
Warning

The Attribute Definitions in this example use the SAML2NameID type which has been deprecated since V3 and will go away in V5.

There are many reasons why you may be using the StoredIdConnector but may also wish to move away from it.

In moving to a purely ComputedIdConnector setup you risk losing the existing persistent IDs that your users may be relying on to get access to resources.

Configuration changes

It’s possible to configure the IdP to:

  1. Check the existing StoredID database for a value and return it if present

  2. If a value is not present, request one from the ComputedID generator instead

An approximation in pseudo-code:

```xml
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector ref="sqlite-db" attributeNames="persistentId"/>

    <AttributeEncoder xsi:type="SAML2XMLObject"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</AttributeDefinition>
```

Reviewing existing data for mismatches

It’s possible to get the RDBMS to evaluate all your existing records and report which are wrong (that is, records whose persistentId would be different if it were regenerated now).

This process is specifically for MySQL, but the general principle should port to other database engines (the function calls may be different!). I’ve also assumed that you’re using BASE64 and SHA1, so you may need to tweak the query for your specific circumstances.

Create a temporary table with salt

In creating a TEMPORARY table, the data stays in memory only, doesn’t persist outside of the session you’re using and isn’t written to transaction logs.

```sql
CREATE TEMPORARY TABLE salt (
	id integer primary key not null,
	salt varchar(1024)
);

INSERT INTO salt VALUES (0, 'EXISTING SALT VALUE');
```

Compare the data

This query recalculates the persistentId for all existing records in the database and compares that with the one already in the database and only reports mismatches:

```sql
SELECT * FROM (
    SELECT
        c.localEntity,
        c.peerEntity,
        c.persistentId,
        c.principalName,
        c.localId,
        c.creationDate,
        TO_BASE64(
            UNHEX(
                SHA1(
                    CONCAT( c.peerEntity, '!', c.localId, '!', s.salt )
                )
            )
        ) as computedId
    FROM shibpid c
        JOIN salt s WHERE s.id=0
) generate_pids
WHERE persistentId <> computedId;
```
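The two procedures above (look up the stored ID first and fall back to the computed one, then audit the stored rows for mismatches) can be exercised offline against an exported copy of the table. The following is an added example, not code from the Shibboleth project or from this wiki page: it rebuilds the same base64(SHA1("peerEntity!localId!salt")) expression in Python, registers it as a SQL function on an in-memory SQLite database standing in for MySQL, and runs the mismatch query against a few constructed shibpid rows. The salt value, the entity IDs, the rows, and the reduced shibpid column set are all assumptions made for the example; substitute your own salt and your real table.

```python
import base64
import hashlib
import sqlite3

# Constructed sample salt for this example; the real value is the one configured
# on the IdP's ComputedId/StoredId connector.
SALT = "EXISTING SALT VALUE"


def computed_id(peer_entity: str, local_id: str, salt: str = SALT) -> str:
    """Recreate the ComputedId value: base64(SHA1("peerEntity!localId!salt")).

    Same expression as the MySQL query on this page:
    TO_BASE64(UNHEX(SHA1(CONCAT(peerEntity, '!', localId, '!', salt)))).
    """
    material = f"{peer_entity}!{local_id}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def open_sample_db() -> sqlite3.Connection:
    """Build an in-memory shibpid table with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE shibpid (
               localEntity TEXT, peerEntity TEXT, persistentId TEXT,
               principalName TEXT, localId TEXT, creationDate TEXT)"""
    )
    sp = "https://sp.example.org/shibboleth"  # assumed relying party entityID
    rows = [
        # Stored value equals what the ComputedIdConnector would generate today.
        ("https://idp.example.org/idp", sp, computed_id(sp, "jdoe"),
         "jdoe", "jdoe", "2020-01-01"),
        # Stored under an older salt or a different source attribute: will not match.
        ("https://idp.example.org/idp", sp, "STALE-ID",
         "asmith", "asmith", "2019-06-01"),
    ]
    conn.executemany("INSERT INTO shibpid VALUES (?,?,?,?,?,?)", rows)
    # Expose computed_id() to SQL so the audit query can mirror the MySQL version.
    conn.create_function("computed_id", 3, computed_id)
    return conn


def find_mismatches(conn: sqlite3.Connection, salt: str = SALT) -> list:
    """Return rows whose stored persistentId differs from the recomputed value."""
    return conn.execute(
        """SELECT * FROM (
               SELECT localEntity, peerEntity, persistentId, principalName, localId,
                      creationDate, computed_id(peerEntity, localId, ?) AS computedId
               FROM shibpid
           ) generate_pids
           WHERE persistentId <> computedId""",
        (salt,),
    ).fetchall()


def resolve_persistent_id(conn: sqlite3.Connection, peer_entity: str,
                          local_id: str, salt: str = SALT) -> str:
    """Stored value first; ComputedId only when no stored row exists.

    This is the two-step behaviour described under "Configuration changes".
    """
    row = conn.execute(
        "SELECT persistentId FROM shibpid WHERE peerEntity = ? AND localId = ?",
        (peer_entity, local_id),
    ).fetchone()
    return row[0] if row else computed_id(peer_entity, local_id, salt)


if __name__ == "__main__":
    db = open_sample_db()
    for r in find_mismatches(db):
        print("mismatch:", r)
    print(resolve_persistent_id(db, "https://sp.example.org/shibboleth", "newuser"))
```

Running the module prints the single constructed mismatch (the "asmith" row) and a freshly computed ID for a principal with no stored row. Against a real export, point `open_sample_db()` at a file-backed SQLite copy of shibpid instead of the constructed rows; the SQL in `find_mismatches()` is deliberately shaped like the MySQL query above so the two can be compared side by side.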