Comment: Migrated to Confluence 5.3

...

  1. Create a TransientId or CryptoTransientId attribute definition that generates the transient ID value.
  2. Attach a SAML 1 Name Identifier attribute encoder and a SAML 2 NameID attribute encoder to the attribute.

Transient Name Identifier Attribute Definition (XML):
<resolver:AttributeDefinition id="transientId" xsi:type="TransientId"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad">

    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />

    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>

...

Finally, define an attribute filter policy that releases the transient ID to the intended relying parties. Because transient IDs are opaque, and therefore not personally identifiable, they are safe to release to anyone. The following attribute filter policy, which releases the attribute to every relying party, is therefore suggested, but a deployer may use a different one at their discretion.

Attribute Filter Policy Releasing Transient ID to Anyone (XML):
<AttributeFilterPolicy id="releaseTransientIdToAnyone">

    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

</AttributeFilterPolicy>
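The two fragments above (the resolver definition with its encoders, and the filter policy that releases it) only work together: an encoder with the wrong nameFormat, or a filter that never permits transientId, silently leaves relying parties without a NameID. The following checker is an added example written for this page, not Shibboleth project code. It parses attribute-resolver.xml and attribute-filter.xml text, resolves each xsi:type QName against the namespace declarations in scope (the page's fragments rely on default-namespace declarations, so prefix handling matters), and reports what is missing or mismatched. The sample documents are constructed: the page's fragments wrapped in the root elements they live in, plus deliberately misconfigured variants.

```python
"""Check a Shibboleth IdP 2.x transient ID setup (added example, not project code).

Verifies that the transient ID attribute definition, its two NameID encoders and a
releasing filter policy are present as described. Sample documents are constructed.
"""
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
RESOLVER = "urn:mace:shibboleth:2.0:resolver"
AD = "urn:mace:shibboleth:2.0:resolver:ad"
ENC = "urn:mace:shibboleth:2.0:attribute:encoder"
AFP = "urn:mace:shibboleth:2.0:afp"
TRANSIENT_TYPES = {"TransientId", "CryptoTransientId"}
# encoder type -> nameFormat it must carry for a transient identifier
EXPECTED_ENCODERS = {
    (ENC, "SAML1StringNameIdentifier"): "urn:mace:shibboleth:1.0:nameIdentifier",
    (ENC, "SAML2StringNameID"): "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}


def xsi_typed_elements(xml_text):
    """Map each element carrying xsi:type to its resolved (namespace, local name).

    xsi:type is a QName, so its prefix (or lack of one) must be resolved against the
    declarations in scope at that element. ElementTree discards prefixes, so a stack
    of declarations is kept from iterparse's start-ns/end-ns events instead.
    """
    scope, typed = [], {}  # scope: stack of (prefix, uri); "" is the default namespace
    source = io.BytesIO(xml_text.encode())
    for event, payload in ET.iterparse(source, events=("start-ns", "end-ns", "start")):
        if event == "start-ns":
            scope.append(payload)
        elif event == "end-ns":
            scope.pop()
        elif (qname := payload.get(f"{{{XSI}}}type")) is not None:
            prefix, _, local = qname.rpartition(":")
            uri = next((u for p, u in reversed(scope) if p == prefix), None)
            typed[payload] = (uri, local)
    return typed


def check_transient_id(resolver_xml, filter_xml, attribute_id="transientId"):
    """Return a list of findings; an empty list means the configuration looks right."""
    findings = []
    typed = xsi_typed_elements(resolver_xml)
    definition = next((e for e in typed if e.tag == f"{{{RESOLVER}}}AttributeDefinition"
                       and e.get("id") == attribute_id), None)
    if definition is None:
        findings.append(f"resolver: no AttributeDefinition with id '{attribute_id}'")
    else:
        ns, local = typed[definition]
        if ns != AD or local not in TRANSIENT_TYPES:
            findings.append(f"resolver: '{attribute_id}' has type {local!r}, "
                            "expected TransientId or CryptoTransientId")
        # nameFormat per encoder type actually attached to the definition
        attached = {typed.get(e): e.get("nameFormat")
                    for e in definition.findall(f"{{{RESOLVER}}}AttributeEncoder")}
        for enc_type, fmt in EXPECTED_ENCODERS.items():
            if enc_type not in attached:
                findings.append(f"resolver: missing {enc_type[1]} encoder on '{attribute_id}'")
            elif attached[enc_type] != fmt:
                findings.append(f"resolver: {enc_type[1]} nameFormat is "
                                f"{attached[enc_type]!r}, expected {fmt!r}")
    # The attribute is only released if some policy has an AttributeRule permitting it.
    root = ET.fromstring(filter_xml)
    permitted = any(
        rule.get("attributeID") == attribute_id
        and rule.find(f"{{{AFP}}}PermitValueRule") is not None
        for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy")
        for rule in policy.findall(f"{{{AFP}}}AttributeRule"))
    if not permitted:
        findings.append(f"filter: no AttributeFilterPolicy permits '{attribute_id}'")
    return findings


# Constructed samples: the page's fragments inside their real root elements.
RESOLVER_OK = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="transientId" xsi:type="TransientId"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""
FILTER_OK = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="transientId"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""
# Constructed misconfigurations: prefixed QNames, SAML 1 encoder dropped, SAML 2 format
# set to persistent, and a filter that releases a different attribute instead.
RESOLVER_BAD = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder">
  <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""
FILTER_BAD = FILTER_OK.replace('attributeID="transientId"', 'attributeID="eduPersonAffiliation"')

if __name__ == "__main__":
    print("good config:", check_transient_id(RESOLVER_OK, FILTER_OK) or "no findings")
    for finding in check_transient_id(RESOLVER_BAD, FILTER_BAD):
        print("bad config:", finding)
```

Run it against real files by reading attribute-resolver.xml and attribute-filter.xml into the two arguments. The scoped QName resolution is the part worth keeping: both the default-namespace style used on this page and the ad:/enc: prefixed style are accepted, so a checker that only string-matched xsi:type="TransientId" would miss the second form.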