Persistent Name Identifier

Persistent name identifiers have the following properties:

Property        Value
longevity       persistent
transparency    opaque
targeted        yes
revokable       yes
reassignable    no

Define the Attribute

Persistent name identifier attributes are created in three steps:

  1. Create a Stored ID data connector. This data connector is responsible for creating and storing the persistent value for the name identifier.
  2. Create a simple attribute definition that turns the value of the stored ID into an attribute.
  3. Attach the SAML 1 Name Identifier and SAML 2 NameID attribute encoders to the attribute.

<resolver:AttributeDefinition id="persistentId" xsi:type="Simple"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              sourceAttributeID="storedId">

    <resolver:Dependency ref="StoredId"/>

    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />

    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>

<!-- salt: a deployer-chosen random value mixed into newly computed IDs;
     keep it secret (it is what makes the ID opaque) and do not change it
     once IDs have been issued -->
<resolver:DataConnector xsi:type="StoredId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="StoredId"
                        sourceAttributeID="uid"
                        salt="kd89lkalkcv2f09fjs3v981298fkfjkgri">

    <resolver:Dependency ref="ldap" />

    <!-- database connection settings go here -->

</resolver:DataConnector>

The name format for a persistent ID in SAML 2.0 is "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". There is no standard SAML 1.1 <NameIdentifier> format that corresponds to this concept, so it is suggested to stick with encoding the information into a SAML attribute for SAML 1.1 relying parties.
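As an added illustration (not the IdP's own code), the following Python model shows what the Stored ID connector provides and why the ID has the properties listed in the table above. The table in memory stands in for the connector's database, and the hash inputs (peer entity ID, local ID, salt) and the random replacement issued after a revocation follow the general shape of the connector's behaviour but are assumptions here, not its exact algorithm.

```python
import base64
import hashlib
import secrets


class PersistentIdStore:
    """In-memory stand-in for the StoredId connector's database table
    (constructed for illustration; the IdP keeps this in a real database)."""

    def __init__(self, salt):
        self.salt = salt            # deployer-chosen secret, fixed for the IdP's lifetime
        self.rows = {}              # (relying_party, local_id) -> [persistent_id, active]
        self.ever_issued = set()    # every ID ever handed out, active or revoked

    def _initial_id(self, relying_party, local_id):
        # First value for a pairing: hash of peer entity ID, local ID and salt.
        # Targeted (peer ID is an input) and opaque (local ID is not recoverable
        # without the salt). Digest choice and encoding are assumptions.
        material = f"{relying_party}!{local_id}!{self.salt}".encode()
        return base64.b64encode(hashlib.sha256(material).digest()).decode()

    def resolve(self, relying_party, local_id):
        """Return the active persistent ID for this user at this relying party,
        creating one if none exists (persistent: repeat calls return the same value)."""
        key = (relying_party, local_id)
        row = self.rows.get(key)
        if row is None or not row[1]:
            # No active ID: a first-time pairing gets the salted hash; after a
            # revocation a random value is used so the old ID is never reissued.
            pid = self._initial_id(*key) if row is None else secrets.token_urlsafe(32)
            if pid in self.ever_issued:            # reassignable: no
                raise RuntimeError("persistent ID collision")
            self.ever_issued.add(pid)
            self.rows[key] = [pid, True]
        return self.rows[key][0]

    def revoke(self, relying_party, local_id):
        """Deactivate the pairing; the next resolve() issues a fresh, unrelated ID."""
        self.rows[(relying_party, local_id)][1] = False


def check_properties():
    """Exercise the property table with constructed sample values."""
    store = PersistentIdStore(salt="constructed-sample-salt-not-for-production")
    sp_a, sp_b = "https://sp-a.example.org/shibboleth", "https://sp-b.example.org/shibboleth"
    a1, a2, b1 = store.resolve(sp_a, "jsmith"), store.resolve(sp_a, "jsmith"), store.resolve(sp_b, "jsmith")
    store.revoke(sp_a, "jsmith")
    a3 = store.resolve(sp_a, "jsmith")
    return {"persistent": a1 == a2, "opaque": "jsmith" not in a1, "targeted": a1 != b1,
            "revokable": a3 != a1, "not_reassignable": len(store.ever_issued) == 3}
```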

Release the Attribute

Finally, define an attribute filter policy that releases the persistent ID to the intended relying parties. Since persistent IDs are opaque, and thus not personally identifiable, they are safe to release to anyone. Therefore the following attribute filter policy is suggested, but others may be used at the deployer's discretion.

<AttributeFilterPolicy id="releasePersistentIdToAnyone">

    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="persistentId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

</AttributeFilterPolicy>

Use the Attribute

One special use case of the persistent name identifier is Account Checking, which allows an SP administrator to determine whether a user, identified by a given persistent name identifier, still has the attributes required to use a service. Accounts of users who no longer have the required attributes can then be cleaned up.