Configuring a SAML 2 Persistent ID Attribute Definition

This plugin provides a very basic implementation of SAML 2.0 persistent identifiers. It creates these by hashing the user's principal ID, service provider ID, and a salt. This provides an opaque identifier, unique to each principal/service provider tuple.

Attribute Definition Basics

All attribute definitions are configured in the IdP's resolver.xml file.

Basic Attributes

Each attribute definition supports the following basic XML attributes in their definition:

id - (required) used by the definition to determine its source, or input, attribute and by other definitions and data connectors to refer to this definition
sourceName - (optional) used to explicitly specify the name of the source, or input, attribute used by the definition

Source Attributes

Most attribute definitions transform other attributes. A definition will determine the name of its source attribute in the following way:

If sourceName is present use an attribute whose name exactly matches the given source name
Use an attribute whose name exactly matches the definitions id
Use an attribute whose name exactly matches the last token of the definitions id split on / or :

Configuring the Definition

Create a SAML2PersistentID element with its id attribute and the following attribute:
- sourceName - the name of the attribute
Create a Salt element, child of SAML2PersistentID, whose content is a 16 or more character secret. You may wish to place this data in a CDATA section to ensure this string does not interfere with the XML processing.

Example Configuration

<SAML2PersistentID id="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" sourceName="guid">
	 <DataConnectorDependency requires="directory"/>
	 <Salt><![CDATA[f83(k4K*397ke.2d9vD8214+-]]></Salt>
</SAML2PersistentID>

Advanced Configuration

You may also use an existing secret key, stored in a Java keystore, as the salt. To do this remove the content of the Salt element and add the following attributes:

keyStorePath - the full path to the java keystore file
keyStorePassword - the password of the key store
keyStoreKeyAlias - the alias/name of the secret key in the key store
keyStoreKeyPassword - the password used to decrypt the secret key

Browser not supported