Available in IdP 2.3 and later, this principal connector determines the principal associated with a name identifier by decrypting and verifying values produced by the CryptoTransientId attribute definition. If the name identifier was not generated by this attribute definition, then the resolution of the principal name will fail.
Using cryptographic transient identifiers allows multiple IdP nodes that share a symmetric key to produce and consume identifiers without sharing state. This is part of a stateless clustering solution.
The cryptographic settings needed for this plugin are supplied by a DataSealer, a Java bean component that you configure and then inject into the resolver.
The connector is defined with the element <resolver:PrincipalConnector xsi:type="pc:CryptoTransient" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"> with the following required attributes:
<resolver:PrincipalConnector id="shibCryptoTransient" xsi:type="pc:CryptoTransient"
xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
dataSealerRef="shibboleth.TransientIDDataSealer"
nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
<resolver:PrincipalConnector id="saml2CryptoTransient" xsi:type="pc:CryptoTransient"
xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
dataSealerRef="shibboleth.TransientIDDataSealer"
nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
|
Since SAML 1 and SAML 2 use two different names to refer to a transient identifier, two principal connectors may need to be defined, one with a name format of |