Transient Name Identifier
Transient name identifiers have the following properties:
| Property | Value |
|---|---|
| longevity | transient, 5 minute lifetime |
| transparency | opaque |
| scoped | no |
| targeted | no |
| revokable | yes, ID automatically revoked after 5 minutes |
| reusable | yes |
Define the Attribute
Transient name identifier attributes are created in two steps:
- Create a transient ID attribute definition that creates the transient ID value.
- Attach SAML 1 Name Identifier and SAML 2 NameID attribute encoder to the attribute.
```xml
<resolver:AttributeDefinition id="transientId" xsi:type="TransientId"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>
```
The name format for a transient ID in SAML 1 is urn:mace:shibboleth:1.0:nameIdentifier and in SAML 2 is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
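The properties table and the attribute definition above describe what a transient ID is: an opaque random value, different on every issuance, that the IdP can map back to a principal only for five minutes. The following Python model is an added example written for this page; it is not the Shibboleth IdP's own transient ID store, and the class and function names (`TransientIdStore`, `saml1_name_identifier`, `saml2_name_id`) are assumptions made here for illustration. It mints opaque IDs, enforces the 5 minute lifetime, and renders the two NameID forms with the name formats the encoders above use.

```python
import secrets
import time
from xml.sax.saxutils import escape

# Lifetime from the properties table: 5 minutes.
TRANSIENT_LIFETIME_SECONDS = 5 * 60

# Name formats from the attribute encoders above.
SAML1_TRANSIENT_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"
SAML2_TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


class TransientIdStore:
    """Hypothetical in-memory store modelling the transient ID properties.

    Not the IdP's implementation; a minimal model of the semantics only.
    """

    def __init__(self, lifetime=TRANSIENT_LIFETIME_SECONDS, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._entries = {}           # transient id -> (principal, expiry timestamp)

    def mint(self, principal):
        """Issue a new opaque ID for the principal.

        Opaque: the value is random and carries no information about the
        principal. Reusable: calling mint again for the same principal yields
        a fresh, unlinkable value rather than the previous one.
        """
        transient_id = secrets.token_urlsafe(32)
        self._entries[transient_id] = (principal, self._clock() + self._lifetime)
        return transient_id

    def resolve(self, transient_id):
        """Map an ID back to its principal, or None once it has been revoked.

        Revocation is automatic: an entry past its expiry is dropped on lookup.
        """
        entry = self._entries.get(transient_id)
        if entry is None:
            return None
        principal, expiry = entry
        if self._clock() >= expiry:
            del self._entries[transient_id]
            return None
        return principal


def saml1_name_identifier(transient_id):
    """Render the SAML 1 NameIdentifier element the SAML1StringNameIdentifier encoder produces."""
    return (
        '<saml1:NameIdentifier xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" '
        'Format="%s">%s</saml1:NameIdentifier>'
        % (SAML1_TRANSIENT_FORMAT, escape(transient_id))
    )


def saml2_name_id(transient_id):
    """Render the SAML 2 NameID element the SAML2StringNameID encoder produces."""
    return (
        '<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
        'Format="%s">%s</saml2:NameID>'
        % (SAML2_TRANSIENT_FORMAT, escape(transient_id))
    )


if __name__ == "__main__":
    store = TransientIdStore()
    tid = store.mint("alice")            # constructed sample principal
    print(saml2_name_id(tid))
    print("resolves to:", store.resolve(tid))
```

The injectable clock is what makes the lifetime property checkable: advancing it past 300 seconds makes `resolve` return `None`, which is the "automatically revoked after 5 minutes" row of the table. Two calls to `mint` for the same principal return different values, which is why a transient ID cannot be used by a relying party to correlate a user across sessions.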
Release the Attribute
Finally, define an attribute filter policy that releases the transient ID to the intended relying parties. Since transient IDs are opaque, and thus not personally identifiable, they are safe to release to anyone. Therefore the following attribute filter policy is suggested, but others may be used at the deployer's discretion.
```xml
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```