ePTID and ComputedId Persistence After IdP 3.3 -> 3.4 Upgrade
Sheldon, Nathan I
Nathan.Sheldon at ucsf.edu
Mon Feb 3 14:25:06 EST 2020
Hi everyone.
I’m preparing to upgrade our IdP 3.3.1 to 3.4.6. We have 6 different SPs that use the eduPersonTargetedID attribute to identify users. The ePTID is defined in attribute-resolver.xml as using a ComputedId attribute as the source.
——
<AttributeDefinition id="eduPersonTargetedID"
                     xsi:type="SAML2NameID"
                     sourceAttributeID="computedID">
    <Dependency ref="computedID" />
    <AttributeEncoder xsi:type="SAML1XMLObject"
                      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
    <AttributeEncoder xsi:type="SAML2XMLObject"
                      name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="computedID" />
</AttributeDefinition>
——
The ComputedId data connector is defined as using our employee ID attribute, “ucsfeduidnumber”, as a sourceAttributeID.
——
<DataConnector xsi:type="ComputedId"
               id="computedID"
               generatedAttributeID="computedID"
               sourceAttributeID="ucsfeduidnumber"
               salt="(salt string omitted for privacy)">
    <Dependency ref="myLDAP" />
</DataConnector>
——
The documentation for the ComputedIdConnector at https://wiki.shibboleth.net/confluence/display/IDP30/ComputedIdConnector indicates that, as of version 3.4, the sourceAttributeID data connector attribute has been deprecated.
How do I maintain existing ePTID values for users after the 3.4 upgrade so there is no interruption in service with the 6 SPs that rely on ePTID?
The saml-nameid.properties file currently has no properties defined (they’re all commented out). If I were to add "idp.persistentId.sourceAttribute = ucsfeduidnumber" to the properties, what value would I need to specify for the “idp.persistentId.useUnfilteredAttributes” and “idp.persistentId.algorithm” properties to prevent the ePTID from changing? Also, would switching to using the properties instead of the data connector defined sourceAttributeID change the behavior of the data sent by the shibboleth.SAML2AttributeSourcedGenerator, for which we have a number of attributeSourceIds defined in the saml-nameid.xml file?
Thanks.
----
Nathan Sheldon
Systems Integration Engineer
Identity and Access Management,
Information Technology Services
University of California, San Francisco
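Added example, not part of the original post or of the Shibboleth project's code: a small Python script that recreates the ComputedId value and checks whether a proposed post-upgrade configuration (source attribute, salt, hash algorithm) would still produce the same ePTID per SP. It assumes the published ComputedId construction, base64(hash(relyingPartyId + "!" + sourceValue + "!" + salt)) with SHA-1 as the default hash; the entity IDs, employee numbers and salt below are constructed placeholders. The idea is to confirm against values captured from your own idp-audit.log or an SP before the 3.4 cut-over, rather than discovering a changed identifier from user reports.

```python
import base64
import hashlib


def computed_id(relying_party_id: str, source_value: str, salt: str,
                algorithm: str = "sha1") -> str:
    """Recreate a Shibboleth ComputedId / computed persistent ID.

    Assumption (labelled): the digest is taken over
        relyingPartyId + "!" + sourceValue + "!" + salt
    and base64-encoded, as documented for the ComputedId data connector
    and the idp.persistentId.* computed generator.
    """
    md = hashlib.new(algorithm)
    md.update(relying_party_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt.encode("utf-8"))
    return base64.b64encode(md.digest()).decode("ascii")


# Constructed placeholder; a real salt must stay secret and unchanged across
# the upgrade, because every ePTID depends on it.
OLD_SALT = "constructed-salt-not-a-real-value"

# Constructed sample of (SP entityID, ucsfeduidnumber value) pairs. In practice
# the "before" values come from idp-audit.log or an SP-side capture taken on
# the 3.3 IdP, so the comparison is against what was actually issued.
SAMPLE_PAIRS = [
    ("https://sp1.example.org/shibboleth", "100001"),
    ("https://sp2.example.org/shibboleth", "100001"),
    ("https://sp1.example.org/shibboleth", "100002"),
]


def snapshot(pairs, salt: str, algorithm: str = "sha1") -> dict:
    """Map each (relyingParty, sourceValue) to the ePTID a given config yields."""
    return {(rp, src): computed_id(rp, src, salt, algorithm) for rp, src in pairs}


def find_changed(before: dict, after: dict) -> list:
    """Keys whose ePTID differs between two configurations (empty = safe)."""
    return sorted(k for k in before if before[k] != after.get(k))


if __name__ == "__main__":
    before = snapshot(SAMPLE_PAIRS, OLD_SALT)

    # Same source attribute, same salt, same algorithm: nothing changes.
    print("same config   ->", find_changed(before, snapshot(SAMPLE_PAIRS, OLD_SALT)))

    # Any drift in the salt or hash algorithm changes every identifier.
    print("salt changed  ->", find_changed(before, snapshot(SAMPLE_PAIRS, OLD_SALT + "x")))
    print("sha256 instead->", find_changed(before, snapshot(SAMPLE_PAIRS, OLD_SALT, "sha256")))
```

Run it once with the pre-upgrade inputs and once with the inputs the new properties file would feed the generator; an empty list from `find_changed` means the SPs keep seeing the same ePTID. Note that the SP entityID is part of the hash, so the check has to be done per relying party.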