Custom name identifiers have the following properties:
| Property | Value |
|---|---|
| longevity | arbitrary, but usually somewhat long-lived |
| transparency | arbitrary |
| targeted | not usually |
| revokable | by default, the IdP isn't able to reverse the mapping at all |
| reassignable | arbitrary |
A custom name identifier is typically created in two steps:
```xml
<resolver:AttributeDefinition id="customId" xsi:type="Simple" sourceAttributeID="uid"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="DEFINITION_ID_1" />
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>
```
The example above is merely one approach. Anything you can attach the necessary encoders to can be turned into an identifier, as long as you're willing to break the reverse mapping capability of the IdP or produce the necessary PrincipalConnector yourself.
Finally, define an attribute filter policy that releases the internal attribute to the intended relying parties.
```xml
<AttributeFilterPolicy id="releaseCustomIdToPartner">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="customId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```
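The reverse-mapping caveat noted above can be checked mechanically. The Python below is an added example, not part of the Shibboleth documentation or IdP code: it parses an attribute-resolver.xml fragment and reports every attribute definition that is encoded as a NameID whose nameFormat no reverse-capable PrincipalConnector claims, first against the page's customId definition (flagged) and then with a Direct connector added (clear). It assumes IdP v2-style PrincipalConnector elements carrying a nameIDFormat attribute, and that the custom value equals the principal name, which is what makes a Direct connector a valid choice here.

```python
import xml.etree.ElementTree as ET

RESOLVER = "{urn:mace:shibboleth:2.0:resolver}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Encoder types that turn a resolved attribute into a SAML 1 / SAML 2 name identifier.
NAMEID_ENCODERS = {"SAML1StringNameIdentifier", "SAML2StringNameID"}

# Constructed attribute-resolver.xml fragment: the customId definition from the page
# plus two Transient PrincipalConnectors of the kind the stock IdP v2 config ships with.
SAMPLE_RESOLVER = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="customId" xsi:type="Simple" sourceAttributeID="uid"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  </resolver:AttributeDefinition>
  <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml1Unspec"
      nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml2Transient"
      nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeResolver>"""

# A Direct connector returns the NameID value itself as the principal name; that is only
# right here because customId is a plain copy of uid (assumption: uid is the principal name).
DIRECT_PC = """<resolver:PrincipalConnector xsi:type="pc:Direct" id="customIdDirect"
      nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />\n"""
FIXED_RESOLVER = SAMPLE_RESOLVER.replace("</resolver:AttributeResolver>",
                                         DIRECT_PC + "</resolver:AttributeResolver>")

def _local_type(elem):
    """xsi:type value with any namespace prefix such as 'pc:' removed."""
    return elem.get(XSI_TYPE, "").split(":")[-1]

def unmapped_nameid_formats(resolver_xml):
    """Return {attribute definition id: sorted nameFormats} for NameID encoders whose
    value the IdP cannot map back to a principal. Transient connectors do not count: they
    look the value up in the transient-ID store, where a custom identifier is never found."""
    root = ET.fromstring(resolver_xml)
    reversible = {pc.get("nameIDFormat") for pc in root.iter(RESOLVER + "PrincipalConnector")
                  if _local_type(pc) != "Transient"}
    report = {}
    for ad in root.iter(RESOLVER + "AttributeDefinition"):
        missing = {enc.get("nameFormat") for enc in ad.iter(RESOLVER + "AttributeEncoder")
                   if _local_type(enc) in NAMEID_ENCODERS
                   and enc.get("nameFormat") not in reversible}
        if missing:
            report[ad.get("id")] = sorted(missing)
    return report
```

Run against a real attribute-resolver.xml, any identifier listed in the report can be issued but not resolved by the IdP, so SAML 2 attribute queries or logout requests carrying it will fail to identify the principal.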