CryptoTransientPrincipalConnector
CryptoTransient Principal Connector
Available in IdP 2.3 and later, this principal connector determines the principal associated with a name identifier by decrypting and verifying values produced by the CryptoTransientId attribute definition. If the name identifier was not generated by this attribute definition, then the resolution of the principal name will fail.
Using cryptographic transient identifiers allows multiple IdP nodes that share a symmetric key to produce and consume identifiers without sharing state. This is part of a stateless clustering solution.
Provide a DataSealer
The cryptographic settings needed for this plugin are supplied by a DataSealer, a Java bean component that you configure and then inject into the resolver.
Define the Connector
The connector is defined with the element <resolver:PrincipalConnector xsi:type="pc:CryptoTransient" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"> with the following required attributes:
- id - assigns a unique, within the resolver, identifier
- nameFormat - the name identifier format serviced by this principal connector
- dataSealerRef - identifies a DataSealer Spring-configured bean.
<resolver:PrincipalConnector id="shibCryptoTransient" xsi:type="pc:CryptoTransient"
xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
dataSealerRef="shibboleth.TransientIDDataSealer"
nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
<resolver:PrincipalConnector id="saml2CryptoTransient" xsi:type="pc:CryptoTransient"
xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
dataSealerRef="shibboleth.TransientIDDataSealer"
nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
Since SAML 1 and SAML 2 use two different names to refer to a transient identifier, two principal connectors may need to be defined, one with a name format of urn:mace:shibboleth:1.0:nameIdentifier and the other with a name format of urn:oasis:names:tc:SAML:2.0:nameid-format:transient as shown above