Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
Overview
The StoredId DataConnector generates a single-valued IdPAttribute whose value is persistent, opaque, and unique per user and per relying party. The value generated is stored in a database, which allows features such as reverse-lookup that are not supported by the ComputedId DataConnector, but at the additional cost of a read/write data store that must be highly available and perfectly consistent.
The source attribute value and relying party are looked up in a table and if a value is found, it is returned. Otherwise, if a salt is provided, then an initial value is calculated as for the ComputedId DataConnector. If no salt is provided, then a random value is generated. In either case, the result is stored in the database for future use.
This layered approach allows a transition between the two methods of generation and potentially allows for the database-backed approach to be tested for reliability before fully committing to it while providing a backout strategy.
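The lookup-then-generate logic described above, as an added illustration that is not code from the Shibboleth project: an in-memory SQLite table stands in for the shibpid table (its columns are a simplification, not the IdP schema), the ComputedId derivation is assumed to be SHA-1 over relyingParty!sourceValue!salt (check the ComputedId documentation), and the salt is a constructed value.

```python
import base64
import hashlib
import secrets
import sqlite3

# Simplified stand-in for the shibpid table (assumed columns, not the IdP's schema).
SCHEMA = """
CREATE TABLE shibpid (
    peerEntity   TEXT NOT NULL,
    localId      TEXT NOT NULL,
    persistentId TEXT NOT NULL,
    PRIMARY KEY (peerEntity, localId),
    UNIQUE (peerEntity, persistentId)
)
"""

def computed_id(relying_party, source_value, salt, encoding="BASE64"):
    """Initial value as the ComputedId connector derives it (assumption: SHA-1 over
    relyingParty!sourceValue!salt). BASE32 sidesteps the case-sensitivity problem."""
    digest = hashlib.sha1(f"{relying_party}!{source_value}!{salt}".encode("utf-8")).digest()
    if encoding == "BASE32":
        return base64.b32encode(digest).decode("ascii")
    return base64.b64encode(digest).decode("ascii")

def stored_id(conn, relying_party, source_value, salt=None, encoding="BASE64"):
    """Return the stored value for (relying party, source value) if one exists;
    otherwise compute it (salt configured) or draw it at random, store it, return it."""
    row = conn.execute("SELECT persistentId FROM shibpid WHERE peerEntity=? AND localId=?",
                       (relying_party, source_value)).fetchone()
    if row:
        return row[0]                       # stored value always wins
    if salt is not None:
        value = computed_id(relying_party, source_value, salt, encoding)
    else:
        value = secrets.token_urlsafe(20)   # random value when no salt is configured
    conn.execute("INSERT INTO shibpid (peerEntity, localId, persistentId) VALUES (?, ?, ?)",
                 (relying_party, source_value, value))
    conn.commit()
    return value

def reverse_lookup(conn, relying_party, persistent_id):
    """The feature ComputedId cannot offer: map an opaque ID back to its source value."""
    row = conn.execute("SELECT localId FROM shibpid WHERE peerEntity=? AND persistentId=?",
                       (relying_party, persistent_id)).fetchone()
    return row[0] if row else None

def new_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn
```

Because a stored value is returned before any salt is consulted, a deployment that migrates from ComputedId keeps issuing the same identifiers, and an identifier already in the table survives a later salt change.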
Database Configuration
The database definition required is the same as that described in the PersistentNameIDGenerationConfiguration documentation. You can (and usually should) share a data source definition between that feature and this one by defining the data source globally and referencing it via the <BeanManagedConnection> element.
Reference
Specific XML Attributes
Name | Type | Default | Description
--- | --- | --- | ---
generatedAttributeID | string | ID of the connector | ID of the IdPAttribute generated
salt, encodedSalt, saltLookupStrategyRef (4.3) | string | | When any of these are set, the initial values are generated in accordance with the ComputedId DataConnector; see that documentation for more information.
encoding | string | BASE64 | Controls the eventual text encoding of the value; this should be set to "BASE32" for new deployments (see the warning box about case sensitivity under PersistentNameIDGenerationConfiguration)
queryTimeout | Duration | PT5S | Timeout for the queries made against the database
transactionRetries | integer | 3 | Number of retries if insertion fails due to database transaction bugs
tableName (4.1) | string | shibpid | Overrides the name of the database table to use
failFastInitialize | boolean | false | Whether a failure when verifying the database's availability and primary key during startup is fatal (prevents the AttributeResolver service from starting or the configuration from reloading)
retryableErrors | space-delimited list of strings | 23000 23505 | SQLState codes to treat as retryable errors indicating a duplicate insert due to database transaction bugs
exceptionMapRef | Bean ID | | References a Spring bean defining a map of exception overrides for altering the salt or suppressing generation of IDs for users and services. See the "Sparse Overrides" section in the PersistentNameIDGenerationConfiguration topic.
Specific XML Elements
One of the following MUST be provided:
Common XML Attributes
Name | Type | Default | Description
--- | --- | --- | ---
id | String | | Identifier for the DataConnector. This is used for logging, to establish dependencies, and as a target for failover.
activationConditionRef | Bean ID | | Bean ID of a condition to decide whether to resolve this connector, see here. Mutually exclusive with relyingParties and resolutionPhases and variants
relyingParties | Space-delimited list | | List of entity IDs for which this connector should be resolved. Mutually exclusive with activationConditionRef
excludeRelyingParties | Space-delimited list | | List of entity IDs for which this connector should not be resolved. Mutually exclusive with activationConditionRef
resolutionPhases | Space-delimited list | | List of resolution phases (i.e. flows) during which this connector should be resolved. Mutually exclusive with activationConditionRef
excludeResolutionPhases | Space-delimited list | | List of resolution phases (i.e. flows) during which this connector should not be resolved. Mutually exclusive with activationConditionRef
exportAttributes | Space-delimited list | | List of attributes produced by the DataConnector that should be directly exported as resolved IdPAttributes without requiring actual AttributeDefinitions. In the case of a name clash (a DataConnector exports an attribute with the same name as an AttributeDefinition, or another DataConnector exports the same attribute) the DataConnector attribute is NOT added and a warning is issued.
noRetryDelay | Duration | 0 | Time between retries of a failed DataConnector (during the interval, failure is simply assumed when the connector is run and no actual connection is attempted)
propagateResolutionExceptions | Boolean | true | Whether connector/plugin failure is fatal to the entire attribute resolution process. If this is set to false the error is logged and the data connector returns no attributes.
Common XML Elements
Name | Cardinality | Description
--- | --- | ---
<InputAttributeDefinition> | 0 or more | This element identifies an attribute definition which is an input to this data connector
<InputDataConnector> | 0 or more | This element identifies a data connector whose attributes are to be input to this data connector
<FailoverDataConnector> | 0 or 1 | This element has a single attribute ref="whatever" whose content is the identifier of a data connector to resolve if this data connector fails (for instance due to the external data source being unavailable)
Example
<DataConnector id="StoredIDConnector" xsi:type="StoredId" generatedAttributeID="StoredId" sourceAttributeID="email">
    <BeanManagedConnection>TheDataConnectorId</BeanManagedConnection>
</DataConnector>