunately, this is probably by far the most common approach one will see today. It is however incorrect.

Code Block
xml
xml

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
    AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID">
  <saml:AttributeValue Scope="https://idp.example.org/idp/shibboleth">84e411ea-7daa-4a57-bbf6-b5cc52981b73</saml:AttributeValue>
</saml:Attribute>

...

The three proper forms that rely on a SAML 2.0 NameID element are by default (in the attribute-map) interchangeably handled and reflected to applications as an SP attribute called "persistent-id". By default, the attribute is expressed by concatenating the three pieces of data together with a bang (!) symbol as follows (using the example data above).

Code Block

https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!84e411ea-7daa-4a57-bbf6-b5cc52981b73

...

The broken form by default is mapped to an SP attribute called "targeted-id" (to help delineate it from the proper form) and is expressed as a "scoped" string with the following @-delimited form:

Code Block

84e411ea-7daa-4a57-bbf6-b5cc52981b73@example.org

...

The proper form was handled by concatenating the three pieces of data together with a bang (!) symbol as follows (using the example data above). This was a hard-coded approach that can't easily be altered without plugging in additional code or altering the source code while building it.

Code Block

https://idp.example.org/idp/shibboleth!https://sp.example.org/shibboleth!84e411ea-7daa-4a57-bbf6-b5cc52981b73

The broken form was handled by treating the attribute as "scoped", resulting in the following @-delimited form:

Code Block

84e411ea-7daa-4a57-bbf6-b5cc52981b73@example.org

...