Instructions to release a persistent ePTID

Peter Schober peter.schober at
Tue Nov 26 14:30:11 EST 2019

* Koren, Meshna (ELS-AMS) <M.Koren at> [2019-11-26 11:58]:
> we're occasionally having problems with IdPs that release ePTID but
> not in a persistent format... and would release it like this, for
> example:
> <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
> <saml:AttributeValue>7665xxxxxxxxxxx40dac495f7c0b2287f6f5776747</saml:AttributeValue>

That's invalid for all formats that ever were in use, even for use
with SAML 1.x as a protocol (the attribute name above is specific to
SAML 1.x) as the value would need to have a scope then, IIRC.
See the MACE-Dir SAML Attribute Profiles for details.

> Is there a wiki page that helps an IdP to configure Shibboleth to
> release a persistent eduPersonTargetedID that we can point them to?

If the IDP is Shibboleth and you as the SP are supporting both
versions (persistent NameIDs in the Subject element, persistent
NameIDs as attribute values of the ePTID attribute) there's no reason
the IDP should start configuring support for persistent NameIDs as
attribute values of the ePTID attributes now.
Instead they should configure support for proper persistent NameIDs in
the Subject element, which is even easier.

That can be as simple as setting a suitable (internal) attribute as
idp.persistentId.sourceAttribute (in conf/ and
uncommenting the line
  <ref bean="shibboleth.SAML2PersistentGenerator" />
within the list
  <util:list id="shibboleth.SAML2NameIDGenerators"
in conf/saml-nameid.xml

I do have example configs for both but why make it easier to do the
wrong thing?


More information about the users mailing list