Versions Compared

Comment: complete persistent NameID support

...

The SAML SubjectID (subject-id) can be seen as an opaque (i.e. not name-based; a long, "ugly" value) and more stable version of eduPersonPrincipalName. It is intended as a replacement for the eduPersonUniqueId attribute and possibly also for eduPersonPrincipalName. The example provided below re-uses configuration already made to support persistent NameIDs, namely the settings idp.persistentId.sourceAttribute and idp.persistentId.salt from the file /opt/shibboleth-idp/conf/saml-nameid.properties. (To complete the minimal setup required for persistent NameIDs, also uncomment the shibboleth.SAML2PersistentGenerator bean in/around line 38 of /opt/shibboleth-idp/conf/saml-nameid.xml. This is only needed if you want or need to support persistent NameIDs, which are still used by some services but are de facto deprecated.)

Provided you already have a stable, non-recycled internal identifier for your subjects (one that is never reassigned from one subject to another), set that attribute in the idp.persistentId.sourceAttribute property of the referenced config file; it will then also serve as the basis for the SubjectID attribute. The configuration below also re-uses the salt configured in the property idp.persistentId.salt to generate a salted hash of the chosen source attribute as the local part of the SubjectID attribute value:
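The following is an added example of such a SubjectID definition, written for this page; it is not the original page's own block and not code from the Shibboleth project. A ScriptedAttribute computes a salted hash of the source attribute, deliberately without mixing in the relying party (unlike the ComputedID connector, which always does and would therefore yield a different value per service), and a Scoped definition adds the scope and the SAML encoder. Assumptions: idp.persistentId.sourceAttribute is uid and is returned by a data connector named myLDAP; %{...} property placeholders are expanded inside the script body; the IdP runs a Nashorn-compatible JavaScript engine; the salt contains no double quote or backslash characters (which would break the script literal). The SAML subject identifier profile restricts the local part to a small character set, so the digest is hex-encoded here rather than Base64-encoded, which can produce + and /.

```xml
<!-- Added example, not from the original page or the Shibboleth project.
     Assumed names: data connector "myLDAP", source attribute "uid",
     %{idp.persistentId.salt} expanded into the script text, Nashorn engine. -->
<AttributeDefinition id="subjectIdHash" xsi:type="ScriptedAttribute">
    <InputDataConnector ref="myLDAP" attributeNames="uid" />
    <Script><![CDATA[
        var MessageDigest = Java.type("java.security.MessageDigest");
        var StandardCharsets = Java.type("java.nio.charset.StandardCharsets");
        var JString = Java.type("java.lang.String");

        if (typeof uid !== "undefined" && uid.getValues().size() > 0) {
            var source = uid.getValues().get(0).getValue();

            // No relying party ID goes into the hash: the subject-id must be identical
            // for every service. The same secret salt as for persistent NameIDs is used.
            var input = new JString("%{idp.persistentId.salt}" + "!" + source);
            var md = MessageDigest.getInstance("SHA-256");
            var digest = md.digest(input.getBytes(StandardCharsets.UTF_8));

            // Hex keeps the local part within [a-z0-9]; Base64 could emit '+' or '/'.
            var hex = "";
            for (var i = 0; i < digest.length; i++) {
                hex += ("0" + (digest[i] & 0xff).toString(16)).slice(-2);
            }
            subjectIdHash.addValue(hex);
        }
    ]]></Script>
</AttributeDefinition>

<AttributeDefinition id="subject-id" xsi:type="Scoped" scope="%{idp.scope}">
    <InputAttributeDefinition ref="subjectIdHash" />
    <DisplayName xml:lang="de">Eindeutige Benutzerkennung</DisplayName>
    <DisplayName xml:lang="en">Unique subject identifier</DisplayName>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" friendlyName="subject-id" encodeType="false" />
</AttributeDefinition>
```

Two practical checks: the salt must stay secret and must never change, because the hash is only as unguessable as the salt (uids are short, so without a secret salt a dictionary attack recovers them) and changing the salt silently re-issues every subject-id. Also verify with the aacli that the local part actually contains only characters permitted by the subject identifier profile; the same applies to the pairwise-id below when it is built from a ComputedID value.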

...

The SAML PairwiseID (pairwise-id) is an opaque, persistent, service-specific pseudonym. It is intended as a replacement for the eduPersonTargetedID attribute as well as for standard SAML 2.0 persistent NameIDs. The example provided below re-uses configuration already made to support persistent NameIDs, namely the settings idp.persistentId.sourceAttribute and idp.persistentId.salt from the file /opt/shibboleth-idp/conf/saml-nameid.properties (see the note on completing the persistent NameID setup in saml-nameid.xml above; that step is only needed if you also want to support persistent NameIDs).

Code Block (language: xml, title: PairwiseID, re-using the definitions for persistent IDs)
<AttributeDefinition id="pairwise-id" xsi:type="Scoped" scope="%{idp.scope}">
    <InputDataConnector ref="computed" attributeNames="ComputedID" />
    <DisplayName xml:lang="de">Service-spezifische Benutzerkennung</DisplayName>
    <DisplayName xml:lang="en">Service-specific pseudonym</DisplayName>
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" />
</AttributeDefinition>

...

Tip

If you are using your Shibboleth IDP to access USI Wien services, check out another variant for creating eduPersonEntitlement values that specifically includes code for use with the USI Wien Service Provider.

...


schacHomeOrganization

schacHomeOrganization is sometimes needed by services, usually as an IDP- and entityID-independent identifier for an organization, e.g. to map subjects from an IDP to a contract in the name of the organization that runs the IDP (without having to hard-code the IDP's entityID into some configuration file or database). The following will work for anyone, based on the data connector provided below (which is also generic, thanks to its use of Java properties):
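An added example of such a property-based definition, written for this page and not the original page's own block or Shibboleth project code. It assumes that idp.scope (from idp.properties) is the DNS domain you want to publish as the home organization and that no data connector with id staticAttributes exists yet; both are assumptions.

```xml
<!-- Added example, not from the original page. Assumes idp.scope holds the
     organization's domain name and the id "staticAttributes" is free. -->
<DataConnector id="staticAttributes" xsi:type="Static">
    <Attribute id="schacHomeOrganization">
        <!-- SCHAC defines the value as the home organization's domain name -->
        <Value>%{idp.scope}</Value>
    </Attribute>
</DataConnector>

<AttributeDefinition id="schacHomeOrganization" xsi:type="Simple">
    <InputDataConnector ref="staticAttributes" attributeNames="schacHomeOrganization" />
    <DisplayName xml:lang="de">Heimatorganisation</DisplayName>
    <DisplayName xml:lang="en">Home organization</DisplayName>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" encodeType="false" />
</AttributeDefinition>
```

A static value is only correct if the IDP serves exactly one organization. An IDP that authenticates users from several organizations (a hosted or hub IDP) must derive schacHomeOrganization per user, e.g. from a directory attribute, otherwise a service keyed on this value will attribute every subject to the hosting organization's contract.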

...