...
Warning |
---|
The Attribute Definitions in this example use the |
Table of Contents |
---|
There are many reasons why you may be using the StoredIdConnector but may also wish to move away from it.
In moving away to a purely ComputedIdConnector you risk losing the existing persistent IDs that your users may be relying on to get access to resources.
Configuration changes
It’s possible to configure the IdP to:
Check the existing StoredID database for a value and return it if present
If a value is not present, request one from the ComputedID generator instead
An approximation in pseudo-code:
...
Code Block | ||
---|---|---|
| ||
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"> <InputDataConnector ref="sqlite-db" attributeNames="persistentId"/> <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" /> </AttributeDefinition> |
Reviewing existing data for mismatches
It’s possible to get the RDBMS to evaluate all your existing records and report which are wrong (in that if they were regenerated now the persistentId
would be different).
This process is specifically for MySQL but the general principle should port to other database engines (the function calls may be different!). I’ve also assumed that you’re using BASE64
and SHA1
so you may need to tweak the query for your specific circumstances.
Create a temporary table with salt
In creating a TEMPORARY
table, the data stays in memory only, doesn’t persist outside of the session you’re using and isn’t written to transaction logs.
Code Block | ||
---|---|---|
| ||
CREATE TEMPORARY TABLE salt (
id integer primary key not null,
salt varchar(1024)
);
INSERT INTO salt VALUES (0, 'EXISTING SALT VALUE'); |
Compare the data
This query recalculates the persistentId
for all existing records in the database and compares that with the one already in the database and only reports mismatches:
Code Block | ||
---|---|---|
| ||
SELECT * FROM (
SELECT
c.localEntity,
c.peerEntity,
c.persistentId,
c.principalName,
c.localId,
c.creationDate,
TO_BASE64(
UNHEX(
SHA1(
CONCAT( c.peerEntity, '!', c.localId, '!', s.salt )
)
)
) as computedId
FROM shibpid c
JOIN salt s WHERE s.id=0
) generate_pids
WHERE persistentId <> computedId; |