* Jon Warbrick [2011-03-11 10:13]:
> The new form is close to unusable for display purposes:
>
> https://shib-test.raven.cam.ac.uk/shibboleth!https://mnementh.csi.cam.ac.uk/shibboleth/ucam!rUL8A3M667VfsiCImQVFffN9cNk=.

This also creates other problems, such as exposing limits in
applications or their databases, e.g. some commonly used ExLibris
library software has a CHAR(40) limit on the column for user
identifiers.

At least for these cases the Shibboleth SP has a feature to hash the
IdP!SP!user-triplet on the fly before exporting it to the webserver's
environment, effectively shortening it to 32 (md5) or 40 (sha1)
characters. Cf. "hashAlg" in
https://spaces.internet2.edu/display/SHIB2/NativeSPAttributeDecoder

While this makes incident handling a bit more difficult (you can't
just ask the IdP admin for a given eduPersonTargetedId/SAML2 NameID,
they'd have to hash all the IDs for that particular SP together to
find the matching one) the need for this will hopefully occur very
seldom, not causing any practical difference.

Not sure 32 random characters make for a much better display name,
though :(

cheers,
-peter
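
The reverse lookup described in the message above (hash every ID the IdP issued for one SP and compare against the hashed value the SP reports), as an added example that is not part of the original message or of Shibboleth itself. It assumes the SP hashes the UTF-8 bytes of the full IdP!SP!user string and exports lowercase hex; the entity IDs, usernames and opaque values are constructed.

```python
import hashlib

def export_id(idp, sp, value, alg="sha1"):
    """Hash the full IdP!SP!user triplet to fixed-length hex.

    Assumption: the SP hashes the UTF-8 bytes of the string and exports
    lowercase hex (32 characters for md5, 40 for sha1).
    """
    triplet = f"{idp}!{sp}!{value}"
    return hashlib.new(alg, triplet.encode("utf-8")).hexdigest()

def find_users(hashed_id, idp, sp, idp_records, alg="sha1"):
    """Hash every ID the IdP issued for this SP; return the users that match."""
    # Tolerate case and whitespace differences from a log line or ticket.
    wanted = hashed_id.strip().lower()
    return sorted(user for user, value in idp_records.items()
                  if export_id(idp, sp, value, alg) == wanted)

# Constructed sample data: entity IDs and the IdP's stored per-SP values.
IDP = "https://idp.example.org/shibboleth"
SP = "https://sp.example.org/shibboleth"
OTHER_SP = "https://other.example.org/shibboleth"
IDP_RECORDS = {
    "alice": "constructed-opaque-value-0001",
    "bob": "constructed-opaque-value-0002",
    "carol": "constructed-opaque-value-0003",
}

if __name__ == "__main__":
    # The SP admin reports only the hashed identifier seen in their logs.
    reported = export_id(IDP, SP, IDP_RECORDS["bob"])
    raw_len = len(f"{IDP}!{SP}!{IDP_RECORDS['bob']}")
    print(f"raw triplet: {raw_len} chars, exported: {len(reported)} chars")
    print("matches:", find_users(reported.upper(), IDP, SP, IDP_RECORDS))
```

The lookup only works with the correct SP entity ID and the same algorithm the SP was configured with; the same user hashes to an unrelated value for any other SP.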