In deployments that can accommodate the use of a database, the stored ID data connector is strongly recommended as an alternative to this connector because of the additional deployment flexibility it offers to change, revoke, and reverse-map the identifiers. Deployers should be aware that the computed ID data connector cannot be used to generate SAML name identifiers in conjunction with profiles that require reverse-mapping the identifier back into a user identity. This mainly involves attribute queries (typically for legacy Shibboleth 1.x SPs).
This connector is used to create a unique identifier by computing the SHA-1 hash of the attribute requester's entity ID, a value of a given attribute, and a salt. These IDs are normally used as user identifiers because of their properties:
The IDs generated by this connector are compatible with those created by the Shibboleth 1 persistent ID and SAML2 persistent ID attribute definitions.
To define a new computed ID data connector, create a <DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"> element with the following attributes:
The connector also supports the following, optional, attribute:
It is recommended that the attribute given by |
This data connector requires exactly one dependency, which provides the attribute identified by the sourceAttributeID attribute.
Dependencies are expressed by the <resolver:Dependency> element with a ref attribute whose value is the unique ID of the attribute definition or the data connector that this connector depends on.
<resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        sourceAttributeID="SOME_ID"
                        salt="ThisIsRandomText">
    <resolver:Dependency ref="DEFINITION_ID_1" />
</resolver:DataConnector>
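The computation described above, as an added Python example (not the IdP's own code): it shows that the same user gets a stable but different identifier for each requester, and that because nothing is stored, changing the salt changes every identifier at once. The "!" separators, the Base64 output, the 16-byte salt minimum, the function names and the sample entity IDs and user value are assumptions of this example; only the three hash inputs, SHA-1 and the salt string come from the page.

```python
import base64
import hashlib

MIN_SALT_BYTES = 16  # assumption of this example; the page states no minimum


def computed_id(requester_entity_id: str, source_value: str, salt: bytes) -> str:
    """Hash the three inputs the page names: requester entity ID, source
    attribute value, salt. The '!' separators and the Base64 output are
    assumptions of this example."""
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError(f"salt must be at least {MIN_SALT_BYTES} bytes")
    if not requester_entity_id or not source_value:
        raise ValueError("entity ID and source value must be non-empty")
    h = hashlib.sha1()
    # Separators keep ("ab", "c") and ("a", "bc") from hashing identically.
    h.update(requester_entity_id.encode("utf-8") + b"!")
    h.update(source_value.encode("utf-8") + b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def ids_for_user(source_value: str, requesters: list[str], salt: bytes) -> dict[str, str]:
    """One identifier per requester for the same user."""
    return {sp: computed_id(sp, source_value, salt) for sp in requesters}


# Constructed sample data (not from the page, except the salt string).
SALT = b"ThisIsRandomText"
SPS = ["https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"]
USER = "jdoe-0001"  # value of the source attribute

if __name__ == "__main__":
    before = ids_for_user(USER, SPS, SALT)
    again = ids_for_user(USER, SPS, SALT)
    rotated = ids_for_user(USER, SPS, b"ADifferentSaltValue!")
    for sp in SPS:
        print(sp, before[sp], "stable" if before[sp] == again[sp] else "CHANGED")
        print("  after salt change:", rotated[sp])
```

The salt string is the placeholder from the configuration above; anyone who knows the salt and a user's source attribute value can recompute that user's identifiers, so a deployment needs a random value that is kept secret.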