Andy Swiffin wrote:
> 3) EPTID salt. What kind of thing do you use for the salt in
> PersistentIDAttributeDefinition. Do you use that, I notice that the
> documentation for it has vanished from the wiki? Or do you use
> SAML2PersistentIDAttributeDefinition instead and deliver EPTID using
> that, I notice that the output it generates is very different, is it
> compatible?
You can generate a salt by doing something like this on Linux:
dd if=/dev/random bs=1 count=16 | od -t x4
Then just glue the blobs of hex together and put it into the
configuration file. I understand the IdP Ant script has the option to
generate a random salt in a Java keystore, but I'm personally allergic
to those.
As to the difference between Persistent... and SAML2Persistent..., these
generate the same *values*, but *encode* them differently. The current
UK federation recommendation is for people to generate (and, for an SP,
use) the former, although the comments in the configuration file talk
about it as "deprecated". This is for backwards compatibility with
earlier versions of Shibboleth, and with some non-Shibboleth products.
In the longer term, we'll probably want to recommend a transition to the
newer encoding as it will be more compatible with future products.
-- Ian
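The salt recipe above, written out as a small script (an added example, not part of Ian's post or of the Shibboleth IdP distribution): it draws 16 random bytes, hex-encodes them, and glues the `od` output into one contiguous string ready to paste into the configuration file, then checks that the result really is 32 lowercase hex digits. It assumes a POSIX sh with `dd`, `od` and `tr`; it reads `/dev/urandom` rather than the post's `/dev/random` so it never blocks waiting for entropy. The function names `gen_salt` and `check_salt` are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build a random salt for a
# persistent-ID attribute definition as one hex blob.
# Assumes POSIX sh plus dd, od, tr. /dev/urandom is used instead of
# /dev/random so the script does not stall on a low-entropy machine.

gen_salt() {
    # $1 = salt length in bytes (default 16).
    # od -An -tx1 prints one hex byte per column with leading spaces and
    # line breaks; tr removes them so the whole salt is a single string.
    dd if=/dev/urandom bs=1 count="${1:-16}" 2>/dev/null \
        | od -An -tx1 \
        | tr -d ' \n'
}

check_salt() {
    # Returns 0 when $1 is exactly 2*$2 lowercase hex digits, else 1.
    # Catches the common paste mistakes: leftover spaces, truncation,
    # or an empty value.
    want=$(( ${2:-16} * 2 ))
    case "$1" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq "$want" ]
}

# Usage: generate one salt and verify it before putting it in the config.
SALT=$(gen_salt 16)
echo "$SALT"
if check_salt "$SALT" 16; then
    echo "salt ok (${#SALT} hex chars)"
else
    echo "salt malformed" >&2
    exit 1
fi
```

Keep the generated value out of version control and treat it like a key: changing it later changes every persistent identifier the IdP has ever issued, so the check is worth running once before the salt is committed to the configuration.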