PersistentNameIDGenerationConfiguration: Type 4 UUID

Hugo Slavia hugoslavia101 at gmail.com
Mon Jan 29 16:09:16 EST 2018


Thanks! That clears some bits up that were keeping me up :)

So in the longer term -- if we wish to leverage persistence ID (i.e. unique to
the user per IdP/SP combination) --- where available both as SAML2String
and as a SAML2NameID -- what is the best configuration option?

Ideally the value would be UUID off the bat.

The SAML2String version will be a new AttributeDefinition ID (internal to
our institution). On another note -- eduPersonTargetedID will never be
used by us.


On Sun, Jan 28, 2018 at 4:59 AM, Peter Schober <peter.schober at univie.ac.at>
wrote:

> * Hugo Slavia <hugoslavia101 at gmail.com> [2018-01-28 05:18]:
> > On a separate note -- there appears to be some sadness over at my
> > institution that EPTI are deprecated -- what is the backstory behind
> > this?
>
> Don't worry, the attribute form of eduPersonTargetedID is being
> deprecated together with what should have been its replacement in
> SAML2.0 (the NameID -- i.e., the attribute /value/ of an
> eduPersonTargetedID attribute -- sent in the SAML Assertion's Subject),
> so *both* are on the way out.
> Together with eduPersonUniqueID and (possibly) eduPersonPrincipalName.
>
> See section 2.1 of the
>
>   SAML V2.0 Subject Identifier Attributes Profile
>   https://wiki.oasis-open.org/security/SAMLSubjectIDAttr
>
> Some background can also be found in this (out of date) write-up in
> the wiki:
>
>   https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID
>
> You'll note that the "botched" version (also called "broken", "a bug
> and a mistake" in that text and comments) is what the new Subject-ID
> (spec linked to above) will look like. So we've come full circle on
> this.
>
> -peter