Computed ID Data Connector
In deployments that can accommodate a database, the stored ID data connector is strongly recommended over this connector because of the additional deployment flexibility it offers: a stored identifier can be changed, revoked, and reverse-mapped back to the user, whereas a computed hash cannot.
Deployers should be aware that the computed ID data connector cannot be used to generate SAML name identifiers in conjunction with profiles that require reverse-mapping the identifier back into a user identity, since the identifier is a one-way hash. This mainly affects attribute queries (typically from legacy Shibboleth 1.x SPs).
This connector creates a unique identifier by computing the SHA-1 hash of the attribute requester's entity ID, a value of a given attribute, and a salt. These IDs are normally used as user identifiers because of two properties:
- each requester receives a distinct, opaque identifier for a given user, so requesters cannot correlate a user across services by comparing identifiers (they can still correlate on any other attributes released to them, so this only helps if the rest of the released attribute set is non-identifying)
- each requester always gets the same identifier for a given user, so it can associate user preferences and other state with that ID
The IDs generated by this connector are compatible with those created by the Shibboleth 1 persistent ID and SAML2 persistent ID attribute definitions.
1. Define the Connector
To define a new computed ID data connector, create a <DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"> element with the following attributes:
- id - a unique identifier for the data connector
- sourceAttributeID - the ID of an attribute, provided by a dependency, whose first value will be used within the computed ID hash (if the attribute can carry more than one value, the order of those values must be stable, or the generated ID will change)
- salt - a string of random data, at least 16 characters long; 48 characters is recommended. Keep the salt confidential and do not change it once identifiers have been issued: the ID is a deterministic hash over the requester's entity ID, the source value and the salt, so a new salt gives every user a new identifier at every service provider
The connector also supports the following, optional, attribute:
- generatedAttributeID - the ID of the attribute created by the data connector, the default value is "computedId"
It is recommended that the attribute given by sourceAttributeID be a non-reassigned value, unique to each user. Using such a value effectively eliminates the problems that occur when a value is reassigned and a service provider has not cleaned out state belonging to the previous owner of that ID. Many uses of this data require that the resulting value have this non-reassignment property.
2. Define Dependencies
This data connector requires exactly one dependency, which provides the attribute identified by the sourceAttributeID attribute.
Dependencies are expressed by a <resolver:Dependency> element with a ref attribute whose value is the unique ID of the attribute definition or the data connector that this connector depends on.
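A complete attribute-resolver.xml fragment covering both steps above, written here as an added example rather than taken from this page or the Shibboleth project's own configuration. It uses the prefixed element form (resolver:, dc:, ad:, enc:) found in the stock attribute-resolver.xml and assumes those prefixes are declared on the root element; the LDAP connector id "myLDAP", the source attribute "uid", and the eduPersonTargetedID attribute definition that consumes the generated value are illustrative assumptions, not settings given on this page.

```xml
<!-- Added illustrative fragment for an IdP 2.x attribute-resolver.xml; not from the
     Shibboleth wiki page above. Assumes the resolver/dc/ad/enc namespace prefixes
     declared in the stock configuration and an LDAP data connector with id="myLDAP"
     that exposes the user's "uid" attribute (both assumptions). -->

<!-- Step 1: the connector. generatedAttributeID is set explicitly so the produced
     attribute has an obvious name; without it the default "computedId" is used.
     Step 2: exactly one dependency, the connector that supplies "uid".
     "uid" is assumed to be a non-reassigned, single-valued identifier per user. -->
<resolver:DataConnector id="computedID" xsi:type="dc:ComputedId"
    generatedAttributeID="computedID"
    sourceAttributeID="uid"
    salt="REPLACE-WITH-AT-LEAST-48-RANDOM-CHARACTERS-KEPT-SECRET-AND-NEVER-CHANGED">
    <resolver:Dependency ref="myLDAP" />
</resolver:DataConnector>

<!-- Consuming the generated attribute as a SAML 2 persistent NameID
     (eduPersonTargetedID). This wiring is an assumption for illustration; the page
     above only states that the generated IDs are compatible with the persistent ID
     attribute definitions, not how to declare them. -->
<resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="ad:SAML2NameID"
    nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    sourceAttributeID="computedID">
    <resolver:Dependency ref="computedID" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</resolver:AttributeDefinition>
```

The salt placeholder must be replaced with real random data before deployment, and the same salt must be present on every IdP node in a cluster, otherwise different nodes will hand the same SP different identifiers for one user. Because the connector hashes the requester's entity ID, the generated value only exists in the context of a specific SP; to check what a given SP will receive, run the IdP's aacli tool with --principal set to a test user and --requester set to that SP's entity ID and compare the eduPersonTargetedID values for two different requesters, which should differ, and for two runs against the same requester, which should be identical.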