Crypto Transient ID Attribute Definition

Available in IdP 2.3 and later, this attribute definition produces a cryptographically verifiable opaque identifier that a CryptoTransient principal connector can later map back to the user. Because the identifier carries its own integrity-protected and encrypted content, multiple IdP nodes that share a symmetric key can both issue and consume identifiers without sharing any state between them. This is one part of a stateless clustering solution.

...

A crypto transient ID attribute definition starts with the same <resolver:AttributeDefinition> element as all other attribute definitions and has a type attribute of xsi:type="ad:CryptoTransientId". Each definition must also have an id attribute that assigns it a unique identifier (i.e., unique among all attribute definitions) used to refer to the definition within the rest of the attribute resolver configuration.

The <resolver:AttributeDefinition> element must also contain a dataSealerRef attribute that identifies a Spring-configured DataSealer bean. It may also contain a lifetime attribute controlling how long the identifier remains valid. The expiration time is sealed into the value itself, so a consuming node enforces it from the identifier alone and a holder of the identifier cannot extend it.
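The following attribute-resolver.xml fragment is an added example of the element described above; it is not configuration taken from this page or shipped by the project. The bean name shibboleth.TransientIdDataSealer, the 4-hour lifetime, and the exact attributes of the matching principal connector (pc:CryptoTransient, nameIDFormat) are assumptions for illustration; the namespace prefixes resolver:, ad:, enc: and pc: are those declared on the root element of an IdP 2.x attribute-resolver.xml.

```xml
<!-- Added example, not the project's own configuration.
     Assumes a DataSealer bean named "shibboleth.TransientIdDataSealer" is
     defined in a Spring file the IdP loads, and that every node in the
     cluster loads that bean with the same symmetric key. -->

<!-- Issuing side: seal the principal name plus an expiry into an opaque value. -->
<resolver:AttributeDefinition id="cryptoTransientId"
                              xsi:type="ad:CryptoTransientId"
                              dataSealerRef="shibboleth.TransientIdDataSealer"
                              lifetime="PT4H">
    <!-- lifetime is an ISO 8601 duration (assumed format); PT4H = 4 hours.
         The expiry is sealed into the value, not tracked in server state. -->

    <!-- Release the sealed value as a SAML 2 transient NameID. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>

<!-- Consuming side: the CryptoTransient principal connector unseals a NameID
     received from an SP (e.g. during an attribute query or logout) and
     recovers the principal name, using the same sealer bean.
     Element/attribute names here are assumed for illustration. -->
<resolver:PrincipalConnector id="cryptoTransient"
                             xsi:type="pc:CryptoTransient"
                             dataSealerRef="shibboleth.TransientIdDataSealer"
                             nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
```

Two practical points follow from the design rather than from any extra documentation. First, any node that must consume these identifiers has to reference a sealer loaded with the same key as the issuer, so the key material must be distributed to every node before the definition is enabled. Second, an identifier sealed under one key is only recoverable by holders of that key, so rotating the key has to be coordinated across nodes with the chosen lifetime in mind.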

...