The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

SAML2PersistentIDAttributeDefinition

Configuring a SAML 2 Persistent ID Attribute Definition

This plugin provides a very basic implementation of SAML 2.0 persistent identifiers. It creates these by hashing the user's principal ID, service provider ID, and a salt. This provides an opaque identifier, unique to each principal/service provider tuple.

Attribute Definition Basics

All attribute definitions are configured in the IdP's resolver.xml file.

Basic Attributes

Each attribute definition supports the following basic XML attributes in its definition:

  • id - (required) used by the definition to determine its source, or input, attribute and by other definitions and data connectors to refer to this definition
  • sourceName - (optional) used to explicitly specify the name of the source, or input, attribute used by the definition

Source Attributes

Most attribute definitions transform other attributes. A definition will determine the name of its source attribute in the following way:

  1. If sourceName is present, use the attribute whose name exactly matches the given source name.
  2. Otherwise, use the attribute whose name exactly matches the definition's id.
  3. Otherwise, use the attribute whose name exactly matches the last token of the definition's id when split on / or :.

Configuring the Definition

  1. Create a SAML2PersistentID element with an id attribute and the following attribute:
    • sourceName - the name of the source attribute
  2. Create a Salt element as a child of SAML2PersistentID, whose content is a secret of 16 or more characters. You may wish to place this value in a CDATA section so that the string does not interfere with XML processing.

Example Configuration

<SAML2PersistentID id="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" sourceName="guid">
	 <DataConnectorDependency requires="directory"/>
	 <Salt><![CDATA[f83(k4K*397ke.2d9vD8214+-]]></Salt>
</SAML2PersistentID>
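The following Python is an added illustration of the construction described above (a salted hash over the principal and service provider IDs, with the salt length check from the configuration steps); it is not the plugin's own code, and the digest, field framing and encoding are assumptions, since the page does not specify them. The principal, entity ID and salt values are constructed for the example.

```python
import base64
import hashlib

MIN_SALT_LENGTH = 16  # the documentation requires a secret of 16 or more characters


def _frame(value: str) -> bytes:
    """Length-prefix a field so that field boundaries are unambiguous.

    Plain concatenation would make ("ab", "c") and ("a", "bc") hash to the same
    value; a fixed delimiter fails when a value contains the delimiter.
    (Assumption: this framing is the example's choice, not the plugin's.)
    """
    data = value.encode("utf-8")
    return len(data).to_bytes(4, "big") + data


def persistent_id(principal: str, sp_entity_id: str, salt: str) -> str:
    """Opaque identifier that is stable for one (principal, SP) pair.

    Assumptions: SHA-256 as the digest and base64 as the encoding. The salt is
    hashed into the value, so a party that does not hold the salt cannot
    recompute IDs or test guesses against them.
    """
    if len(salt) < MIN_SALT_LENGTH:
        raise ValueError("salt must be at least %d characters" % MIN_SALT_LENGTH)
    material = _frame(principal) + _frame(sp_entity_id) + _frame(salt)
    digest = hashlib.sha256(material).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values (not from a real deployment).
    salt = "constructed-example-salt-0123456789"
    sp_a = "https://sp-a.example.org/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    # The same user is seen under different identifiers at different SPs,
    # so the two SPs cannot correlate the user by comparing values.
    print("alice @ sp-a:", persistent_id("alice", sp_a, salt))
    print("alice @ sp-b:", persistent_id("alice", sp_b, salt))
```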

Advanced Configuration

You may also use an existing secret key, stored in a Java keystore, as the salt. To do this, remove the content of the Salt element and add the following attributes:

  • keyStorePath - the full path to the Java keystore file
  • keyStorePassword - the password of the key store
  • keyStoreKeyAlias - the alias/name of the secret key in the key store
  • keyStoreKeyPassword - the password used to decrypt the secret key