This data connector was historically used to produce both the "eduPersonTargetedID" SAML Attribute, which contains a SAML <NameID> element in its values, and to generate SAML 2.0 "persistent" NameID values. The attribute use case is itself generally deprecated because SAML 1 itself is a legacy standard and because the use of the attribute in SAML 2 is both redundant, and overly complex. The NameID use case has been replaced by an equivalent NameID "generator" (see the NameIDGenerationConfiguration topic).

The connector remains supported to facilitate future compliance with emerging profiles for SAML subject identification the Shibboleth community hopes will replace the older options.

The StoredId data connector generates an attribute whose value is persistent, opaque, and unique per user, per relying party. The value generated is stored in a database, which allows features such as reverse-lookup that are not supported by the ComputedIdConnector, but at the additional cost of a read/write data store that must be highly available.

The source attribute value and relying party are looked up in a table named shibpid, and if a value is found, it is returned. Otherwise, if a salt is provided, then an initial value is calculated as for the ComputedIdConnector. If no salt is provided, then a random value is generated. In either case, the result is stored in the database for future use.

Schema Name and Location

This xsi:type is defined by the urn:mace:shibboleth:2.0:resolver schema^3.3, located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd .

Prior to V3.3 supplied plugins were defined by a schema type (xsi:type) in the urn:mace:shibboleth:2.0:resolver:dc namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd. This is still supported, but every element or type in the urn:mace:shibboleth:2.0:resolver:dc namespace has an equivalently named (but not necessarily identical) version in the urn:mace:shibboleth:2.0:resolver namespace. The use of the urn:mace:shibboleth:2.0:resolver namespace also allows a relaxation of the ordering requirements of child elements to reduce strictness.

Attributes

Any of the common attributes can be specified. In addition the following attributes are supported:

Name	Type	Default	Description
`sourceAttributeID`	string		DEPRECATED: ID of the IdPAttribute used as input to the connector The the source attribute should now be supplied using the `<InputAttributeDefinition>` and `<InputDataConnector>` elements.
`generatedAttributeID`	string	ID of the connector	ID of the IdPAttribute generated
`salt`	string		Salt, of at least 16 bytes, used in computing initial values
`encoding`^3.3.2	string	BASE64	Controls the eventual text encoding of the value, this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration)
`queryTimeout`	XML Duration or a number of milliseconds	PT5S	Timeout for the queries made against the database
`transactionRetries` ^3.2.1	integer	3	Number of retries if insertion fails due to database transaction bugs
`failFast` ^3.2.1	boolean	false	Whether to strictly verify the database's availability and primary key during startup
`retryableErrors` ^3.2.1	space-delimited list of strings	23000 23505	SQLState codes to treat as retryable errors indicating a duplicate insert due to database transaction bugs
`springResource`	resource		Deprecated, use the <BeanManagedConnection> element instead

Child Elements

Any of the common child elements can be specified. In addition, one of the following may be provided if the deprecated springResource attribute is not provided.

Name Cardinality Description

<ContainerManagedConnection>

0 or 1 (all elements)

Connects to a database via a JNDI resource defined in the container

<ApplicationManagedConnection>

DEPRECATED

Connects to a database via a JDBC data source configured explicitly

<BeanManagedConnection>^3.1

Connects to a database via an externally specified DataSource

Example

<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="ComputedID" sourceAttributeID="email">
   <BeanManagedConnection>TheDataConnectorId</BeanManagedConnection>
</DataConnector>

<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="ComputedID" sourceAttributeID="email">
   <ApplicationManagedConnection
	   jdbcURL="jdbc:hsqldb:mem:storedId" 
       jdbcDriver="org.hsqldb.jdbc.JDBCDriver" 
       jdbcUserName="SA" jdbcPassword="nottelling"/>
</DataConnector>

Database Configuration

The database definition required is the same as that described in the PersistentNameIDGenerationConfiguration documentation. You can (and usually should) share a data source definition between that mechanism and this deprecated mechanism by defining the data source globally and referencing it via the <BeanManagedConnection> element.

Spring Configuration ^3.1

You can use the <BeanManagedConnection> to specify a data source defined separately.

Browser not supported