eduPersonUniqueID

Peter Schober peter.schober at univie.ac.at
Mon Feb 12 12:13:26 EST 2018


* Cantor, Scott <cantor.2 at osu.edu> [2018-02-12 17:16]:
> > Thanks Scott. Can I use netid? It is unique and non re-assignable. Then the
> > value of eduPersonUniqueID will be the same as eduPersonPrincipalName. Is
> > that fine?
> 
> That would be a very poor choice unless you never change them.

If the source identifier is stable (as claimed above) and you've
already configured persistent NameID support in your IDP using IDPv3's
conf/saml-nameid.properties it's simple to also create a
non-SP-specific version from it as ePUID, e.g.:
https://wiki.univie.ac.at/display/federation/IDP+3+Attribute+resolution#IDP3Attributeresolution-eduPersonUniqueID
Due to the use of properties for source attribute, salt and scope that
definition should be copy/paste-able for most IDPv3 instances.

> Please read
> https://wiki.oasis-open.org/security/SAMLSubjectIDAttr. That's what
> you're signing up for and it is very clear about the requirements.

Once you have ePUID defined in your resolver (with values satisfying
both ePUID's and subject-id's requirements) it's trivial to also
release that same value as subject-id, e.g.:

<AttributeDefinition id="subjectID" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="eduPersonUniqueId">
  <Dependency ref="eduPersonUniqueId" />
  <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" encodeType="false" />
  <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:subject-id" friendlyName="subjectID" encodeType="false" />
</AttributeDefinition>

Of course all the caveats Scott mentioned still apply. The above
is just an example of how to do that if your identifiers are suitable
and you're willing to create the values dynamically (but consistently).

HTH,
-peter
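Added illustration (my own example, not Peter's configuration or Shibboleth project code) of the difference between an SP-specific persistent ID and the non-SP-specific, scoped value that ePUID and subject-id need, and of why the result is only as stable as the source identifier feeding it. The salt, scope, hash construction and the syntax regex are assumptions for the example, not values or rules taken from the IdP.

```python
import hashlib
import hmac
import re

# Constructed placeholder values; a real deployment takes these from the
# IdP's properties (the persistent-ID salt and idp.scope).
SALT = b"constructed-salt-not-for-production"
SCOPE = "example.edu"

def persistent_id(source_id: str, relying_party: str, salt: bytes = SALT) -> str:
    """SP-specific value in the spirit of a persistent NameID: the relying
    party's entityID is part of the hash input, so each SP sees a different
    value for the same user. Assumed construction, not Shibboleth's exact one."""
    data = relying_party.encode() + b"!" + source_id.encode() + b"!" + salt
    return hashlib.sha256(data).hexdigest()[:32]

def unique_id(source_id: str, salt: bytes = SALT) -> str:
    """Non-SP-specific value: the relying party is left out, so every SP
    receives the same opaque value, which is what ePUID/subject-id need.
    Keying the hash with the salt means the value cannot be mapped back to
    the netid by guessing without also knowing the salt."""
    return hmac.new(salt, source_id.encode(), hashlib.sha256).hexdigest()[:32]

def scoped(unique: str, scope: str = SCOPE) -> str:
    """Append the scope, giving the uniqueID@scope form both attributes use."""
    return f"{unique}@{scope}"

# My reading of the subject-id profile's syntax: a restricted character set
# on both sides of the '@'. Lowercase hex output always satisfies it.
SUBJECT_ID_RE = re.compile(r"^[A-Za-z0-9=-]{1,127}@[A-Za-z0-9.-]{1,127}$")

def is_valid_subject_id(value: str) -> bool:
    """Check a candidate value against the assumed uniqueID@scope syntax."""
    return SUBJECT_ID_RE.fullmatch(value) is not None

if __name__ == "__main__":
    alice = "alice17"  # constructed netid
    print(persistent_id(alice, "https://sp1.example.org/shibboleth"))
    print(persistent_id(alice, "https://sp2.example.org/shibboleth"))  # differs per SP
    print(scoped(unique_id(alice)))  # identical for every SP
    # Scott's caveat: if the netid is ever changed, the derived value changes too.
    print(scoped(unique_id("alice18")))
```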