Page tree
Skip to end of metadata
Go to start of metadata

Computed ID Data Connector

In deployments that can accomodate the use of a database, the stored ID data connector is strongly recommended as an alternative to this connector because of the additional deployment flexibility it offers to change, revoke, and reverse-map the identifiers.

Deployers should be aware that the computed ID data connector cannot be used to generate SAML name identifiers in conjunction with profiles that require reverse-mapping the identifier back into a user identity. This mainly involves attribute queries (typically for legacy Shibboleth 1.x SPs).

This connector is used to create a unique identifier by computing the SHA-1 hash of the attribute requester's entity ID, a value of a given attribute, and a salt. These IDs are normally used as user identifiers because of their properties:

  • each requester receives a unique, opaque, identifier preventing multiple requesters from performing any correlation attacks
  • each requester always get the same ID so they may associate user preferences with the ID

The IDs generated by this connector are compatible with those created by the Shibboleth 1 persistent ID and SAML2 persistent ID attribute definitions.

1. Define the Connector

To define a new computed ID data connector, create a <DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"> element with the following attributes:

  • id - a unique identifier for the data connector
  • sourceAttributeID - the ID of an attribute, provided by a dependency, whose first value will be used within the computed ID hash
  • salt - a string of random data; must be at least 16 characters, 48 characters is recommended

The connector also supports the following, optional, attribute:

  • generatedAttributeID - the ID of the attribute created by the data connector, the default value is "computedId"

It is recommended that the attribute given by sourceAttributeID be a non-reassigned value, unique to each user. Usage of such a value effectively eliminates problems that may occur if a value is reassigned and a service provider has not cleaned out state from the previous owner of that ID. Many uses of this data require that the resulting value have a non-reassignment property.

2. Define Dependencies

This data connector requires exactly one dependency, which provides the attribute identified by the sourceAttributeID attribute.

Dependencies are expressed by the <resolver:Dependency> with a ref attribute whose value is the unique ID of the attribute definition or the data connector that this connector depends on.

Example ComputedID Data Connector
<resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"

     <resolver:Dependency ref="DEFINITION_ID_1" />