...
This is a globally unique identifier that syntactically looks a bit like an email address but certainly does not have to be one. (Most existing email addresses will not be suitable candidates for this attribute, due to its requirements for non-reassignment as well as opaqueness.) or an eduPersonPrincipalName.
Compared to eduPersonPrincipalName, its main differences are:
- opaque (i.e., long, ugly, "privacy preserving") values
- a strict requirement that values may never be reassigned from one subject to another
See the eduPerson specification (linked above) for details of the definition. See below for implementation considerations and how eduPersonUniqueId compares to other common SAML attributes. See the IDP 3 Attribute resolution documentation for concrete implementation examples.
eduPersonUniqueID Alternatives
...
So, following Postel's law, it is recommended that SAML Service Providers (also) accept eduPersonUniqueID whenever a stable, unique identifier is needed.
Creating the attribute with Shibboleth IDP v3
If you already support persistent NameIDs, you can re-use parts of that configuration to create eduPersonUniqueID attributes with little extra effort. The example below takes the attribute configured as idp.persistentId.sourceAttribute in /opt/shibboleth-idp/conf/saml-nameid.properties as source data, applies the salt configured as idp.persistentId.salt in the same file, and generates an MD5 hash from the combined string. Because the persistent-ID salt is reused, the same rules apply to it here: keep it secret (anyone who knows the salt can brute-force the values from a list of usernames, which destroys their opaqueness) and never change it once values have been released (a new salt gives every subject a new value, which breaks the stability the attribute is meant to provide).
...
| language | javascript |
|---|---|
| title | Example, re-using the definitions for persistentIds |
...
for a subject is needed.