targeted-id question

Mike Flynn shibbolethlynda at yahoo.com
Mon Feb 18 12:52:27 EST 2013


I have a school in the UK that wants to use targeted-id as a unique ID for user access.

I have this in my config:

    <!-- A persistent id attribute that supports personalized anonymous access. -->
    
    <!-- First, the deprecated version, decoded as a scoped string: -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/> -->
    </Attribute>
    
    <!-- Second, an alternate decoder that will turn the deprecated form into the newer form. -->
    <!--
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
    </Attribute>
    -->
    
    <!-- Third, the new version (note the OID-style name): -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
    </Attribute>

    <!-- Fourth, the SAML 2.0 NameID Format: -->
    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
    </Attribute>


Once I have a session with them, I see this:

    Miscellaneous
    Client Address: 12.52.75.130
    Identity Provider: https://www.login.dumgal.ac.uk/oala/metadata
    SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
    Authentication Time: 2013-02-18T17:39:59Z
    Authentication Context Class: (none)
    Authentication Context Decl: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
    Session Expiration (barring inactivity): 479 minute(s)

    Attributes
    affiliation: member@schoolname.ac.uk
    targeted-id: C8+gfgfds9876nzl03XdybzI=@schoolname.ac.uk

So on my protected resource I then expect to see http_targeted-id in the request headers, but it is not there.
I have asked them to switch to persistent-id for this, but apparently they have some challenge with that...
(stupid Ymail formatting...)
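Added example (not from the original post or the Shibboleth project): a small Python module showing how an application behind the SP would read the exported targeted-id and turn it into an account key. It assumes the SP exports attributes either as web-server environment variables named after the attribute id, or, with header export enabled, as request headers that CGI/WSGI frameworks expose as HTTP_TARGETED_ID (hyphens to underscores, upper-cased); it assumes the SP's default ';' delimiter for multi-valued attributes; and the sample environ is constructed from the session shown above. The scope check is the point: a targeted-id value is only unique within its scope, so the key is built from scope plus value and any value carrying an unexpected scope is refused rather than mapped to an account.

```python
"""Reading a Shibboleth-exported targeted-id from a WSGI/CGI environ (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional, Tuple

# Constructed sample of what the SP hands to the application, modelled on the
# session dump in the post (the attribute value is the post's sample, not a real user).
SAMPLE_ENV_EXPORT = {
    "Shib-Identity-Provider": "https://www.login.dumgal.ac.uk/oala/metadata",
    "affiliation": "member@schoolname.ac.uk",
    "targeted-id": "C8+gfgfds9876nzl03XdybzI=@schoolname.ac.uk",
}

# Constructed sample of the same session seen through header export + CGI mangling.
SAMPLE_HEADER_EXPORT = {
    "HTTP_SHIB_IDENTITY_PROVIDER": "https://www.login.dumgal.ac.uk/oala/metadata",
    "HTTP_TARGETED_ID": "C8+gfgfds9876nzl03XdybzI=@schoolname.ac.uk",
}


@dataclass(frozen=True)
class ScopedValue:
    value: str
    scope: str  # normalised to lower case; DNS scopes are case-insensitive


def cgi_header_key(attr_id: str) -> str:
    """CGI/WSGI name of a request header: HTTP_ prefix, non-alphanumerics to '_', upper-cased."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", attr_id).upper()


def lookup_attribute(environ: Mapping[str, str], attr_id: str) -> Optional[str]:
    """Return the raw exported value of attr_id, trying the env-var form first, then the header form."""
    raw = environ.get(attr_id)  # environment-variable export (SP default on Apache)
    if not raw:
        raw = environ.get(cgi_header_key(attr_id))  # header export seen by the app
    return raw or None


def parse_scoped(raw: str) -> ScopedValue:
    """Split 'value@scope' as the ScopedAttributeDecoder emits it; the value part may contain '+', '/', '='."""
    value, sep, scope = raw.rpartition("@")
    if not sep or not value or not scope:
        raise ValueError(f"not a scoped attribute value: {raw!r}")
    return ScopedValue(value, scope.lower())


def parse_persistent(raw: str) -> Tuple[str, str, str]:
    """Split the persistent-id form '$NameQualifier!$SPNameQualifier!$Name' from the attribute-map formatter."""
    parts = raw.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a NameQualifier!SPNameQualifier!Name value: {raw!r}")
    return parts[0], parts[1], parts[2]


def user_key(environ: Mapping[str, str], expected_scopes: Iterable[str]) -> Optional[str]:
    """Derive an account key from targeted-id, or None if the attribute was not exported.

    Refuses values whose scope is not one the application expects from this IdP, so a
    value alone can never be mapped to an account without its scope.
    """
    raw = lookup_attribute(environ, "targeted-id")
    if raw is None:
        return None
    first = raw.split(";", 1)[0]  # assumption: SP joins multiple values with ';'
    scoped = parse_scoped(first)
    allowed = {s.lower() for s in expected_scopes}
    if scoped.scope not in allowed:
        raise PermissionError(f"scope {scoped.scope!r} is not allowed for this IdP")
    return f"{scoped.scope}|{scoped.value}"


if __name__ == "__main__":
    print(user_key(SAMPLE_ENV_EXPORT, ["schoolname.ac.uk"]))
    print(user_key(SAMPLE_HEADER_EXPORT, ["schoolname.ac.uk"]))
```

The allowed scopes would normally come from the same place the SP's attribute filter gets them (the IdP's metadata), so the application check is a second line rather than the only one.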