Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
This data connector was historically used to produce both the "eduPersonTargetedID" SAML Attribute, which contains a SAML <NameID>
element in its values, and to generate SAML 2.0 "persistent" NameID values. The attribute use case is itself generally deprecated because SAML 1 itself is a legacy standard and because the use of the attribute in SAML 2 is both redundant, and overly complex. The NameID use case has been replaced by an equivalent NameID "generator" (see the NameIDGenerationConfiguration topic).
The connector remains supported for use with the new SAML SubjectID specification's "pairwise-id" replacement for all these legacy approaches.
That said, we strongly suggest considering use of the ComputedIdConnector in most cases as less troublesome. When you inevitably find that the database approach lacks reliability, there won't be a lot you can do about it.
The StoredId
data connector generates an attribute whose value is persistent, opaque, and unique per user, per relying party. The value generated is stored in a database, which allows features such as reverse-lookup that are not supported by the ComputedIdConnector, but at the additional cost of a read/write data store that must be highly available.
The source attribute value and relying party are looked up in a table (named shibpid
by default), and if a value is found, it is returned. Otherwise, if a salt is provided, then an initial value is calculated as for the ComputedIdConnector. If no salt is provided, then a random value is generated. In either case, the result is stored in the database for future use.
Database Configuration
The database definition required is the same as that described in the PersistentNameIDGenerationConfiguration documentation. You can (and usually should) share a data source definition between that mechanism and this deprecated mechanism by defining the data source globally and referencing it via the <BeanManagedConnection>
element.
Configuration Reference
Attributes
Any of the common attributes can be specified. In addition the following attributes are supported:
Name | Type | Default | Description |
---|---|---|---|
generatedAttributeID | string | ID of the connector | ID of the IdPAttribute generated |
salt | string | Salt, of at least 16 bytes, used in computing initial values | |
encoding | string | BASE64 | Controls the eventual text encoding of the value, this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration) |
queryTimeout | XML Duration or a number of milliseconds | PT5S | Timeout for the queries made against the database |
transactionRetries | integer | 3 | Number of retries if insertion fails due to database transaction bugs |
tableName 4.1 | string | shibpid | Overrides name of database table to use |
failFastInitialize | boolean | false | Whether a failure when verifying the database's availability and primary key during startup is fatal (stops the Attribute filter service from starting) |
retryableErrors | space-delimited list of strings | 23000 23505 | SQLState codes to treat as retryable errors indicating a duplicate insert due to database transaction bugs |
springResource | resource | Deprecated, use the <BeanManagedConnection> element instead | |
exceptionMapRef | Bean ID | References a Spring bean defining a map of exception overrides for altering salt or suppressing generation of IDs for users and services. See the "Sparse Overrides" section in the PersistentNameIDGenerationConfiguration topic. |
Child Elements
Any of the common child elements can be specified. In addition, one of the following may be provided if the deprecated springResource
attribute is not provided.
Name | Cardinality | Description |
---|---|---|
0 or 1 (all elements) | Connects to a database via a JNDI resource defined in the container | |
Connects to a database via a JDBC data source configured explicitly | ||
Connects to a database via an externally specified DataSource |
Example
<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="ComputedID" sourceAttributeID="email"> <BeanManagedConnection>TheDataConnectorId</BeanManagedConnection> </DataConnector>