Namespace: urn:mace:shibboleth:2.0:resolver

This data connector was historically used to produce both the "eduPersonTargetedID" SAML Attribute and to generate SAML 2.0 "persistent" NameID values. The original Attribute use case is essentially deprecated because SAML 1 itself is a legacy standard and because the use of the Attribute in SAML 2 is both redundant, and overly complex. The NameID use case has been replaced by an equivalent NameID "generator" (see the NameIDGenerationConfiguration topic).

The connector remains supported for use with the new SAML SubjectID specification's "pairwise-id" replacement for all these legacy approaches.

That said, we strongly suggest considering use of the ComputedId DataConnector, which is much less troublesome. When you inevitably find that the database approach lacks reliability, there won't be a lot you can do about it if you have services relying on the values. Start with the hashing approach and only then really consider whether you need anything else.


The StoredId DataConnector generates a single-valued IdPAttribute whose value is persistent, opaque, and unique per user and per relying party. The value generated is stored in a database, which allows features such as reverse-lookup that are not supported by the ComputedId DataConnector, but at the additional cost of a read/write data store that must be highly available and perfectly consistent.

The source attribute value and relying party are looked up in a table and if a value is found, it is returned. Otherwise, if a salt is provided, then an initial value is calculated as for the ComputedId DataConnector. If no salt is provided, then a random value is generated. In either case, the result is stored in the database for future use.

This layered approach allows a transition between the two methods of generation and potentially allows for the database-backed approach to be tested for reliability before fully committing to it while providing a backout strategy.

Database Configuration

The database definition required is the same as that described in the PersistentNameIDGenerationConfiguration documentation. You can (and usually should) share a data source definition between that feature and this one by defining the data source globally and referencing it via the <BeanManagedConnection> element.








ID of the connector

ID of the IdPAttribute generated

salt OR encodedSalt


A salt, of at least 16 bytes, used in the computation. Must be directly provided or in a base64-encoded form, but one must be set. The encoded option allows for binary characters, whitespace, or other difficult to capture content in the salt.




Controls the eventual text encoding of the value, this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration)




Timeout for the queries made against the database




Number of retries if insertion fails due to database transaction bugs

tableName 4.1



Overrides name of database table to use




Whether a failure when verifying the database's availability and primary key during startup is fatal (prevents the AttributeResolver service from starting or the configuration from reloading)


space-delimited list of strings

23000 23505

SQLState codes to treat as retryable errors indicating a duplicate insert due to database transaction bugs


Bean ID

References a Spring bean defining a map of exception overrides for altering salt or suppressing generation of IDs for users and services. See the "Sparse Overrides" section in the PersistentNameIDGenerationConfiguration topic.

One of the following MUST be provided:





0 or 1 (all elements)

Connects to a database via a JNDI resource defined in the container


Connects to a database via a JDBC data source configured explicitly


Connects to a database via an externally specified DataSource


<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="StoredId" sourceAttributeID="email">