The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

TransientPrincipalConnector

Owned by Former user (Deleted)
Last updated: Apr 01, 2015 by IAM David Bantz
1 min read

Transient Principal Connector

The transient principal connector determines the principal associated with a name identifier by looking up the principal in the mapping established by the transient ID attribute definition. If the name identifier was not generated by this attribute definition, then the resolution of the principal name will fail.

Define the Connector

The connector is defined with the element <resolver:PrincipalConnector xsi:type="pc:Transient" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"> with the following required attribute:

  • id - assigns a unique, within the resolver, identifier
  • nameIDFormat - the name identifier format handled by this principal connector
Transient Principal Connector Example
<resolver:PrincipalConnector id="SAML1_UNIQUE_ID" xsi:type="pc:Transient" 
                             nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>

 
<resolver:PrincipalConnector id="SAML2_UNIQUE_ID" xsi:type="pc:Transient" 
                             nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />

Since SAML 1 and SAML 2 use two different names to refer to a transient identifier two principal connectors usually need to be defined. One with a name format of urn:mace:shibboleth:1.0:nameIdentifier and the other with a name format of urn:oasis:names:tc:SAML:2.0:nameid-format:transient