Configure eduPersonTargetedID shibboleth Idp windows 3.4

Aisha Al Fudhaili aisha at omren.om
Wed Sep 22 16:17:25 UTC 2021


saml-nameid.properties file
# Properties involving SAML NameIdentifier/NameID generation/consumption

# For the most part these settings only deal with "transient" and "persistent"
# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
# settings

# Comment out to enable legacy NameID generation via Attribute Resolver
#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator

# Default NameID Formats to use when nothing else is called for.
# Don't change these just to change the Format used for a single SP!
#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier

# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator

# Persistent IDs can be computed on the fly with a hash, or managed in a database

# For computed IDs, set a source attribute and a secret salt:
idp.persistentId.sourceAttribute = uid
idp.persistentId.useUnfilteredAttributes = true
# Do *NOT* share the salt with other people, it's like divulging your private key.
idp.persistentId.algorithm = SHA
idp.persistentId.salt = #my secret salt
# BASE64 will match V2 values, we recommend BASE32 encoding for new installs.
idp.persistentId.encoding = BASE32

saml-nameid.xml file

    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
        <ref bean="shibboleth.SAML2PersistentGenerator" />

        <!--
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->

    </util:list>

    <!-- SAML 1 NameIdentifier Generation -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">

        <ref bean="shibboleth.SAML1TransientGenerator" />

        <!--
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->
                
    </util:list>


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
Sent: Wednesday, September 22, 2021 5:13 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Configure eduPersonTargetedID shibboleth Idp windows 3.4

* Aisha Al Fudhaili <aisha at omren.om> [2021-09-22 13:40]:
> I made the changes but still I got errors. I'm not fully understand 
> how to configure data connector.  Could you please show me example.

> <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
>         <InputDataConnector ref="computed" attributeNames="computedId"/>
>         <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" />
>     </AttributeDefinition>

That looks fine for an IDPv3.

> <DataConnector id="computed" xsi:type="ComputedId"
>         generatedAttributeID="computedId"
>         salt="%{idp.persistentId.salt}"
>         algorithm="%{idp.persistentId.algorithm:SHA}"
>         encoding="%{idp.persistentId.encoding:BASE32}">
>          
>         <InputDataConnector ref="myLDAP" 
> attributeNames="%{idp.persistentId.sourceAttribute}" />
>          
>     </DataConnector>

We need some more info from your conf/saml-nameid.properties:

And what is the property idp.persistentId.sourceAttribute set to?
(And does the attribute exist in your LDAP directory?)

And did you set a (secret, so DO NOT POST IT HERE!) value for the idp.persistentId.salt property? Just make sure this has some value (and not the "changethistosomethingrandom" one).

Best,
-peter
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
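The thread turns on three things: the ComputedId connector in attribute-resolver.xml and the SAML2PersistentGenerator in saml-nameid.xml both read the same idp.persistentId.* properties (so, configured identically, they are meant to produce the same value for eduPersonTargetedID / pairwise-id and for the persistent NameID); the salt must be a real secret and not the shipped placeholder; and, a caveat worth knowing when reading the posted properties file, a `#` in a java.util.Properties file only starts a comment as the first non-blank character of a line, so `idp.persistentId.salt = #my secret salt` sets the salt to the literal string `#my secret salt` rather than leaving it unset. The script below is an added example written for this page; it is not code from the Shibboleth IdP or from either poster. It assumes the documented ComputedId construction, encode(H(relyingPartyId + "!" + sourceAttributeValue + "!" + salt)) with the Java name "SHA" meaning SHA-1, strings taken as UTF-8 and the salt used as the UTF-8 bytes of the property string; the entityIDs, the uid value, the salt and the properties text are all constructed for the demonstration, and the 16-character minimum in salt_is_weak is this example's own threshold, not an IdP rule.

```python
"""Reproduce and sanity-check a Shibboleth IdP computed persistent ID.

Added example for this thread; not code from the Shibboleth IdP or from
either poster.  Assumes the documented ComputedId construction:

    encode( H( relyingPartyId + "!" + sourceAttributeValue + "!" + salt ) )

where the Java algorithm name "SHA" means SHA-1, strings are UTF-8, BASE64
output matches IdP v2 values and BASE32 is the encoding recommended for new
installs.  All inputs below are constructed for the demonstration.
"""
import base64
import hashlib
import re

# Java algorithm names accepted by idp.persistentId.algorithm, mapped to hashlib.
JAVA_DIGESTS = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}


def computed_id(relying_party_id, source_value, salt,
                algorithm="SHA", encoding="BASE32"):
    """Value the ComputedId connector / SAML2PersistentGenerator emits for one
    user at one SP.  Changing the SP entityID, the source attribute value or
    the salt changes the result; that is what makes the identifier pairwise."""
    h = hashlib.new(JAVA_DIGESTS[algorithm])
    h.update(relying_party_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))  # assumption: salt bytes = UTF-8 of the property string
    digest = h.digest()
    if encoding == "BASE32":
        return base64.b32encode(digest).decode("ascii")  # 32 chars for SHA-1, no '='
    if encoding == "BASE64":
        return base64.b64encode(digest).decode("ascii")  # 28 chars for SHA-1, one '='
    raise ValueError("unknown encoding: " + encoding)


def parse_properties(text):
    """Minimal java.util.Properties reader, enough for saml-nameid.properties.
    '#' or '!' starts a comment only as the first non-blank character of a
    line; anywhere else it is part of the value, so
        idp.persistentId.salt = #my secret salt
    yields the literal salt '#my secret salt'."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", stripped)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def salt_is_weak(salt):
    """The checks asked for in the thread: the salt must exist, must not be
    the shipped 'changethistosomethingrandom' placeholder, and should carry
    real entropy.  The 16-char floor is this example's own threshold."""
    if not salt:
        return True
    if "changethis" in salt.lower():
        return True
    return len(salt) < 16


# Constructed stand-in for conf/saml-nameid.properties (the salt is made up).
SAMPLE_PROPERTIES = """\
# For computed IDs, set a source attribute and a secret salt:
idp.persistentId.sourceAttribute = uid
idp.persistentId.algorithm = SHA
idp.persistentId.salt = #my secret salt
idp.persistentId.encoding = BASE32
"""


def demo():
    """Same user, two SPs: two different IDs; the posted salt is flagged weak."""
    props = parse_properties(SAMPLE_PROPERTIES)
    salt = props["idp.persistentId.salt"]
    algorithm = props["idp.persistentId.algorithm"]
    encoding = props["idp.persistentId.encoding"]
    uid = "jdoe"  # constructed value of the sourceAttribute (uid) from LDAP
    sp1 = "https://sp.example.org/shibboleth"
    sp2 = "https://other.example.org/shibboleth"
    return {
        "sp1_base32": computed_id(sp1, uid, salt, algorithm, encoding),
        "sp2_base32": computed_id(sp2, uid, salt, algorithm, encoding),
        "sp1_base64": computed_id(sp1, uid, salt, algorithm, "BASE64"),
        "salt_is_weak": salt_is_weak(salt),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To confirm the assumption against a live IdP, resolve attributes for a test user with the IdP's own aacli tool (bin/aacli.sh with the principal and the requester entityID) and compare its computedId / eduPersonTargetedID value with what computed_id returns for the same entityID, uid and salt; if they differ, the salt bytes or the source attribute value are not what the IdP is actually using.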