Instructions to release a persistent ePTID

Koren, Meshna (ELS-AMS) M.Koren at elsevier.com
Wed Nov 27 08:20:18 EST 2019


Thanks Peter!

"...configure support for proper persistent NameIDs in the Subject element, which is even easier."
I did not know it's easier. Knowing that makes it much much easier for us to ask the IdPs to do it.
Our devs suggested something similar... but coming from us it sounded a bit selfish :)

"I do have example configs for both but why make it easier to do the wrong thing?"
+1


Kind regards,
Meshna


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
Sent: Tuesday, November 26, 2019 20:30
To: users at shibboleth.net
Subject: Re: Instructions to release a persistent ePTID




* Koren, Meshna (ELS-AMS) <M.Koren at elsevier.com> [2019-11-26 11:58]:
> we're occasionally having problems with IdPs that release ePTID but
> not in a persistent format... and would release it like this, for
> example:
>
> <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
> <saml:AttributeValue>7665xxxxxxxxxxx40dac495f7c0b2287f6f5776747</saml:AttributeValue>

That's invalid for all formats that ever were in use, even for use with SAML 1.x as a protocol (the attribute name above is specific to SAML 1.x) as the value would need to have a scope then, IIRC.
See the MACE-Dir SAML Attribute Profiles for details.
http://macedir.org/docs/internet2-mace-dir-saml-attributes-200804a.pdf

> Is there a wiki page that helps an IdP to configure Shibboleth to
> release a persistent eduPersonTargetedID that we can point them to?

If the IDP is Shibboleth and you as the SP are supporting both versions (persistent NameIDs in the Subject element, persistent NameIDs as attribute values of the ePTID attribute) there's no reason the IDP should start configuring support for persistent NameIDs as attribute values of the ePTID attributes now.
Instead they should configure support for proper persistent NameIDs in the Subject element, which is even easier.

That can be as simple as setting a suitable (internal) attribute as idp.persistentId.sourceAttribute (in conf/saml-nameid.properties) and uncommenting the line
  <ref bean="shibboleth.SAML2PersistentGenerator" /> within the list
  <util:list id="shibboleth.SAML2NameIDGenerators"
in conf/saml-nameid.xml

I do have example configs for both but why make it easier to do the wrong thing?

Best,
-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
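An SP-side check for the situation Meshna describes, added here as an example (it is not code from either poster or from the Shibboleth project): it classifies a SAML 2.0 assertion as carrying a persistent NameID in the Subject, an eduPersonTargetedID attribute whose value is a proper persistent NameID, or the invalid bare-string form quoted above. The assertion samples, entity IDs and identifier values are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # SAML 2.0 name for eduPersonTargetedID
EPTID_MACE = "urn:mace:dir:attribute-def:eduPersonTargetedID"  # SAML 1.x name, as in the thread

# Constructed sample assertions (not real traffic); the first mirrors the shape quoted in the thread.
BARE_STRING = f"""<saml:Assertion xmlns:saml="{SAML2}"><saml:AttributeStatement>
<saml:Attribute Name="{EPTID_MACE}"><saml:AttributeValue>7665abcd</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
SUBJECT_NAMEID = f"""<saml:Assertion xmlns:saml="{SAML2}"><saml:Subject>
<saml:NameID Format="{PERSISTENT}" NameQualifier="https://idp.example.org/idp/shibboleth"
 SPNameQualifier="https://sp.example.org/shibboleth">7665abcd</saml:NameID>
</saml:Subject></saml:Assertion>"""
ATTR_NAMEID = f"""<saml:Assertion xmlns:saml="{SAML2}"><saml:AttributeStatement>
<saml:Attribute Name="{EPTID_OID}"><saml:AttributeValue>
<saml:NameID Format="{PERSISTENT}" NameQualifier="https://idp.example.org/idp/shibboleth"
 SPNameQualifier="https://sp.example.org/shibboleth">7665abcd</saml:NameID>
</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def classify_targeted_id(assertion_xml):
    """Return findings describing how (if at all) the assertion carries a persistent identifier."""
    ns = {"saml": SAML2}
    root = ET.fromstring(assertion_xml)
    findings = []
    subj = root.find("saml:Subject/saml:NameID", ns)
    if subj is not None and subj.get("Format") == PERSISTENT:
        findings.append("ok: persistent NameID in Subject")
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") not in (EPTID_OID, EPTID_MACE):
            continue
        for val in attr.findall("saml:AttributeValue", ns):
            nid = val.find("saml:NameID", ns)
            if (nid is not None and nid.get("Format") == PERSISTENT
                    and nid.get("NameQualifier") and nid.get("SPNameQualifier")):
                findings.append("ok: ePTID attribute carrying a persistent NameID")
            elif nid is not None:
                findings.append("invalid: ePTID NameID lacks persistent Format or qualifiers")
            else:
                findings.append("invalid: ePTID attribute value is a bare string")
    if not findings:
        findings.append("none: no persistent identifier found")
    return findings

if __name__ == "__main__":
    for label, sample in [("bare", BARE_STRING), ("subject", SUBJECT_NAMEID), ("attr", ATTR_NAMEID)]:
        print(label, classify_targeted_id(sample))
```

Running it over assertions logged from a misbehaving IdP gives the SP operator a concrete finding to send back, rather than a vague "the ePTID is not persistent".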
