
List:       shibboleth-users
Subject:    RE: Instructions to release a persistent ePTID
From:       "Koren, Meshna (ELS-AMS)" <M.Koren () elsevier ! com>
Date:       2019-11-27 13:20:18
Message-ID: BYAPR08MB6054B92E5923D9D68FED24B59C440 () BYAPR08MB6054 ! namprd08 ! prod ! outlook ! com

Thanks Peter!

"...configure support for proper persistent NameIDs in the Subject element, which is even easier." I did not know it's easier. Knowing that makes it much much easier for us to ask the IdPs to do it. Our devs suggested something similar... but coming from us it sounded a bit selfish :)

"I do have example configs for both but why make it easier to do the wrong thing?"
+1


Kind regards,
Meshna


-----Original Message-----
From: users <users-bounces@shibboleth.net> On Behalf Of Peter Schober
Sent: Tuesday, November 26, 2019 20:30
To: users@shibboleth.net
Subject: Re: Instructions to release a persistent ePTID




* Koren, Meshna (ELS-AMS) <M.Koren@elsevier.com> [2019-11-26 11:58]:
> we're occasionally having problems with IdPs that release ePTID but
> not in a persistent format... and would release it like this, for
> example:
> 
> <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
> <saml:AttributeValue>7665xxxxxxxxxxx40dac495f7c0b2287f6f5776747</saml:AttributeValue>

That's invalid for all formats that ever were in use, even for use with SAML 1.x as a protocol (the attribute name above is specific to SAML 1.x) as the value would need to have a scope then, IIRC. See the MACE-Dir SAML Attribute Profiles for details:
http://macedir.org/docs/internet2-mace-dir-saml-attributes-200804a.pdf

> Is there a wiki page that helps an IdP to configure Shibboleth to
> release a persistent eduPersonTargetedID that we can point them to?

If the IDP is Shibboleth and you as the SP are supporting both versions (persistent NameIDs in the Subject element, persistent NameIDs as attribute values of the ePTID attribute) there's no reason the IDP should start configuring support for persistent NameIDs as attribute values of the ePTID attributes now. Instead they should configure support for proper persistent NameIDs in the Subject element, which is even easier.

That can be as simple as setting a suitable (internal) attribute as idp.persistentId.sourceAttribute (in conf/saml-nameid.properties) and uncommenting the line <ref bean="shibboleth.SAML2PersistentGenerator" /> within the list <util:list id="shibboleth.SAML2NameIDGenerators"> in conf/saml-nameid.xml

I do have example configs for both but why make it easier to do the wrong thing?

Best,
-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net

________________________________

Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.
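As an added example (my own code, not from the thread or the Shibboleth project), here is the SP-side check that Peter's reply implies: accept a persistent identifier either as a persistent NameID in the Subject or as a NameID element carried inside the ePTID attribute, and reject the bare-string attribute value quoted above. The SAML 2 attribute OID for eduPersonTargetedID and the two sample assertions are my assumptions, with placeholder values.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # SAML 2 name of eduPersonTargetedID (assumed)
NS = {"saml": SAML2}


def find_persistent_ids(assertion_xml):
    """Return (found, problems): found lists (source, value) for every correctly
    formatted persistent identifier, problems describes each rejected shape.
    Both the Subject NameID and the ePTID attribute form are accepted."""
    root = ET.fromstring(assertion_xml)
    found, problems = [], []
    # Preferred form: a persistent NameID in the Subject element.
    for nid in root.findall("saml:Subject/saml:NameID", NS):
        if nid.get("Format") == PERSISTENT and (nid.text or "").strip():
            found.append(("subject", nid.text.strip()))
        else:
            problems.append(f"Subject NameID Format {nid.get('Format')!r} is not persistent")
    # Legacy form: the ePTID attribute whose value is itself a NameID element.
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != EPTID_OID:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            nid = val.find("saml:NameID", NS)
            if nid is None:  # bare string value: the broken shape from the thread
                problems.append(f"ePTID value {(val.text or '').strip()!r} is a bare string, not a NameID")
            elif nid.get("Format") != PERSISTENT:
                problems.append(f"ePTID NameID Format {nid.get('Format')!r} is not persistent")
            else:
                found.append(("eptid", (nid.text or "").strip()))
    return found, problems


# Constructed sample assertions; the identifier values are placeholders.
BAD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPTID_OID}">
      <saml:AttributeValue>7665PLACEHOLDER2287f6f5776747</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}">
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}" NameQualifier="https://idp.example.org/idp"
                 SPNameQualifier="https://sp.example.com/sp">opaque-persistent-value</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""
```

Running `find_persistent_ids` over the two samples returns no identifier and one problem for the bare-string case, and a single Subject-sourced identifier for the corrected one.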