
The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.


Transient Name Identifier

Transient name identifiers have the following properties:

    Property        Value
    longevity       transient, 5 minute lifetime
    transparency    opaque
    scoped          no
    targeted        no
    revokable       yes, ID automatically revoked after 5 minutes
    reusable        yes
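The properties above describe what the IdP's transient ID store does: hand out a fresh random value per request, keep the mapping back to the principal only on the IdP side, honour reverse lookups only for the relying party the value was issued to, and drop the mapping when the lifetime expires. The following is an added toy model of that behaviour written for this page; it is not Shibboleth's own code, and the principal name, entityIDs and clock values in it are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# The page's stated lifetime: 5 minutes, expressed in seconds.
TRANSIENT_ID_LIFETIME = 5 * 60


@dataclass
class TransientIdEntry:
    principal: str        # who the ID was issued for (never leaves the IdP)
    relying_party: str    # entityID the ID was issued to
    expires_at: float     # absolute time after which the ID is revoked


class TransientIdStore:
    """Toy model of an IdP-side transient ID store (not the Shibboleth implementation)."""

    def __init__(self, lifetime=TRANSIENT_ID_LIFETIME, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._entries = {}

    def issue(self, principal, relying_party):
        # Opaque and unscoped: a fresh random token that carries no principal data,
        # no '@scope' suffix, and no relationship to earlier IDs for the same user.
        value = secrets.token_urlsafe(24)
        self._entries[value] = TransientIdEntry(
            principal, relying_party, self._clock() + self._lifetime)
        return value

    def resolve(self, value, relying_party):
        # Only the IdP can map the value back to a principal, e.g. to answer an
        # attribute query. The lookup is honoured only for the relying party the
        # ID was issued to and only while it is unexpired; afterwards the ID is
        # automatically revoked. The lookup is non-consuming, so the same value
        # can be presented again within its lifetime ("reusable: yes").
        entry = self._entries.get(value)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            del self._entries[value]
            return None
        if entry.relying_party != relying_party:
            return None
        return entry.principal

    def purge_expired(self):
        """Remove every expired mapping; returns how many were dropped."""
        now = self._clock()
        expired = [v for v, e in self._entries.items() if now >= e.expires_at]
        for v in expired:
            del self._entries[v]
        return len(expired)


class FakeClock:
    """Manually advanced clock used to demonstrate expiry without sleeping."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


def demo():
    """Walk through the table's properties with constructed names; returns a summary dict."""
    sp = "https://sp.example.org/shibboleth"          # constructed entityID
    other_sp = "https://other.example.org/shibboleth"  # constructed entityID
    clock = FakeClock()
    store = TransientIdStore(clock=clock)

    first = store.issue("jdoe", sp)
    second = store.issue("jdoe", sp)
    summary = {
        "distinct_per_request": first != second,           # not targeted, unlinkable by the SP
        "resolves_for_issuer_sp": store.resolve(first, sp) == "jdoe",
        "resolves_for_other_sp": store.resolve(first, other_sp) is not None,
        "reusable_within_lifetime": store.resolve(first, sp) == "jdoe",
    }
    clock.t += TRANSIENT_ID_LIFETIME + 1                   # cross the 5 minute boundary
    summary["resolves_after_lifetime"] = store.resolve(first, sp) is not None
    summary["purged"] = store.purge_expired()              # 'second' is still in the store
    return summary
```

The model is deliberately single-process; a real IdP keeps this mapping in a storage service shared across its nodes so that an attribute query can be answered by any of them.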

Define the Attribute

Transient name identifier attributes are created in two steps:

  1. Create a TransientId attribute definition; it generates the transient ID value at resolution time and needs no dependencies on other attributes or data connectors.
  2. Attach a SAML 1 NameIdentifier encoder and a SAML 2 NameID encoder to that definition, so that the value is emitted as the assertion's subject identifier rather than as an ordinary attribute.
Transient Name Identifier Attribute Definition
<!-- attribute-resolver.xml: the resolver namespace prefix is declared on the document root -->
<resolver:AttributeDefinition id="transientId" xsi:type="TransientId"
                              xmlns="urn:mace:shibboleth:2.0:resolver:ad">

    <!-- SAML 1 encoder: emits the value as a <NameIdentifier> in the Shibboleth transient format -->
    <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />

    <!-- SAML 2 encoder: emits the value as a <NameID> in the standard transient format -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeDefinition>

The name format for a transient ID in SAML 1 is urn:mace:shibboleth:1.0:nameIdentifier and in SAML 2 is urn:oasis:names:tc:SAML:2.0:nameid-format:transient. These are the Format values a relying party will see on the NameIdentifier or NameID element the encoders above produce.
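When verifying a deployment from the relying party side, the useful check is that the assertion's subject identifier really carries one of the two formats above and that the value behaves as the properties table promises: unscoped, opaque, and different on every request. The following checker is an added example for this page, not part of the Shibboleth software; the two assertions embedded in it are constructed samples with made-up identifiers and entityIDs.

```python
import re
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# The two transient formats named on this page.
SAML1_TRANSIENT_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"
SAML2_TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: a SAML 2 assertion whose subject uses the transient format.
SAML2_OK = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.example.org/idp/shibboleth"
        SPNameQualifier="https://sp.example.org/shibboleth">_8c2f0b5a7d1e4f3a9b6c0d2e1f3a4b5c</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

# Constructed sample: a SAML 1.1 assertion in the Shibboleth transient format.
SAML1_OK = """<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_b2"
    Issuer="https://idp.example.org/idp/shibboleth" IssueInstant="2009-01-01T00:00:00Z">
  <saml1:AuthenticationStatement AuthenticationInstant="2009-01-01T00:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml1:Subject>
      <saml1:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.org/idp/shibboleth">_5e9d1c7b3a2f4e6d8c0b1a2f3e4d5c6b</saml1:NameIdentifier>
    </saml1:Subject>
  </saml1:AuthenticationStatement>
</saml1:Assertion>"""

# Constructed negative sample: an e-mail address instead of a transient ID.
SAML2_BAD = SAML2_OK.replace(SAML2_TRANSIENT_FORMAT,
                             "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress") \
                    .replace("_8c2f0b5a7d1e4f3a9b6c0d2e1f3a4b5c", "jdoe@example.org")


def extract_name_identifier(assertion_xml):
    """Return (Format, value, expected transient Format) for a SAML 1.1 or 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag == f"{{{SAML2_NS}}}Assertion":
        el = root.find(f"{{{SAML2_NS}}}Subject/{{{SAML2_NS}}}NameID")
        expected = SAML2_TRANSIENT_FORMAT
    elif root.tag == f"{{{SAML1_NS}}}Assertion":
        # SAML 1.1 puts the Subject inside each statement rather than on the assertion.
        el = root.find(f".//{{{SAML1_NS}}}Subject/{{{SAML1_NS}}}NameIdentifier")
        expected = SAML1_TRANSIENT_FORMAT
    else:
        raise ValueError("not a SAML 1.1 or SAML 2.0 assertion")
    if el is None:
        raise ValueError("assertion has no subject name identifier")
    return el.get("Format"), (el.text or "").strip(), expected


def check_transient(assertion_xml):
    """Return a list of problems; an empty list means the identifier looks like a transient ID."""
    fmt, value, expected = extract_name_identifier(assertion_xml)
    problems = []
    if fmt != expected:
        problems.append(f"Format is {fmt!r}, expected {expected!r}")
    if "@" in value:
        problems.append("value is scoped (contains '@'); transient IDs are not scoped")
    # Heuristic opacity check: a reasonably long token drawn from a random-ID alphabet.
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9_\-=/+]+", value):
        problems.append("value does not look like an opaque random token")
    return problems


def check_unlinkable(assertion_a, assertion_b):
    """True when two assertions for the same session user carry different identifiers."""
    _, value_a, _ = extract_name_identifier(assertion_a)
    _, value_b, _ = extract_name_identifier(assertion_b)
    return value_a != value_b
```

The opacity test is only a heuristic; the authoritative check is the "distinct on every request" property, which check_unlinkable applies to two assertions captured for the same user in separate logins.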

Release the Attribute

Finally, define an attribute filter policy that releases the transient ID to the intended relying parties. Transient IDs are opaque to the relying party: the value carries no personal data and cannot be correlated across sessions, so releasing it to any relying party discloses nothing about the user. Note that the IdP itself retains the mapping from the value back to the principal for the ID's lifetime (so that attribute queries can be answered and the IdP's logs remain accountable); opacity applies to the relying party, not to the IdP. The following attribute filter policy is therefore suggested, but others may be used at the deployer's discretion.

Attribute Filter Policy Releasing Transient ID to Anyone
<!-- attribute-filter.xml: the afp default namespace and the basic prefix are declared on the document root -->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">

    <!-- Policy applies to every relying party -->
    <PolicyRequirementRule xsi:type="basic:ANY" />

    <!-- Release every value of the transientId attribute defined in the resolver -->
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

</AttributeFilterPolicy>