Configure eduPersonTargetedID shibboleth Idp windows 3.4

Aisha Al Fudhaili aisha at
Wed Sep 22 16:17:25 UTC 2021 file
# Properties involving SAML NameIdentifier/NameID generation/consumption

# For the most part these settings only deal with "transient" and "persistent"
# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
# settings

# Comment out to enable legacy NameID generation via Attribute Resolver
#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator

# Default NameID Formats to use when nothing else is called for.
# Don't change these just to change the Format used for a single SP!
#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier

# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator

# Persistent IDs can be computed on the fly with a hash, or managed in a database

# For computed IDs, set a source attribute and a secret salt:
idp.persistentId.sourceAttribute = uid
idp.persistentId.useUnfilteredAttributes = true
# Do *NOT* share the salt with other people, it's like divulging your private key.
idp.persistentId.algorithm = SHA
idp.persistentId.salt = #my secret salt
# BASE64 will match V2 values, we recommend BASE32 encoding for new installs.
idp.persistentId.encoding = BASE32


    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <!-- Uncommenting this bean requires configuration in -->
        <ref bean="shibboleth.SAML2PersistentGenerator" />

        <!-- <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:attributeSourceIds="#{ {'mail'} }" /> -->
    </util:list>

    <!-- SAML 1 NameIdentifier Generation -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">
        <ref bean="shibboleth.SAML1TransientGenerator" />

        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:attributeSourceIds="#{ {'mail'} }" />
    </util:list>

-----Original Message-----
From: users <users-bounces at> On Behalf Of Peter Schober
Sent: Wednesday, September 22, 2021 5:13 PM
To: Shib Users <users at>
Subject: Re: Configure eduPersonTargetedID shibboleth Idp windows 3.4

* Aisha Al Fudhaili <aisha at> [2021-09-22 13:40]:
> I made the changes but I still got errors. I don't fully understand
> how to configure the data connector. Could you please show me an example.

> <AttributeDefinition xsi:type="Scoped" id="samlPairwiseID" scope="%{idp.scope}">
>         <InputDataConnector ref="computed" attributeNames="computedId"/>
>         <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oasis:names:tc:SAML:attribute:pairwise-id" friendlyName="pairwise-id" encodeType="false" />
>     </AttributeDefinition>

That looks fine for an IDPv3.

> <DataConnector id="computed" xsi:type="ComputedId"
>         generatedAttributeID="computedId"
>         salt="%{idp.persistentId.salt}"
>         algorithm="%{idp.persistentId.algorithm:SHA}"
>         encoding="%{idp.persistentId.encoding:BASE32}">
>         <InputDataConnector ref="myLDAP" attributeNames="%{idp.persistentId.sourceAttribute}" />
>     </DataConnector>

We need some more info from your conf/

And what is the property idp.persistentId.sourceAttribute set to?
(And does the attribute exist in your LDAP directory?)

And did you set a (secret, so DO NOT POST IT HERE!) value for the idp.persistentId.salt property? Just make sure this has some value (and not the "changethistosomethingrandom" one).

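Peter's questions about the salt and the source attribute concern the ComputedId scheme. As an added example (not part of this thread or of the IdP's code), the Python below parses the posted salt line the way java.util.Properties would and derives the pairwise value the way the ComputedId connector does as I understand it: SHA-1 over relyingPartyId, '!', the source attribute value, '!' and the salt, then BASE32 or BASE64. The SP entity IDs and the uid 'jdoe' are constructed; the 16-byte salt minimum is an assumption to verify against your IdP version.

```python
import base64
import hashlib
# Constructed excerpt modelled on the saml-nameid.properties lines in the post above.
SAMPLE_PROPERTIES = """\
# For computed IDs, set a source attribute and a secret salt:
idp.persistentId.sourceAttribute = uid
idp.persistentId.algorithm = SHA
idp.persistentId.salt = #my secret salt
idp.persistentId.encoding = BASE32
"""

def parse_properties(text):
    """java.util.Properties rule: '#'/'!' open a comment only as the first
    non-blank character, so 'key = #value' assigns the literal '#value'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def computed_id(entity_id, source_value, salt, algorithm="SHA", encoding="BASE32"):
    """ComputedId scheme: digest of relyingPartyId!sourceValue!salt, encoded.
    Java's "SHA" is SHA-1; the salt is the final, secret component."""
    algo = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}[algorithm.upper()]
    h = hashlib.new(algo)
    h.update(f"{entity_id}!{source_value}!".encode())
    h.update(salt.encode())
    if encoding.upper() == "BASE32":
        return base64.b32encode(h.digest()).decode()
    return base64.b64encode(h.digest()).decode()

def salt_problems(salt):
    """Pre-flight checks; the 16-byte minimum is the IdP's own constraint as I
    recall it (assumption, verify against your version)."""
    problems = []
    if salt.startswith("#"):
        problems.append("starts with '#': not a comment, this IS the salt")
    if "changethis" in salt.lower():
        problems.append("still the distribution placeholder")
    if len(salt.encode()) < 16:
        problems.append("shorter than 16 bytes")
    return problems

if __name__ == "__main__":
    salt = parse_properties(SAMPLE_PROPERTIES)["idp.persistentId.salt"]
    print(repr(salt), salt_problems(salt))
    for sp in ("https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"):
        print(sp, computed_id(sp, "jdoe", salt))  # same uid, different SP -> different ID
```

Running it shows that the posted line yields the literal salt '#my secret salt' (a mid-line '#' does not start a comment in a properties file) and that one uid produces a different, but stable, identifier for each SP.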