CryptoTransient Principal Connector

Available in IdP 2.3 and later, this principal connector determines the principal associated with a name identifier by decrypting and verifying values produced by the CryptoTransientId attribute definition. If the name identifier was not generated by this attribute definition, then the resolution of the principal name will fail.

Using cryptographic transient identifiers allows multiple IdP nodes that share a symmetric key to produce and consume identifiers without sharing state. This is part of a stateless clustering solution.

Provide a DataSealer

The cryptographic settings needed for this plugin are supplied by a DataSealer, a Java bean component that you configure and then inject into the resolver.

Define the Connector

The connector is defined with the element <resolver:PrincipalConnector xsi:type="pc:CryptoTransient" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"> with the following required attributes:

id - assigns a unique, within the resolver, identifier
nameFormat - the name identifier format serviced by this principal connector
dataSealerRef - identifies a DataSealer Spring-configured bean.

Crypto Transient Principal Connector Example

<resolver:PrincipalConnector id="shibCryptoTransient" xsi:type="pc:CryptoTransient" 
                             xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc" 
                             dataSealerRef="shibboleth.TransientIDDataSealer"
                             nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
                             
<resolver:PrincipalConnector id="saml2CryptoTransient" xsi:type="pc:CryptoTransient" 
                             xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc" 
                             dataSealerRef="shibboleth.TransientIDDataSealer"
                             nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

Since SAML 1 and SAML 2 use two different names to refer to a transient identifier, two principal connectors may need to be defined, one with a name format of urn:mace:shibboleth:1.0:nameIdentifier and the other with a name format of urn:oasis:names:tc:SAML:2.0:nameid-format:transient as shown above