The Shibboleth IdP V4 software will leave support on September 1, 2024.


Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

This data connector was historically used both to produce the "eduPersonTargetedID" SAML Attribute, which contains a SAML <NameID> element in its values, and to generate SAML 2.0 "persistent" NameID values. The attribute use case is itself generally deprecated because SAML 1 is a legacy standard and because the use of the attribute in SAML 2 is both redundant and overly complex. The NameID use case has been replaced by an equivalent NameID "generator" (see the NameIDGenerationConfiguration topic).

The connector remains supported for use with the new SAML SubjectID specification's "pairwise-id" replacement for all these legacy approaches.

That said, we strongly suggest considering the ComputedIdConnector in most cases, as it is less troublesome. When you inevitably find that the database approach lacks reliability, there won't be a lot you can do about it.

The StoredId data connector generates an attribute whose value is persistent, opaque, and unique per user, per relying party. The value generated is stored in a database, which allows features such as reverse-lookup that are not supported by the ComputedIdConnector, but at the additional cost of a read/write data store that must be highly available.

The source attribute value and relying party are looked up in a table (named shibpid by default), and if a value is found, it is returned. Otherwise, if a salt is provided, then an initial value is calculated as for the ComputedIdConnector. If no salt is provided, then a random value is generated. In either case, the result is stored in the database for future use.
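The lookup-or-create behaviour described above, as an added example that is not part of this page or of the IdP's own code. It uses an in-memory SQLite table as a constructed stand-in for shibpid (with a reduced, assumed set of columns), treats SQLite's IntegrityError as the counterpart of the SQLState 23000/23505 duplicate-insert errors listed under retryableErrors, and assumes the ComputedIdConnector's initial-value formula is SHA-1 over relyingParty + "!" + sourceValue + "!" + salt, which this page does not itself state. It also shows the reverse lookup that only the stored approach supports, and why BASE32 output is safer than BASE64 in a case-insensitive database.

```python
import base64
import hashlib
import secrets
import sqlite3
from typing import Optional, Tuple

# Constructed, simplified stand-in for the IdP's shibpid table (assumed columns;
# the real table carries more, such as principal name and dates).
SCHEMA = """
CREATE TABLE shibpid (
    localEntity  TEXT NOT NULL,  -- this IdP's entityID
    peerEntity   TEXT NOT NULL,  -- relying party entityID
    localId      TEXT NOT NULL,  -- source attribute value
    persistentId TEXT NOT NULL,  -- generated opaque value
    PRIMARY KEY (localEntity, peerEntity, persistentId)
)
"""

def encode(digest: bytes, encoding: str) -> str:
    # BASE32 output is upper-case letters and digits only, so it survives a
    # case-insensitive database collation unchanged; BASE64 does not.
    if encoding not in ("BASE32", "BASE64"):
        raise ValueError(f"unsupported encoding {encoding!r}")
    codec = base64.b32encode if encoding == "BASE32" else base64.b64encode
    return codec(digest).decode("ascii")

def computed_id(relying_party: str, source_value: str, salt: str,
                encoding: str = "BASE64") -> str:
    """Initial value when a salt is configured. Assumed formula (the page only says
    'as for the ComputedIdConnector'): SHA-1 over rp + '!' + value + '!' + salt."""
    if len(salt.encode("utf-8")) < 16:
        raise ValueError("salt must be at least 16 bytes")
    data = f"{relying_party}!{source_value}!{salt}".encode("utf-8")
    return encode(hashlib.sha1(data).digest(), encoding)

class StoredIdConnector:
    def __init__(self, conn: sqlite3.Connection, local_entity: str,
                 salt: Optional[str] = None, encoding: str = "BASE64",
                 transaction_retries: int = 3) -> None:
        self.conn, self.local_entity = conn, local_entity
        self.salt, self.encoding = salt, encoding
        self.transaction_retries = transaction_retries

    def _lookup(self, relying_party: str, source_value: str) -> Optional[str]:
        row = self.conn.execute(
            "SELECT persistentId FROM shibpid "
            "WHERE localEntity = ? AND peerEntity = ? AND localId = ?",
            (self.local_entity, relying_party, source_value)).fetchone()
        return row[0] if row else None

    def resolve(self, relying_party: str, source_value: str) -> str:
        """Stored value for (relying party, source value); generated and persisted on first use."""
        existing = self._lookup(relying_party, source_value)
        if existing is not None:
            return existing
        for _ in range(self.transaction_retries + 1):
            if self.salt:
                value = computed_id(relying_party, source_value, self.salt, self.encoding)
            else:  # no salt: random initial value (20 bytes is an assumption)
                value = encode(secrets.token_bytes(20), self.encoding)
            try:
                with self.conn:  # one transaction, rolled back on error
                    self.conn.execute("INSERT INTO shibpid VALUES (?, ?, ?, ?)",
                                      (self.local_entity, relying_party, source_value, value))
                return value
            except sqlite3.IntegrityError:
                # Duplicate key, sqlite's counterpart of SQLState 23000/23505: most
                # likely a concurrent request stored this user's row first, so
                # re-read and use it; otherwise loop and try a fresh value.
                existing = self._lookup(relying_party, source_value)
                if existing is not None:
                    return existing
        raise RuntimeError("could not persist ID after retries")

    def reverse_lookup(self, persistent_id: str) -> Optional[Tuple[str, str]]:
        """Map a value back to (relying party, source value): what the table buys you."""
        row = self.conn.execute(
            "SELECT peerEntity, localId FROM shibpid WHERE localEntity = ? AND persistentId = ?",
            (self.local_entity, persistent_id)).fetchone()
        return (row[0], row[1]) if row else None

def demo() -> dict:
    """Constructed walk-through on an in-memory database."""
    idp, sp, other = "https://idp.example.org/idp", "https://sp.example.com", "https://other.example.net"
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    salted = StoredIdConnector(conn, idp, salt="0123456789abcdefXYZ", encoding="BASE32")
    first = salted.resolve(sp, "alice@example.org")
    # A later salt change must not alter values already stored: they are read back.
    rekeyed = StoredIdConnector(conn, idp, salt="a-different-salt-of-16+-bytes", encoding="BASE32")
    unsalted = StoredIdConnector(conn, idp)  # no salt: random, BASE64
    return {
        "first": first,
        "again": salted.resolve(sp, "alice@example.org"),
        "other_sp": salted.resolve(other, "alice@example.org"),
        "after_rekey": rekeyed.resolve(sp, "alice@example.org"),
        "reverse": salted.reverse_lookup(first),
        "random": unsalted.resolve(sp, "bob@example.org"),
        "random_again": unsalted.resolve(sp, "bob@example.org"),
    }
```

The retry loop is the part worth studying: a duplicate-key error is first treated as "someone else already stored this user's row" and resolved by re-reading, and only a genuinely unexplained duplicate leads to another attempt. That is also why a salt change after go-live is harmless for existing users (their rows are read, not recomputed) while the salt itself must still be protected, since it alone determines the initial values of users not yet in the table.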

Database Configuration

The database definition required is the same as that described in the PersistentNameIDGenerationConfiguration documentation. You can (and usually should) share a data source definition between that mechanism and this deprecated mechanism by defining the data source globally and referencing it via the <BeanManagedConnection> element.

Configuration Reference

Attributes

Any of the common attributes can be specified. In addition, the following attributes are supported:

Name | Type | Default | Description
generatedAttributeID | string | ID of the connector | ID of the IdPAttribute generated
salt | string | | Salt, of at least 16 bytes, used in computing initial values
encoding | string | BASE64 | Controls the eventual text encoding of the value; this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration)
queryTimeout | XML Duration or a number of milliseconds | PT5S | Timeout for the queries made against the database
transactionRetries | integer | 3 | Number of retries if insertion fails due to database transaction bugs
tableName (4.1) | string | shibpid | Overrides name of database table to use
failFastInitialize | boolean | false | Whether a failure when verifying the database's availability and primary key during startup is fatal (stops the Attribute filter service from starting)
retryableErrors | space-delimited list of strings | 23000 23505 | SQLState codes to treat as retryable errors indicating a duplicate insert due to database transaction bugs
springResource | resource | | Deprecated, use the <BeanManagedConnection> element instead
exceptionMapRef | Bean ID | | References a Spring bean defining a map of exception overrides for altering salt or suppressing generation of IDs for users and services. See the "Sparse Overrides" section in the PersistentNameIDGenerationConfiguration topic.

Child Elements

Any of the common child elements can be specified. In addition, one of the following may be provided if the deprecated springResource attribute is not provided.

Name | Cardinality | Description
<ContainerManagedConnection> | 0 or 1 (at most one of these three elements in total) | Connects to a database via a JNDI resource defined in the container
<SimpleManagedConnection> | 0 or 1 (at most one of these three elements in total) | Connects to a database via a JDBC data source configured explicitly
<BeanManagedConnection> | 0 or 1 (at most one of these three elements in total) | Connects to a database via an externally specified DataSource

Example

<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="ComputedID" sourceAttributeID="email">
   <BeanManagedConnection>TheDataConnectorId</BeanManagedConnection>
</DataConnector>
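An added configuration example, not taken from this page or from the IdP distribution, showing the split recommended under Database Configuration: the DataSource defined once as a global bean (assumed to live in conf/global.xml, with an assumed DBCP2 class, driver, URL and credential property) and referenced from the connector through <BeanManagedConnection>, together with the BASE32 encoding recommended above, the salt read from the idp.persistentId.salt property (assumed to be set in idp.properties), and the remaining attributes at their documented defaults so the effective values are visible.

```xml
<!-- conf/global.xml (assumed location): one DataSource shared by the
     persistent NameID generator and this connector. Class, driver, URL,
     user name and the password property name are placeholders. -->
<bean id="shibboleth.PersistentIdDataSource"
      class="org.apache.commons.dbcp2.BasicDataSource"
      p:driverClassName="org.postgresql.Driver"
      p:url="jdbc:postgresql://db.example.org:5432/idp"
      p:username="idp_pid"
      p:password="%{idp.persistentId.dbpassword}" />

<!-- conf/attribute-resolver.xml: the connector references the bean by id
     instead of carrying its own connection details. -->
<DataConnector id="StoredIDConnector" xsi:type="StoredId"
    generatedAttributeID="storedID"
    sourceAttributeID="email"
    salt="%{idp.persistentId.salt}"
    encoding="BASE32"
    queryTimeout="PT5S"
    transactionRetries="3"
    retryableErrors="23000 23505"
    failFastInitialize="true">
    <BeanManagedConnection>shibboleth.PersistentIdDataSource</BeanManagedConnection>
</DataConnector>
```

Two choices here differ from the defaults on purpose. encoding="BASE32" keeps the stored values free of mixed case, so a case-insensitive collation on the persistentId column cannot make two distinct values compare equal. failFastInitialize="true" turns a missing table or wrong primary key into a startup failure rather than a surprise on the first request; the trade-off is that the service will not start until the database is reachable, which is exactly the high-availability dependency the introduction warns about.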