Computed ID Data Connector

In deployments that can accomodate the use of a database, the stored ID data connector is strongly recommended as an alternative to this connector because of the additional deployment flexibility it offers to change, revoke, and reverse-map the identifiers.

Deployers should be aware that the computed ID data connector cannot be used to generate SAML name identifiers in conjunction with profiles that require reverse-mapping the identifier back into a user identity. This mainly involves attribute queries (typically for legacy Shibboleth 1.x SPs).

This connector is used to create a unique identifier by computing the SHA-1 hash of the attribute requester's entity ID, a value of a given attribute, and a salt. These IDs are normally used as user identifiers because of their properties:

each requester receives a unique, opaque, identifier preventing multiple requesters from performing any correlation attacks
each requester always get the same ID so they may associate user preferences with the ID

The IDs generated by this connector are compatible with those created by the Shibboleth 1 persistent ID and SAML2 persistent ID attribute definitions.

1. Define the Connector

To define a new computed ID data connector, create a <DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"> element with the following attributes:

id - a unique identifier for the data connector
sourceAttributeID - the ID of an attribute, provided by a dependency, whose first value will be used within the computed ID hash
salt - a string of random data; must be at least 16 characters, 48 characters is recommended

The connector also supports the following, optional, attribute:

generatedAttributeID - the ID of the attribute created by the data connector, the default value is "computedId"

It is recommended that the attribute given by sourceAttributeID be a non-reassigned value, unique to each user. Usage of such a value effectively eliminates problems that may occur if a value is reassigned and a service provider has not cleaned out state from the previous owner of that ID. Many uses of this data require that the resulting value have a non-reassignment property.

2. Define Dependencies

This data connector requires exactly one dependency, which provides the attribute identified by the sourceAttributeID attribute.

Dependencies are expressed by the <resolver:Dependency> with a ref attribute whose value is the unique ID of the attribute definition or the data connector that this connector depends on.

<resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="UNIQUE_ID"
                        sourceAttributeID="SOME_ID"
                        salt="ThisIsRandomText">

     <resolver:Dependency ref="DEFINITION_ID_1" />
</resolver:DataConnector>