{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"This document hasn’t been peer-reviewed. Your mileage may vary!","type":"text"}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"cd833413-788c-4fb0-b51f-a661f2b246f7"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"fc842886-aaf9-491c-9ef8-ef51be3d8665"}},{"type":"paragraph","content":[{"text":"There are many reasons why you may be using the ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631589"}},{"text":" but may also wish to move away from it. ","type":"text"}]},{"type":"paragraph","content":[{"text":"In moving away to a purely ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631565"}},{"text":" you risk losing the existing persistent IDs that your users may be relying on to get access to resources.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Configuration Changes","type":"text"}]},{"type":"paragraph","content":[{"text":"It’s possible to configure the IdP to:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check the existing StoredID database for a value and return it if present","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If a value is not present, request one from the ComputedID generator instead","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"An approximation in pseudo-code:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"pas"},"content":[{"text":"stored_id = get_stored_value(user, service);\nif is_defined(stored_id)\n then return stored_id;\n else return get_computed_value(user, service);","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Caveats","type":"text"}]},{"type":"paragraph","content":[{"text":"This example uses SQLite as a target database engine for the (read-only) data set. Firstly because it’s really simple. Secondly, if you’re making this jump then no “new” data will be added to the database so the file can be statically deployed to your IdP nodes with no need to worry about another RDBMS and replication etc.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Starting Point","type":"text"}]},{"type":"paragraph","content":[{"text":"This assumes you have a working StoredID connector servicing requests for persistent IDs, for example:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n sqlite-dataconnector\n","type":"text"}]},{"type":"paragraph","content":[{"text":"This configuration will be happily producing values by first looking them up in the database, returning the value if it’s present and, otherwise, generating one, storing it and returning it. These values may be used for seeding SAML 2.0 persistent NameIDs or the new pairwise-id SAML Attribute.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Changes","type":"text"}]},{"type":"paragraph","content":[{"text":"Switching this basic config to the desired model… I’ve switched from the examples generating ","type":"text"},{"text":"storedID","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"persistentId","type":"text","marks":[{"type":"code"}]},{"text":" as it’s more descriptive.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Add the ComputedID Connector","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Be sure to use the same salt, which may be configured as a property elsewhere.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Add the new RelationalDatabase Connector","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"This new data connector will be queried first and will return an error if no results are available from the database. This signals to the resolver to try the ","type":"text"},{"text":"Failover","type":"text","marks":[{"type":"em"}]},{"text":" connector.","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"SELECT","type":"text","marks":[{"type":"code"}]},{"text":" statement looks up the required value based on the requesting Service Provider and the principal already. You may need to tweak this for your setup depending on what’s being used now.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Update any Dependent Settings","type":"text"}]},{"type":"paragraph","content":[{"text":"In this step, adjust any dependent Attribute Definitions or NameID generation properties to reference to new “persistentId” attribute.","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Reviewing Existing Data for Mismatches","type":"text"}]},{"type":"paragraph","content":[{"text":"It’s possible to get the RDBMS to evaluate all your existing records and report which are ","type":"text"},{"text":"wrong","type":"text","marks":[{"type":"em"}]},{"text":" (in that if they were regenerated now, the ","type":"text"},{"text":"persistentId","type":"text","marks":[{"type":"code"}]},{"text":" would be different).","type":"text"}]},{"type":"paragraph","content":[{"text":"This process is specifically for MySQL but the general principle should port to other database engines (the function calls may be different!). I’ve also assumed that you’re using ","type":"text"},{"text":"BASE64","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"SHA1","type":"text","marks":[{"type":"code"}]},{"text":" so you may need to tweak the query for your specific circumstances.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Create a temporary table with salt","type":"text"}]},{"type":"paragraph","content":[{"text":"In creating a ","type":"text"},{"text":"TEMPORARY","type":"text","marks":[{"type":"code"}]},{"text":" table, the data stays in memory only, doesn’t persist outside of the session you’re using and isn’t written to transaction logs.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"sql"},"content":[{"text":"CREATE TEMPORARY TABLE salt (\n\tid integer primary key not null,\n\tsalt varchar(1024)\n);\n\nINSERT INTO salt VALUES (0, 'EXISTING SALT VALUE');","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Compare the data","type":"text"}]},{"type":"paragraph","content":[{"text":"This query recalculates the ","type":"text"},{"text":"persistentId","type":"text","marks":[{"type":"code"}]},{"text":" for all existing records in the database and compares that with the one already in the database and only reports mismatches:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"sql"},"content":[{"text":"SELECT * FROM (\n SELECT\n c.localEntity,\n c.peerEntity,\n c.persistentId,\n c.principalName,\n c.localId,\n c.creationDate,\n TO_BASE64(\n UNHEX(\n SHA1(\n CONCAT( c.peerEntity, '!', c.localId, '!', s.salt )\n )\n )\n ) as computedId\n FROM shibpid c\n JOIN salt s WHERE s.id=0\n) generate_pids \nWHERE persistentId <> computedId;","type":"text"}]},{"type":"paragraph"}],"version":1}

Browser not supported