ComputedIdConnector

The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

The ComputedId DataConnector generates a single-valued IdPAttribute from the (usually SHA-1) digest of three inputs: a requester's name (in SAML, an entityID), a source attribute value, and a salt. The salt must be kept secret; otherwise the hashes can be generated off-line to recover the underlying attribute value.

The attribute value is therefore opaque and unique per user, per relying party, which makes it suitable for use as a SAML "persistent" NameID, a "pairwise-id" Subject Attribute, and an OpenID "sub" claim.

In advanced scenarios, the input to the hash can vary from the requester's identity to a different value that may be associated with the requester, allowing multiple requesters to receive the same value. This is all "internal" to the system and is not part of the configuration of the connector; the connector simply does the right thing in these cases.

Reference

Example

The example produces a hashed value using an input attribute "Foo" from a DataConnector named "DataSourceForFoo".

<DataConnector id="ComputedIDConnector" xsi:type="ComputedId"
    generatedAttributeID="ComputedID"
    salt="abcdefghijklmnopqrstuvwxyz"
    encoding="BASE32">
    <InputDataConnector ref="DataSourceForFoo" attributeNames="Foo" />
</DataConnector>
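The following Python sketch is an added illustration, not the IdP's own code. It models the digest described in the Overview to show the pairwise property and why the salt must stay secret. The "!" field separator, the function names, the sample entityIDs and the user values are assumptions made for this example, so its output is not guaranteed to match the IdP's byte for byte.

```python
import base64
import hashlib


def computed_id(entity_id: str, source_value: str, salt: bytes,
                encoding: str = "BASE32", algorithm: str = "sha1") -> str:
    """Digest of requester name, source attribute value and salt.

    Assumption: the fields are joined with '!' so that ("ab", "c") and
    ("a", "bc") do not produce the same hash input.
    """
    md = hashlib.new(algorithm)
    md.update(entity_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt)
    digest = md.digest()
    if encoding == "BASE32":
        return base64.b32encode(digest).decode("ascii")
    return base64.b64encode(digest).decode("ascii")


def recover_source(observed_id: str, entity_id: str, salt: bytes, candidates):
    """Risk model: with the salt, an observed ID can be matched off-line
    against a list of candidate source values. Returns the match or None."""
    for candidate in candidates:
        if computed_id(entity_id, candidate, salt) == observed_id:
            return candidate
    return None


# Constructed sample values (hypothetical relying parties and users).
SALT = b"abcdefghijklmnopqrstuvwxyz"  # the page's example salt, not a real secret
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
USERS = ["asmith", "jdoe", "mbrown"]

if __name__ == "__main__":
    id_a = computed_id(SP_A, "jdoe", SALT)
    id_b = computed_id(SP_B, "jdoe", SALT)
    print("SP A sees:", id_a)
    print("SP B sees:", id_b)  # differs from id_a: no cross-SP correlation
    print("salt known  :", recover_source(id_a, SP_A, SALT, USERS))
    print("salt unknown:", recover_source(id_a, SP_A, b"wrong-guess", USERS))
```

The last two lines show the difference the salt makes: with it, the opaque value maps back to the source attribute; without it, the same candidate list yields nothing.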