Configure eduPersonTargetedID shibboleth Idp windows 3.4
Aisha Al Fudhaili
aisha at omren.om
Wed Sep 22 06:14:52 UTC 2021
I want to release eduPersonTargetedID for eduroam monitor
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
Sent: Tuesday, September 21, 2021 4:34 PM
To: users at shibboleth.net
Subject: Re: Configure eduPersonTargetedID shibboleth Idp windows 3.4
* Aisha Al Fudhaili <aisha at omren.om> [2021-09-21 13:26]:
> I'm new to shibboleth idp. I tried to configure m but with no luck.
> Please see my configuration
Why do you want to add the officially deprecated attribute "eduPersonTargetedID" to your IDP?
And are you aware that IDP v3 is no longer supported?
> <AttributeDefinition id="eduPersonTargetedID" xsi:type="Scoped" scope="%{idp.scope}">
> <InputDataConnector ref="computed" attributeNames="computedId" />
> <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
> </AttributeDefinition>
That's incorrect in several areas:
* eduPersonTargetedID is not a "scoped" attribute
* The NameID format is not set
* The Encoder uses an incorrect attribute name
So what is it you want to generate -- eduPersonTargetedID or eduPersonUniqueId?
> <DataConnector id="staticAttributes" xsi:type="Static">
> <Attribute id="affiliation">
> <Value>member</Value>
> </Attribute>
> </DataConnector>
>
> <DataConnector id="computed" xsi:type="ComputedId"
> generatedAttributeID="computedId"
> salt="%{idp.persistentId.salt}"
> algorithm="%{idp.persistentId.algorithm:SHA}"
> encoding="%{idp.persistentId.encoding:BASE32}">
>
> <InputDataConnector ref="staticAttributes"
> attributeNames="%{idp.persistentId.sourceAttribute}" />
>
> </DataConnector>
That's also incorrect: The InputDataConnector should identify the attribute that the "computed" DataConnector uses as user-specific input to its function.
By referencing the "staticAttributes" DataConnector the only possible attribute the property "idp.persistentId.sourceAttribute" could be pointing at is "affiliation". And your affiliation attribute has the same (static) value ("member") for all users of this IDP, so it is unsuitable as a basis to calculate a computedid from.
(Every user would get the same value, which makes no sense, serves no useful purpose and is not allowed by the specification.)
Best,
-peter
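
Added example, not part of the original thread and not Shibboleth's own code: a small Python model of a salted-hash computed ID, showing why a static source attribute such as "affiliation" gives every user the same identifier while a per-user attribute does not. The hash input layout (SP entityID, "!", source value, "!", salt), the user records, the SP entityIDs and the salt are all assumptions constructed for illustration.

```python
import base64
import hashlib

# Constructed sample data: two users who share the static affiliation value.
USERS = {
    "alice": {"uid": "alice", "affiliation": "member"},
    "bob": {"uid": "bob", "affiliation": "member"},
}
SALT = b"constructed-example-salt-0123456789"   # placeholder, not a real salt
SP_A = "https://sp-a.example.org/shibboleth"    # hypothetical relying parties
SP_B = "https://sp-b.example.org/shibboleth"


def computed_id(sp_entity_id, source_value, salt, encoding="BASE32"):
    """Model of a computed ID: SHA-1 over 'entityID ! source value ! salt'."""
    if not source_value:
        raise ValueError("source attribute has no value for this user")
    md = hashlib.sha1()
    md.update(sp_entity_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt)
    digest = md.digest()
    if encoding == "BASE32":
        return base64.b32encode(digest).decode("ascii")
    return base64.b64encode(digest).decode("ascii")


def ids_for(users, source_attr, sp_entity_id, salt):
    """Compute one ID per user from the chosen source attribute."""
    return {name: computed_id(sp_entity_id, attrs[source_attr], salt)
            for name, attrs in users.items()}


def colliding_users(ids):
    """Return the groups of users that were assigned the same ID."""
    by_id = {}
    for user, value in ids.items():
        by_id.setdefault(value, []).append(user)
    return sorted(sorted(group) for group in by_id.values() if len(group) > 1)


if __name__ == "__main__":
    for attr in ("affiliation", "uid"):
        ids = ids_for(USERS, attr, SP_A, SALT)
        print(attr, "->", colliding_users(ids) or "no collisions")
```

Running the same collision check over a sample of real accounts before releasing the attribute catches a source attribute that is static, empty or shared.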