The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

ResolverCryptoTransientIDAttributeDefinition

Owned by Scott Cantor
Last updated: May 22, 2011 by trscavo@internet2.eduVersion comment
2 min read

Crypto Transient ID Attribute Definition

Available in IdP 2.3 and later, this attribute definition produces a cryptographically verifiable opaque identifier that can later be mapped back to the user by a CryptoTransient principal connector. Using cryptographic transient identifiers allows multiple IdP nodes that share a symmetric key to produce and consume identifiers without sharing state. This is part of a stateless clustering solution.

Provide a DataSealer

The cryptographic settings needed for this plugin are supplied by a DataSealer, a Java bean component that you configure and then inject into the resolver.

Define the Definition

A crypto transient ID attribute definition starts with the same <resolver:AttributeDefinition> element as all other attribute definitions and has a type attribute of xsi:type="ad:CryptoTransientId". Each definition must also have an id attribute that assigns it an unique identifier (i.e., unique among all attribute definitions) used to refer to the definition within the rest of the attribute resolver configuration.

The <resolver:AttributeDefinition> element must also contain a dataSealerRef attribute that identifies a DataSealer Spring-configured bean. It may also contain a lifetime attribute controlling the length of time the identifier will be valid. This time limit is encrypted into the value.

Crypto Transient ID Attribute Definition
 
<resolver:AttributeDefinition id="cryptoTransientId" xsi:type="ad:CryptoTransientId"
                              xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" 
                              dataSealerRef="shibboleth.TransientIDDataSealer" 
                              lifetime="PT3M"> 

    <resolver:AttributeEncoder xsi:type="encoder:SAML1StringNameIdentifier"
                               xmlns:encoder="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>

    <resolver:AttributeEncoder xsi:type="encoder:SAML2StringNameID"
                               xmlns:encoder="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</resolver:AttributeDefinition>

While this attribute definition can have dependencies, like all other attribute definitions, they are never used. The transient ID comes exclusively from internal IdP state.