Cunfigure eduPersonTargetedID shibboleth Idp windows 3.4

Peter Schober peter.schober at univie.ac.at
Tue Sep 21 12:33:48 UTC 2021 

* Aisha Al Fudhaili <aisha at omren.om> [2021-09-21 13:26]:
> I'm knew to shibboleth idp. I tried to configure m but with no
> luck. Please see my configuration

Why do you want to add the officially deprecated attribute
"eduPersonTargetedID" to your IDP?

And are you aware that IDP v3 is no longer supported?

> <AttributeDefinition id="eduPersonTargetedID" xsi:type="Scoped" scope="%{idp.scope}">
>         <InputDataConnector ref="computed" attributeNames="computedId" />
>          <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
>     </AttributeDefinition>

That's incorrect in several areas:

* eduPersonTargetedID is not a "scoped" attribute
* The NameID format is not set
* The Encoder uses an incorrect attribute name

So what is it you want to generate -- eduPersonTargetedID or eduPersonUniqueId?

>     <DataConnector id="staticAttributes" xsi:type="Static">
>         <Attribute id="affiliation">
>             <Value>member</Value>
>         </Attribute>
>     </DataConnector>
> 
> <DataConnector id="computed" xsi:type="ComputedId"
>         generatedAttributeID="computedId"
>         salt="%{idp.persistentId.salt}"
>         algorithm="%{idp.persistentId.algorithm:SHA}"
>         encoding="%{idp.persistentId.encoding:BASE32}">
> 
>         <InputDataConnector ref="staticAttributes" attributeNames="%{idp.persistentId.sourceAttribute}" />
> 
>     </DataConnector>

That's also incorrect: The InputDataConnector should identify the
attribute that the "computed" DataConnector uses as user-specific
input to its function.
By referencing the "staticAttributes" DataConnector the only possible
attribute the property "idp.persistentId.sourceAttribute" could be
pointing at is "affiliation". And your affiliation attribute has the
same (static) value ("member") for all users of this IDP, so it is
unsuitable as a basis to calculate a computedid from.
(Every user would get the same value, which makes no sense, servces no
useful purpose and is not allowed by the specification.)

Best,
-peter

More information about the users mailing list