The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.


Transient Name Identifier

Transient name identifiers have the following properties:

Property        Value
longevity       transient, 5 minute lifetime
transparency    opaque
scoped          no
targeted        no
revokable       yes, ID automatically revoked after 5 minutes
reusable        yes

Define the Attribute

The transient name identifier is created by the TransientId attribute definition.

The definition is defined with the element <resolver:AttributeDefinition xsi:type="TransientId" xmlns="urn:mace:shibboleth:2.0:resolver:ad"> with the following required attribute:

  • id - assigns an identifier, unique within the resolver, that may be used to reference this definition
Transient Name Identifier Attribute Definition
<resolver:AttributeDefinition id="UNIQUE_ID" xsi:type="TransientId"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad"/>

Encode the Attribute

The attribute definition must then be encoded as both a SAML 1 NameIdentifier and a SAML 2 NameID.

The SAML 1 NameIdentifier encoder is defined with the element <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"> with the following required attribute:

  • nameFormat - this attribute should have the value urn:mace:shibboleth:1.0:nameIdentifier

The SAML 2 NameID encoder is defined with the element <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"> with the following required attribute:

  • nameFormat - this attribute should have the value urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Transient Name Identifier Attribute Definition with Encoders
<resolver:AttributeDefinition id="UNIQUE_ID" xsi:type="TransientId"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad">

    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />

    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>

Release the Attribute

Like all attributes, once the attribute is defined it must be released to the appropriate relying party. Since transient IDs are opaque and have a very short lifetime, they are safe to release to anyone. Therefore the following attribute filter policy is suggested, but others may be used at the deployer's discretion.

Attribute Filter Policy Releasing Transient ID to Anyone
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
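The three steps above (definition, encoders, release) only work together when the encoder nameFormat values are the ones listed and the attributeID in the filter policy matches the id given to the TransientId definition. The following checker, added here as an example and not part of this page or of the Shibboleth software, parses an attribute-resolver fragment and an attribute-filter fragment and reports any of those mismatches. The function names, the constructed sample XML and the findings wording are all assumptions of this example.

```python
"""Hypothetical configuration check for a Shibboleth IdP 2.x TransientId
definition: verifies that both required encoders are present with the
expected nameFormat values and that the attribute filter policy releases
the definition under the same id. The sample XML below is constructed for
this example and is not taken from any real deployment."""
import xml.etree.ElementTree as ET

# Fully qualified key ElementTree uses for the xsi:type attribute
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
NS = {
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "afp": "urn:mace:shibboleth:2.0:afp",
}
# Required encoders for a transient ID and the nameFormat each must carry
EXPECTED_FORMATS = {
    "SAML1StringNameIdentifier": "urn:mace:shibboleth:1.0:nameIdentifier",
    "SAML2StringNameID": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed sample: a correct definition with both encoders
GOOD_RESOLVER = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="transientId" xsi:type="TransientId"
                                xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

# Constructed sample: placeholder id left in, SAML 1 encoder missing,
# SAML 2 encoder given a non-transient format
BAD_RESOLVER = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="UNIQUE_ID" xsi:type="TransientId"
                                xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

# Constructed sample: the release policy from this page, wrapped in a group
FILTER_POLICY = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="transientId">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def find_transient_definitions(resolver_xml):
    """Return every top-level AttributeDefinition whose xsi:type is TransientId."""
    root = ET.fromstring(resolver_xml)
    return [d for d in root.findall("resolver:AttributeDefinition", NS)
            if d.get(XSI_TYPE) == "TransientId"]


def released_attribute_ids(filter_xml):
    """Collect every attributeID that some AttributeRule in the policy covers."""
    root = ET.fromstring(filter_xml)
    return {r.get("attributeID")
            for r in root.iter("{%s}AttributeRule" % NS["afp"])}


def check_transient_id(resolver_xml, filter_xml):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    definitions = find_transient_definitions(resolver_xml)
    if not definitions:
        return ["no TransientId attribute definition found"]
    released = released_attribute_ids(filter_xml)
    for definition in definitions:
        def_id = definition.get("id")
        # Map encoder type -> nameFormat actually configured on this definition
        seen = {enc.get(XSI_TYPE): enc.get("nameFormat")
                for enc in definition.findall("resolver:AttributeEncoder", NS)}
        for enc_type, expected in EXPECTED_FORMATS.items():
            if enc_type not in seen:
                findings.append("%s: missing %s encoder" % (def_id, enc_type))
            elif seen[enc_type] != expected:
                findings.append("%s: %s nameFormat is %r, expected %r"
                                % (def_id, enc_type, seen[enc_type], expected))
        # The filter policy must reference the definition by the same id
        if def_id not in released:
            findings.append("%s: no AttributeRule in the filter policy releases it"
                            % def_id)
    return findings


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_RESOLVER), ("bad", BAD_RESOLVER)):
        print(label, check_transient_id(xml_text, FILTER_POLICY) or "OK")
```

Running the module prints "OK" for the correct fragment and three findings for the flawed one: the missing SAML 1 encoder, the persistent instead of transient SAML 2 nameFormat, and the placeholder id that no AttributeRule releases. The same check can be pointed at a deployment's attribute-resolver.xml and attribute-filter.xml by reading those files into the two string arguments.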