Hi Robert,
Is it reasonable to assume that if an SP is capable of using a SAML2 NameID, they will before looking for EPTID, and if not they're probably still SAML1 only anyway?
I'm implementing our upgrade with the approach of:
Keeping storedID-generated values for SAML1 and using the new Bean method to do Computed NameIDs for SAML2; using the same salt, the same results are produced.
(Our reasons for using storedIDs are probably unique to us, we were using Computed IDs with Shib 1.3 with a complex JKS stored salt. This didn't sit well with Shib2 so we created a local patch to allow for base64 encoded salts to be used with a storedID with the view of dumping them all in a SQLite database and retiring the patch and using a new salt after $REASONABLE_NUM years.)
Cheers,
Andrew
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Robert Bradley
Sent: 16 February 2017 18:27
To: [log in to unmask]
Subject: Re: IdPv3 eduPersonTargetedID
On 16/02/17 17:40, Keith Carr wrote:
> My question is this:- Is there a way to produce the
> eduPersonTargetedID attribute using the new persistent
> NameIdGeneration method (rather than using the "old"
> data-connector-in-the-"attribute-resolver"-file method)? After
> all, the values held in the database are the same. So can I use
> the saml-nameid.properties and saml-nameid.xml files and link the
> resultant NameId to output as the eduPersonTargetedID attribute in
> the SAML?
>
An attribute-resolver.xml config like this should work, assuming a
plaintext salt with no unusual characters:
    <!-- Exposes the computed persistent ID as eduPersonTargetedID, carrying a
         SAML 2 NameID (persistent format) inside the attribute value -->
    <resolver:AttributeDefinition
        id="eduPersonTargetedID"
        xsi:type="ad:SAML2NameID"
        sourceAttributeID="computedId"
        nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <resolver:Dependency ref="computedId"/>
        <resolver:DisplayName xml:lang="en">Targeted ID</resolver:DisplayName>
        <!-- Same eduPersonTargetedID OID for both the SAML 1 and SAML 2 encoders -->
        <resolver:AttributeEncoder
            xsi:type="enc:SAML1XMLObject"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"/>
        <resolver:AttributeEncoder
            xsi:type="enc:SAML2XMLObject"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
            friendlyName="eduPersonTargetedID"/>
    </resolver:AttributeDefinition>

    <!-- ComputedId connector reusing the source attribute and salt that
         persistent NameID generation reads from saml-nameid.properties -->
    <resolver:DataConnector
        id="computedId"
        xsi:type="dc:ComputedId"
        sourceAttributeID="%{idp.persistentId.sourceAttribute}"
        salt="%{idp.persistentId.salt}">
        <resolver:Dependency ref="%{idp.persistentId.sourceAttribute}"/>
    </resolver:DataConnector>
This would pick up the salt value from saml-nameid.properties.
--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
--------------------------------------------------------------------
Top 4 UK university and best in Wales for student satisfaction
(National Student Survey 2016)
www.aber.ac.uk
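Both messages rest on the same point: the ComputedId connector that Robert wires up and the computed persistent NameID strategy that Andrew moves to for SAML2 derive the identifier as Base64(SHA-1(relyingPartyId + "!" + sourceAttributeValue + "!" + salt)), so storedID rows written earlier and freshly computed NameIDs agree only while the salt and source attribute stay the same. The script below is an added example, not code from the thread or from the Shibboleth project; it reimplements that derivation and audits a constructed stored-ID table for rows that no longer match. The "base64:" salt prefix is an assumed convention to model Andrew's local patch, not IdP syntax.

```python
"""Added example (not from the thread or the Shibboleth project).

Reimplements the Shibboleth computed-ID derivation,
    Base64( SHA-1( relyingPartyId + "!" + sourceValue + "!" + salt ) ),
and uses it to check that values stored in a storedID table still match what
the computed NameID strategy would produce for the same salt.
"""
import base64
import hashlib


def computed_id(relying_party_id: str, source_value: str, salt: bytes) -> str:
    """Base64(SHA-1(rpId ! source ! salt)), the computed-ID layout."""
    digest = hashlib.sha1()
    digest.update(relying_party_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def salt_from_config(value: str) -> bytes:
    """Plain-text salt as the IdP reads it from idp.persistentId.salt.

    The 'base64:' prefix is an assumed convention (not IdP syntax) standing in
    for Andrew's local patch that accepted Base64-encoded (binary) salts.
    """
    if value.startswith("base64:"):
        return base64.b64decode(value[len("base64:"):])
    return value.encode("utf-8")


def audit_stored_ids(rows, salt: bytes):
    """rows: iterable of (relyingPartyId, sourceValue, storedId).

    Returns the rows whose stored value differs from the recomputed one, which
    is what you would see after a salt change or a switched source attribute.
    """
    return [
        (rp, src, stored)
        for rp, src, stored in rows
        if computed_id(rp, src, salt) != stored
    ]


# Constructed sample data: a binary salt supplied Base64-encoded, two rows
# written with that salt, and one row whose stored value has drifted.
SALT = salt_from_config("base64:" + base64.b64encode(b"example-salt").decode("ascii"))
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
SAMPLE_ROWS = [
    (SP_A, "jdoe", computed_id(SP_A, "jdoe", SALT)),
    (SP_B, "jdoe", computed_id(SP_B, "jdoe", SALT)),
    # stored with a different (old) salt, so recomputation will not match
    (SP_A, "asmith", computed_id(SP_A, "asmith", b"old-salt")),
]


def mismatched_rows():
    """Rows in the constructed table that the current salt cannot reproduce."""
    return audit_stored_ids(SAMPLE_ROWS, SALT)


if __name__ == "__main__":
    for rp, src, stored in mismatched_rows():
        print(f"MISMATCH rp={rp} source={src} stored={stored}")
    print(f"{len(SAMPLE_ROWS) - len(mismatched_rows())} of {len(SAMPLE_ROWS)} rows match")
```

Run it against an export of the real storedID table before cutting SAML2 over to computed NameIDs: zero mismatches confirms that the salt in saml-nameid.properties is the one the stored rows were generated with, so SPs keep the same identifier across the switch. The same per-relying-party scoping is visible in the output: one user yields a different value for each SP entityID, which is the unlinkability property eduPersonTargetedID is meant to give.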