The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

StoredIdConnector

Owned by Rod Widdowson
Last updated: Jul 14, 2021 by Scott Cantor

This data connector was historically used to produce both the "eduPersonTargetedID" SAML Attribute, which contains a SAML <NameID> element in its values, and to generate SAML 2.0 "persistent" NameID values. The attribute use case is itself generally deprecated because SAML 1 itself is a legacy standard and because the use of the attribute in SAML 2 is both redundant, and overly complex. The NameID use case has been replaced by an equivalent NameID "generator" (see the NameIDGenerationConfiguration topic).

The connector remains supported to facilitate future compliance with emerging profiles for SAML subject identification the Shibboleth community hopes will replace the older options.

The StoredId data connector generates an attribute whose value is persistent, opaque, and unique per user, per relying party. The value generated is stored in a database, which allows features such as reverse-lookup that are not supported by the ComputedIdConnector, but at the additional cost of a read/write data store that must be highly available.

The source attribute value and relying party are looked up in a table named shibpid, and if a value is found, it is returned. Otherwise, if a salt is provided, then an initial value is calculated as for the ComputedIdConnector. If no salt is provided, then a random value is generated. In either case, the result is stored in the database for future use.

Schema Name and Location

This xsi:type is defined by the urn:mace:shibboleth:2.0:resolver schema 3.3, located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd.

Prior to V3.3 supplied plugins were defined by a schema type (xsi:type) in the urn:mace:shibboleth:2.0:resolver:dc namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd. This is still supported, but every element or type in the  urn:mace:shibboleth:2.0:resolver:dc namespace has an equivalently named (but not necessarily identical) version in the urn:mace:shibboleth:2.0:resolver namespace. The use of the urn:mace:shibboleth:2.0:resolver namespace also allows a relaxation of the ordering requirements of child elements to reduce strictness.

Attributes

Any of the common attributes can be specified. In addition the following attributes are supported:

NameTypeDefaultDescription

sourceAttributeID

string

DEPRECATED: ID of the IdPAttribute used as input to the connector

The the source attribute should now be supplied using the <InputAttributeDefinition> and <InputDataConnector> elements.

generatedAttributeID   

stringID of the connectorID of the IdPAttribute generated

salt

string
Salt, of at least 16 bytes, used in computing initial values

encoding 3.3.2

stringBASE64Controls the eventual text encoding of the value, this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration)

queryTimeout

XML Duration or a number of milliseconds

PT5STimeout for the queries made against the database

transactionRetries 3.2.1

integer3Number of retries if insertion fails due to database transaction bugs

failFast 3.2.1

booleanfalseWhether to strictly verify the database's availability and primary key during startup

retryableErrors 3.2.1

space-delimited list of strings23000 23505SQLState codes to treat as retryable errors indicating a duplicate insert due to database transaction bugs

springResource

resource

Deprecated, use the <BeanManagedConnection> element instead

Child Elements

Any of the common child elements can be specified. In addition, one of the following may be provided if the deprecated springResource attribute is not provided.

NameCardinalityDescription

<ContainerManagedConnection>


0 or 1 (all elements)

Connects to a database via a JNDI resource defined in the container

<ApplicationManagedConnection>

DEPRECATED

Connects to a database via a JDBC data source configured explicitly

<BeanManagedConnection> 3.1

Connects to a database via an externally specified DataSource

Example

<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="ComputedID" sourceAttributeID="email">
   <BeanManagedConnection>TheDataConnectorId</BeanManagedConnection>
</DataConnector>
<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="ComputedID" sourceAttributeID="email">
   <ApplicationManagedConnection
	   jdbcURL="jdbc:hsqldb:mem:storedId" 
       jdbcDriver="org.hsqldb.jdbc.JDBCDriver" 
       jdbcUserName="SA" jdbcPassword="nottelling"/>
</DataConnector>

Database Configuration

The database definition required is the same as that described in the PersistentNameIDGenerationConfiguration documentation. You can (and usually should) share a data source definition between that mechanism and this deprecated mechanism by defining the data source globally and referencing it via the <BeanManagedConnection> element.

Spring Configuration 3.1

You can use the <BeanManagedConnection> to specify a data source defined separately.