The Shibboleth IdP V4 software will leave support on September 1, 2024.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

This data connector was historically used to produce both the "eduPersonTargetedID" SAML Attribute and to generate SAML 2.0 "persistent" NameID values. The original Attribute use case is essentially deprecated because SAML 1 itself is a legacy standard and because the use of the Attribute in SAML 2 is both redundant, and overly complex. The NameID use case has been replaced by an equivalent NameID "generator" (see the NameIDGenerationConfiguration topic).

The connector remains supported for use with the new SAML SubjectID specification's "pairwise-id" replacement for all these legacy approaches.

That said, we strongly suggest considering use of the ComputedId DataConnector, which is much less troublesome. When you inevitably find that the database approach lacks reliability, there won't be a lot you can do about it if you have services relying on the values. Start with the hashing approach and only then really consider whether you need anything else.

Overview

The StoredId DataConnector generates a single-valued IdPAttribute whose value is persistent, opaque, and unique per user and per relying party. The value generated is stored in a database, which allows features such as reverse-lookup that are not supported by the ComputedId DataConnector, but at the additional cost of a read/write data store that must be highly available and perfectly consistent.

The source attribute value and relying party are looked up in a table and if a value is found, it is returned. Otherwise, if a salt is provided, then an initial value is calculated as for the ComputedId DataConnector. If no salt is provided, then a random value is generated. In either case, the result is stored in the database for future use.

This layered approach allows a transition between the two methods of generation and potentially allows for the database-backed approach to be tested for reliability before fully committing to it while providing a backout strategy.

Database Configuration

The database definition required is the same as that described in the PersistentNameIDGenerationConfiguration documentation. You can (and usually should) share a data source definition between that feature and this one by defining the data source globally and referencing it via the <BeanManagedConnection> element.

Reference

Example

<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="StoredId" sourceAttributeID="email">
   <BeanManagedConnection>TheDataConnectorId</BeanManagedConnection>
</DataConnector>
  • No labels