[EXT] eduPersonTargetedID
Robert Lamothe
robert_lamothe at yahoo.com
Tue May 7 13:54:42 EDT 2019
Yes, I recognize that. One of the things I find odd is that I used SAMLtest.id back in March to see how the tuple was being built, and on my ID the hash is 65ouMPe2cDV5ovCHfiCzbqhHG7A. I did the same today, and even though I changed my pw last week I'm getting the same hash, which confuses me as to why it's not happening for me but for others.
How do I figure out where this hash is being generated?
My resolver definition is:
    <resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID"
            nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            sourceAttributeID="computedID">
        <resolver:Dependency ref="computedID" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
            name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
    </resolver:AttributeDefinition>
In it I see sourceAttributeID as computedID; when I read the Shibboleth page on Computed, it refers to a number of properties, all of which appear to be commented out in my saml-nameid.properties.
I could enable them, but I don't know what to use for idp.persistentId.sourceAttribute. It reads as if this should be an attribute that contains a unique number associated with each user but not a GUID. I'm not sure what I could use for this that would be private information, like employee ID or something like that.
Thanks-Bob
--
Bob Lamothe
robert_lamothe at yahoo.com
KB1BOB
603-918-6336
On Tuesday, May 7, 2019, 12:57:30 PM EDT, Yeargan, Yancey <Yancey.Yeargan at untsystem.edu> wrote:
It starts with a triple tuple (one component of which comes from AD), but the tuple is then hashed with the salt value. What you're seeing as the "eptid" is the final calculated hash value.
You will need to find out how your server is generating those values. It's in the attribute resolver configuration, or possibly the NameID configuration, depending on how you are sending it to the application.
--
Yancey Yeargan
University of North Texas System
On May 7, 2019, at 11:39 AM, Robert Lamothe <robert_lamothe at yahoo.com> wrote:
In our environment we are required to change our AD passwords every 6 weeks. It appears that when our users change their passwords it changes the value of eduPersonTargetedID. The SP calls it eptid and this is the data they gave us:
eptid value on 2019-03-12: nRDymCKsSIoc5pbKdmm72swbqzQ=
eptid value on 2019-05-06: w/yKZiuBopKxX6iCO1Pza3BuUbw=
Since eduPersonTargetedID is a triple tuple the above isn't the entire thing, but I'm expecting that it's just the third tuple we're seeing here and that's the part that's changing.
Regards-Bob
--
Bob Lamothe
robert_lamothe at yahoo.com
KB1BOB
603-918-6336
On Tuesday, May 7, 2019, 12:34:16 PM EDT, Ray Bon <rbon at uvic.ca> wrote:
Are we really talking about a password change being coordinated with the change of another attribute? Or is the user just updating their info (and password happens to be one of the items) and the chosen sourceAttribute is not really that persistent?
Ray
On Tue, 2019-05-07 at 16:13 +0000, Yeargan, Yancey wrote:
Take a look at the conf/saml-nameid.properties file, specifically the property "idp.persistentId.sourceAttribute". If that AD attribute changes as a result of a password change, then the value of eduPersonTargetedID will also change.
--
Yancey Yeargan
University of North Texas System
On May 7, 2019, at 10:56 AM, Robert Lamothe <robert_lamothe at yahoo.com> wrote:
Howdy,
For a few months I've had an SP complaining that they need to reset the accounts of our users on a periodic basis. We've been monitoring this for some time and have identified that after one of our users is forced to change their AD password their account requires a reset.
We've further identified that when a user changes their AD password it changes their eduPersonTargetedID value. By resetting the account they clear the value set in eduPersonTargetedID, allowing a new one to be set.
When I read up on this attribute I find that it's made up of a triple tuple, one of which is generated. It's also supposed to be persistent, but its persistence doesn't have to be lifetime.
Can anyone help me understand why this attribute might change after an AD password change?
Thanks-Bob
--
Bob Lamothe
robert_lamothe at yahoo.com
KB1BOB
603-918-6336
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rbon at uvic.ca
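Added illustration for the thread above (not code posted by anyone in it): a small model of how a computed persistent ID is derived and why the value an SP sees changes when the source attribute changes. The input ordering (relying-party entityID, "!", source attribute value, "!", salt, SHA-1, base64) is my understanding of the Shibboleth IdP's computed-ID strategy and is an assumption here; the entityIDs, source values and salt are constructed placeholders, so the outputs will not match the hashes quoted in the thread.

```python
import base64
import hashlib

# Constructed placeholders; a real deployment sets its own entityID and salt.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SALT = b"PLACEHOLDER-SALT-NOT-A-REAL-VALUE"


def computed_id(relying_party_id: str, source_value: str, salt: bytes = SALT) -> str:
    """Derive the opaque, per-SP value (the third component of the triple).

    Assumed construction: SHA-1 over relyingPartyId '!' sourceValue '!' salt,
    base64-encoded. With SHA-1 this is always 28 characters ending in '='.
    """
    md = hashlib.sha1()
    md.update(relying_party_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt)
    return base64.b64encode(md.digest()).decode("ascii")


def edu_person_targeted_id(relying_party_id: str, source_value: str) -> str:
    """Assemble the full triple: IdP entityID ! SP entityID ! computed value."""
    return "!".join([IDP_ENTITY_ID, relying_party_id,
                     computed_id(relying_party_id, source_value)])


def parse_eptid(value: str):
    """Split a triple back into (idp, sp, hash) so an admin can see which
    component actually moved between two observations."""
    idp, sp, digest = value.split("!", 2)
    return idp, sp, digest


def compare_over_time(relying_party_id: str, source_before: str, source_after: str):
    """Return (id_before, id_after, stable). If the source attribute is rewritten
    by some unrelated event (the thread's suspect is a password change), the
    derived value changes even though the user and the SP are the same."""
    before = computed_id(relying_party_id, source_before)
    after = computed_id(relying_party_id, source_after)
    return before, after, before == after


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    # A stable, never-reassigned source value keeps the SP-facing ID constant.
    print("stable source:", compare_over_time(sp, "u123456", "u123456"))
    # A source value that changes out from under the user yields a new ID,
    # which is what the SP in the thread reports as a changed "eptid".
    print("moving source:", compare_over_time(sp, "value-before", "value-after"))
    # The same user gets a different value at every SP, so one SP's ID
    # cannot be correlated with another's.
    print(parse_eptid(edu_person_targeted_id(sp, "u123456")))
```

Useful checks when diagnosing a report like the one in the thread: split the value the SP sends with `parse_eptid` and confirm only the third component differs between the two dates, then compare the chosen source attribute's value for that user across a password change; if it moved, the ID moved with it.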