Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
Overview
The ComputedId DataConnector generates a single-valued IdPAttribute from a digest (SHA-1 by default) of three inputs: the requester's name (in SAML, its entityID), a source attribute value, and a salt. The salt must be kept secret: anyone who knows it can hash candidate attribute values off-line and match them against issued IDs, recovering the underlying value.
The attribute value is therefore opaque and unique per user and per relying party, which makes it suitable for use as a SAML "persistent" NameID, as the "pairwise-id" Subject Attribute, and as an OpenID Connect "sub" claim.
In advanced scenarios, the requester input to the hash can be replaced with a different value associated with the requester, so that several requesters receive the same value. This is handled internally by the IdP and is not part of the connector's configuration; the connector simply does the right thing in these cases.
Reference
Specific XML Attributes
Name | Type | Req? | Default | Description |
---|---|---|---|---|
generatedAttributeID | string | | ID of the connector | The id of the IdPAttribute that is produced |
salt OR encodedSalt | string | Y | | A salt of at least 16 bytes used in the computation. Exactly one of the two must be set: salt takes the value as plain text, encodedSalt takes it base64-encoded, which allows binary bytes, whitespace, or other content that is hard to express in XML. |
encoding | string | | BASE64 | Controls the text encoding of the resulting value. Set this to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration). |
algorithm | string | | SHA | Controls the digest algorithm applied (a Java JCA algorithm name; "SHA" is the JCA alias for SHA-1) |
exceptionMapRef | Bean ID | | | References a Spring bean defining a map of exception overrides for altering the salt or suppressing generation of IDs for particular users and services. See the "Sparse Overrides" section in the PersistentNameIDGenerationConfiguration topic. |
Common XML Attributes
Name | Type | Default | Description |
---|---|---|---|
id | String | | Identifier for the DataConnector. This is used for logging, to establish dependencies, and as a target for failover. |
activationConditionRef | Bean ID | | Bean ID of a condition that decides whether to resolve this connector, see here. Mutually exclusive with relyingParties, resolutionPhases and their exclude variants. |
relyingParties | Space-delimited list | | List of entity IDs for which this connector should be resolved. Mutually exclusive with activationConditionRef. |
excludeRelyingParties 4.1 | Space-delimited list | | List of entity IDs for which this connector should not be resolved. Mutually exclusive with activationConditionRef. |
resolutionPhases 4.1 | Space-delimited list | | List of resolution phases (i.e. flows) during which this connector should be resolved. Mutually exclusive with activationConditionRef. |
excludeResolutionPhases 4.1 | Space-delimited list | | List of resolution phases (i.e. flows) during which this connector should not be resolved. Mutually exclusive with activationConditionRef. |
exportAttributes | Space-delimited list | | List of attributes produced by the DataConnector that should be exported directly as resolved IdPAttributes without requiring AttributeDefinitions. In the case of a name clash (the DataConnector exports an attribute with the same name as an AttributeDefinition, or another DataConnector exports the same attribute) the DataConnector's attribute is NOT added and a warning is issued. |
noRetryDelay | Duration | 0 | Time between retries of a failed DataConnector. During this interval the connector is assumed to have failed whenever it is run and no actual connection is attempted. |
propagateResolutionExceptions | Boolean | true | Whether a connector/plugin failure is fatal to the entire attribute resolution process |
Name | Type | Description |
---|---|---|
springResources | String | DEPRECATED in 4.3. A series of ';'-separated resource names which contain Spring definitions for this connector. Not valid for the ComputedId and StoredId DataConnectors. |
springResourcesRef | Bean ID | DEPRECATED in 4.3. Bean ID of a List<Resource> which contains Spring definitions for this connector. Not valid for the ComputedId and StoredId DataConnectors. |
factoryPostProcessorsRef | Bean ID | DEPRECATED in 4.3. Bean ID of a List<BeanFactoryPostProcessor> used when parsing the resources specified by springResources or springResourcesRef |
postProcessorsRef | Bean ID | DEPRECATED in 4.3. Bean ID of a List<BeanPostProcessor> used when parsing the resources specified by springResources or springResourcesRef |
profileContextStrategyRef | Bean ID | DEPRECATED in 4.3. Bean ID of a function injected to override the normal lookup process for the request's ProfileRequestContext |
Common XML Elements
Name | Cardinality | Description |
---|---|---|
<InputAttributeDefinition> | 0 or more | Identifies an attribute definition whose values are an input to this data connector |
<InputDataConnector> | 0 or more | Identifies a data connector whose attributes are an input to this data connector |
<FailoverDataConnector> | 0 or 1 | Has a single attribute, ref="whatever", whose content is the identifier of a data connector to resolve if this data connector fails (for instance because the external data source is unavailable) |
Example
The example produces a hashed value using the input attribute "Foo" from a DataConnector named "DataSourceForFoo". The salt shown is a placeholder: a real deployment should use a randomly generated secret of at least 16 bytes (an encodedSalt works well for random bytes) and keep it out of version control, since the value must stay secret for the IDs to remain opaque.
<DataConnector id="ComputedIDConnector" xsi:type="ComputedId"
    generatedAttributeID="ComputedID"
    salt="abcdefghijklmnopqrstuvwxyz"
    encoding="BASE32">
    <InputDataConnector ref="DataSourceForFoo" attributeNames="Foo" />
</DataConnector>
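The following Python script is an added illustration, not part of this page or of the IdP's code. It recreates the value the configuration above would produce for one user and two relying parties, shows how the encoding option changes the output, and demonstrates the off-line attack the Overview warns about: with the salt, a relying party (or anyone who has collected issued IDs) can hash a list of candidate source values and recover the real one; without it, the same search fails. It assumes the digest input is the requester's entityID, a "!" separator, the source value, another "!" and the salt bytes, with strings UTF-8 encoded and the digest then Base64- or Base32-encoded; that layout comes from the IdP's ComputedPersistentIdGenerationStrategy and is not stated on this page. The entityIDs, usernames and the helper names are constructed for the example.

```python
"""Added illustration of the ComputedId digest and of why the salt must stay secret.

Assumed digest input (from the IdP's ComputedPersistentIdGenerationStrategy,
not stated on this page):
    <relying party entityID> '!' <source attribute value> '!' <salt bytes>
"""
import base64
import hashlib
import secrets
from typing import Iterable, Optional

# JCA algorithm names accepted by the connector's "algorithm" attribute,
# mapped to hashlib names. "SHA" (the connector default) is SHA-1.
_JCA_TO_HASHLIB = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def computed_id(relying_party: str, source_value: str, salt: bytes,
                algorithm: str = "SHA", encoding: str = "BASE64") -> str:
    """Recreate the value the ComputedId connector emits for one user and one requester."""
    h = hashlib.new(_JCA_TO_HASHLIB[algorithm])
    h.update(relying_party.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    digest = h.digest()
    if encoding == "BASE32":
        return base64.b32encode(digest).decode("ascii")   # upper case A-Z2-7
    if encoding == "BASE64":
        return base64.b64encode(digest).decode("ascii")   # mixed case, '/' and '+'
    raise ValueError(f"unsupported encoding {encoding!r}")


def recover_source(target_id: str, relying_party: str, candidates: Iterable[str],
                   salt_guess: bytes, algorithm: str = "SHA",
                   encoding: str = "BASE64") -> Optional[str]:
    """Off-line search an SP could run over a directory of candidate source values.

    Succeeds only if salt_guess is the real salt; with the salt secret, every
    candidate hashes to something else and None is returned.
    """
    for cand in candidates:
        if computed_id(relying_party, cand, salt_guess, algorithm, encoding) == target_id:
            return cand
    return None


def make_encoded_salt(num_bytes: int = 32) -> str:
    """Generate a random salt and return it in the form the encodedSalt attribute takes."""
    if num_bytes < 16:
        raise ValueError("the connector requires a salt of at least 16 bytes")
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs matching the configuration example above.
    SALT = b"abcdefghijklmnopqrstuvwxyz"   # placeholder salt from the page, 26 bytes
    SP_A = "https://sp-a.example.org/shibboleth"   # constructed entityIDs
    SP_B = "https://sp-b.example.org/shibboleth"
    foo = "jdoe"   # constructed value of the input attribute "Foo"

    id_a = computed_id(SP_A, foo, SALT, encoding="BASE32")
    id_b = computed_id(SP_B, foo, SALT, encoding="BASE32")
    print(SP_A, id_a)
    print(SP_B, id_b)   # same user, different requester: unlinkable value

    # A directory of usernames the relying party could enumerate (constructed).
    candidates = ["asmith", "jdoe", "mmueller"]
    print("with the real salt:", recover_source(id_a, SP_A, candidates, SALT, encoding="BASE32"))
    print("with a wrong salt: ", recover_source(id_a, SP_A, candidates, b"not-the-real-salt", encoding="BASE32"))
    print("fresh encodedSalt:", make_encoded_salt())
```

Run it as a script to see the two per-requester values and the two search results; computed_id is also handy for checking that a migrated or re-keyed IdP still produces the same IDs for a known test user before switching relying parties over.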