Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

The ComputedId DataConnector generates a single-valued IdPAttribute from the (usually SHA-1) digest of a requester's name (in SAML, an entityID), a source attribute value, and a salt that must be kept secret to prevent off-line generation of the hashes to recover the underlying attribute value.

The attribute value is therefore opaque and unique per user, per relying party, suitable for use as a SAML "persistent" NameID or "pairwise-id" Subject Attribute.

In advanced scenarios, the input to the hash can vary from the requester's identity to a different value that may be associated with the requester, allowing for multiple requesters to receive the same value. This is all "internal" to the system and is not part of the configuration of the connector; it simply does the right thing in these cases.

Reference

Specific XML Attributes

| Name | Type | Req? | Default | Description |
|---|---|---|---|---|
| generatedAttributeID | string | | ID of the connector | The id of the IdPAttribute that is produced |
| salt OR encodedSalt | string | Y | | A salt, of at least 16 bytes, used in the computation. It is provided either directly (salt) or in base64-encoded form (encodedSalt); one of the two must be set. The encoded option allows for binary characters, whitespace, or other difficult-to-capture content in the salt. |
| encoding | string | | BASE64 | Controls the eventual text encoding of the value. This should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration). |
| algorithm | string | | SHA | Controls the digest algorithm applied |
| exceptionMapRef | Bean ID | | | References a Spring bean defining a map of exception overrides for altering salt or suppressing generation of IDs for users and services. See the "Sparse Overrides" section in the PersistentNameIDGenerationConfiguration topic. |

Common XML Attributes

See DataConnectorCommonAttributes.

Common XML Elements

See DataConnectorCommonChildElements.

Example

The example produces a hashed value using an input attribute "Foo" from a DataConnector named "DataSourceForFoo".

<DataConnector id="ComputedIDConnector" xsi:type="ComputedId" 
	generatedAttributeID="ComputedID"
	salt="abcdefghijklmnopqrstuvwxyz"
	encoding="BASE32">

	<InputDataConnector ref="DataSourceForFoo" attributeNames="Foo" />

</DataConnector>
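
What a connector configured like the one above computes, sketched as an added example (not Shibboleth's own code). The order of the inputs and the "!" separators are assumptions of this sketch that the page does not specify, and the entityIDs and the source value "jdoe" are constructed.

```python
import base64
import hashlib

MIN_SALT_BYTES = 16  # the page requires a salt of at least 16 bytes


def decode_salt(salt=None, encoded_salt=None):
    """Mirror 'salt OR encodedSalt'. Rejecting both being set is a choice
    of this example; the page only says that one must be set."""
    if (salt is None) == (encoded_salt is None):
        raise ValueError("set exactly one of salt / encodedSalt")
    if salt is not None:
        return salt.encode("utf-8")
    return base64.b64decode(encoded_salt)  # may carry arbitrary binary


def computed_id(entity_id, source_value, salt, encoding="BASE32",
                algorithm="sha1"):
    """Opaque identifier, unique per user and per relying party.

    ASSUMPTION: input order and the b"!" separators are picked for this
    example. "sha1" is the hashlib name for the usual SHA-1 digest.
    """
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt must be at least %d bytes" % MIN_SALT_BYTES)
    if not entity_id or not source_value:
        raise ValueError("entity_id and source_value must be non-empty")
    md = hashlib.new(algorithm)
    for part in (entity_id, source_value):
        md.update(part.encode("utf-8"))
        md.update(b"!")
    md.update(salt)  # secret: without it the hash cannot be rebuilt offline
    digest = md.digest()
    if encoding == "BASE32":
        return base64.b32encode(digest).decode("ascii")
    if encoding == "BASE64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError("unsupported encoding: " + encoding)


# Constructed sample input: salt from the page's example, made-up entityIDs.
SALT = decode_salt(salt="abcdefghijklmnopqrstuvwxyz")
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"

if __name__ == "__main__":
    for sp in (SP_A, SP_B):  # same user, different value per relying party
        print(sp, computed_id(sp, "jdoe", SALT))
    print("BASE64:", computed_id(SP_A, "jdoe", SALT, encoding="BASE64"))
```

The BASE32 output contains only upper-case letters and digits, so it is unaffected by systems that fold case, whereas the BASE64 form mixes cases.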