saml-nameid.xml: can we default opaque and override for specific SPs

Paul Fardy paul.fardy at
Tue Dec 11 17:38:46 EST 2018

I've enabled bean="shibboleth.SAML2PersistentGenerator" in saml-nameid.xml and I now have opaque IDs for all SPs configured for persistent IDs.

We've been using clear persistent NameIDs for a few SPs and transient NamedIDs for most SPs. We want to release an opaque persistent NameID. But I've broken the clear NameIDs.

... oh, it seems order in saml-nameid.xml fixes it. If shibboleth.SAML2PersistentGenerator precedes shibboleth.SAML2AttributeSourcedGenerator, then AttributeSourced isn't executed. Is that correct? Is that documented?

Presumably, order is significant in saml-nameid.xml:
> p:attributeSourceIds="#{{'attributeAsNameID1', 'attributeAsNameID2', ... }}" />

And I think attribute-release.xml would best have only one NameID attribute released for any given SP entityID.

If I release one (or more) attributeAsNameID attributes to an SP, that clear attribute will supersede the opaque identifier, *if* it AttributeSourcedGen precedes PesistentGen. Correct?

Paul Fardy, Shib Admin, Info Security, ITS
University of Toronto

In attribute-resolver.xml:
>   <resolver:AttributeDefinition id="attributeAsNameID" xsi:type="Simple" sourceAttributeID="attribute">
>     <resolver:Dependency ref="directory" />
>     <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
>   </resolver:AttributeDefinition>

[I'm not releasing the source attribute for the opaque ID's attributeAsNameID, so no attribute-filter.xml clip. I think that's okay.]

In a saml-nameid.xml that I believe this config always releases opaque NameIDs:
>  <util:list id="shibboleth.SAML2NameIDGenerators">
>    <ref bean="shibboleth.SAML2TransientGenerator" />
>    <!-- Uncommenting this bean requires configuration in -->
>    <ref bean="shibboleth.SAML2PersistentGenerator" />
>    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>        p:attributeSourceIds="#{ {'attribute1', 'attribute2', ... } }" />
>  </util:list>

In relying-party.xml
> <bean id="rp-persistentId" parent="RelyingPartyByName" c:relyingPartyIds="#{{
>     'entityID1',
>     'entityID2',
>     ...
>     }}">
>    <property name="profileConfigurations">
>      <list>
>        <bean parent="SAML2.SSO"
>          ...
>          p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>          ...>
>      ...

More information about the users mailing list