Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 14 Next »

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

This data connector was historically used to produce both the "eduPersonTargetedID" SAML Attribute and to generate SAML 2.0 "persistent" NameID values. The original Attribute use case is essentially deprecated because SAML 1 itself is a legacy standard and because the use of the Attribute in SAML 2 is both redundant, and overly complex. The NameID use case has been replaced by an equivalent NameID "generator" (see the NameIDGenerationConfiguration topic).

The connector remains supported for use with the new SAML SubjectID specification's "pairwise-id" replacement for all these legacy approaches.

That said, we strongly suggest considering use of the ComputedId DataConnector, which is much less troublesome. When you inevitably find that the database approach lacks reliability, there won't be a lot you can do about it if you have services relying on the values. Start with the hashing approach and only then really consider whether you need anything else.

Overview

The StoredId DataConnector generates a single-valued IdPAttribute whose value is persistent, opaque, and unique per user and per relying party. The value generated is stored in a database, which allows features such as reverse-lookup that are not supported by the ComputedId DataConnector, but at the additional cost of a read/write data store that must be highly available and perfectly consistent.

The source attribute value and relying party are looked up in a table and if a value is found, it is returned. Otherwise, if a salt is provided, then an initial value is calculated as for the ComputedId DataConnector. If no salt is provided, then a random value is generated. In either case, the result is stored in the database for future use.

This layered approach allows a transition between the two methods of generation and potentially allows for the database-backed approach to be tested for reliability before fully committing to it while providing a backout strategy.

Database Configuration

The database definition required is the same as that described in the PersistentNameIDGenerationConfiguration documentation. You can (and usually should) share a data source definition between that feature and this one by defining the data source globally and referencing it via the <BeanManagedConnection> element.

Reference

 Specific XML Attributes

Name

Type

Default

Description

generatedAttributeID   

string

ID of the connector

ID of the IdPAttribute generated

salt OR encodedSalt

string


A salt, of at least 16 bytes, used in the computation. Must be directly provided or in a base64-encoded form, but one must be set. The encoded option allows for binary characters, whitespace, or other difficult to capture content in the salt.

encoding

string

BASE64

Controls the eventual text encoding of the value, this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration)

queryTimeout

Duration

PT5S

Timeout for the queries made against the database

transactionRetries

integer

3

Number of retries if insertion fails due to database transaction bugs

tableName 4.1

string

shibpid

Overrides name of database table to use

failFastInitialize

boolean

false

Whether a failure when verifying the database's availability and primary key during startup is fatal (prevents the AttributeResolver service from starting or the configuration from reloading)

retryableErrors

space-delimited list of strings

23000 23505

SQLState codes to treat as retryable errors indicating a duplicate insert due to database transaction bugs

exceptionMapRef

Bean ID


References a Spring bean defining a map of exception overrides for altering salt or suppressing generation of IDs for users and services. See the "Sparse Overrides" section in the PersistentNameIDGenerationConfiguration topic.

 Specific XML Elements

One of the following MUST be provided:

Name

Cardinality

Description

<ContainerManagedConnection>


0 or 1 (all elements)

Connects to a database via a JNDI resource defined in the container

<SimpleManagedConnection>

Connects to a database via a JDBC data source configured explicitly

<BeanManagedConnection>

Connects to a database via an externally specified DataSource



 Common XML Attributes

Name

Type

Default

Description

id

String


Identifier for the DataConnector. This is used for logging, to establish dependencies, and as a target for failover.

activationConditionRef

Bean ID


Bean ID of a condition to decide whether to resolve this connector, see here.
Mutually exclusive with relyingParties and resolutionPhases and variants

relyingParties

Space-delimited list


List of entity IDs for which this connector should be resolved.
Mutually exclusive with activationConditionRef

excludeRelyingParties 4.1

Space-delimited list


List of entity IDs for which this connector should not be resolved.
Mutually exclusive with activationConditionRef

resolutionPhases 4.1

Space-delimited list


List of resolution phases (i.e. flows) during which this connector should be resolved.
Mutually exclusive with activationConditionRef

excludeResolutionPhases 4.1

Space-delimited list


List of resolution phases (i.e. flows) during which this connector should not be resolved.
Mutually exclusive with activationConditionRef

exportAttributes

Space-delimited list


List of attributes produced by the DataConnector that should be directly exported as resolved IdPAttributes without requiring actual AttributeDefinitions.

In the case of a name clash (a DataConnector exports an attribute with the same name as an AttributeDefinition, or another DataConnector exports the same attribute) the DataConnector attribute is NOT added and a warning issued.

noRetryDelay

Duration

0

Time between retries of a failed DataConnector (during the interval, failure is just assumed when the connector is run and no actual connection is attempted)

propagateResolutionExceptions

Boolean

true

Whether connector/plugin failure is fatal to the entire attribute resolution process

The following table contains advanced settings rarely used in common practice.

Name

Type

Description

springResources

String

A series of ';' separated resource names which contain Spring definitions for this connector.

Not valid for ComputedId and Stored DataConnector and DEPRECATED for use with Scripted DataConnector

springResourcesRef

Bean ID

Bean ID of a List<Resource> which contain Spring definitions for this connector. See below.
Not valid for Computed and Stored DataConnector

factoryPostProcessorsRef

Bean ID

Bean ID of a List<BeanFactoryPostProcessor> for use when parsing the resources specified by springResources or springResourcesRef

postProcessorsRef

Bean ID

Bean ID of a List<BeanPostProcessor> for use when parsing the resources specified by springResources or springResourcesRef

profileContextStrategyRef

Bean ID

Bean ID of a function injected to override the normal lookup process for the request's ProfileRequestContext


 Common XML Elements

Name

Cardinality

Description

<InputAttributeDefinition>

0 or more

This element identifies an attribute definition which is an input to this data connector

<InputDataConnector>

0 or more

This element identifies a data connector whose attributes are to be input to this data conector

<FailoverDataConnector>   

0 or 1

This element has a single attribute ref="whatever" whose content is the identifier of a data connector to resolve if this data connector fails (for instance due to the external data source being unavailable)


Example

<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="StoredId" sourceAttributeID="email">
   <BeanManagedConnection>TheDataConnectorId</BeanManagedConnection>
</DataConnector>


  • No labels