Storing persistentId using an HTTP DataConnector

Nate Klingenstein ndk at signet.id
Tue Nov 8 15:44:33 UTC 2022 

SPF,

https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631671/NameIDGenerationConfiguration#%5BinlineExtension%5DFormat-Selection

Take care,
Nate

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id

-----Original message-----
From: spf via users
Sent: Tuesday, November 8 2022, 8:30 am
To: users at shibboleth.net
Cc: spfma.tech at e.mail.fr
Subject: ~Re: Storing persistentId using an HTTP DataConnector

Hi,

Thank you for your answer.

So for now I will use the ComputeId way and we will see ...

I have enabled the persistent NameID generation in "saml-nameid" and reused the deprecated syntax to have the generated NameID as "eduPersonTargetedID", and also a scoped version as "pairwise-id".

<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<InputDataConnector ref="computed" attributeNames="computedId"/>
<AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
</AttributeDefinition>

The only thing I can't undersand for now is how to have a persistent NameID in the SAML assertions. If the SAML2PersistentGenerator only is enabled, there is even no subject. But if SAML2TransientGenerator or both are enabled, I have a "<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" ...".

Here I found useful informations : https://www-public.imtbs-tsp.eu/~procacci/dok/doku.php?id=docpublic:systemes:persistentnameid <https://www-public.imtbs-tsp.eu/~procacci/dok/doku.php?id=docpublic:systemes:persistentnameid> and the subject contains a persistent NameID.

Is there something else to configure or is is only depending on the SP's request ?

And thanks for reminding me to check raw SAML stuff in your other reply, and not only aacli text output !

Regards

Le 04-Nov-2022 15:19:42 +0100, users at shibboleth.net a écrit:

* spf via users <users at shibboleth.net <mailto:users at shibboleth.net>> [2022-11-04 14:37]:
> As I was asked to provide high availability too, I need to use some
> kind of clustered database. Then I had the idea to try something
> else than MariaDB, say Rqlite we recently heard good things about
> from our devs. But no JDBC driver is provided, so I was trying to
> figure out if I could use another kind of DataSource.

I suspected rqlite was the reason for that question. ;)
While there's some basic Java code unfortunately noone has contributed
JDBC support yet, https://github.com/rqlite/rqlite-java/issues/15 <https://github.com/rqlite/rqlite-java/issues/15>

> As far I can see, some mechansime was setup to provide an
> "eduPersonTargetedID" attribute as persistentID, but I have no clues
> about any NameID.

A NameID of format "persistent" (section 8.3.7 in SAML Core, PDF p.86,
https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf <https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf>)
is what the (deprecated, see
https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson202001-ChangeLog <https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson202001-ChangeLog>)
eduPersonTargetedID attribute requires for its value.

Some SPs will be able to make use of "proper" persistent NameIDs,
i.e. those sent in the Subject element of the SAML Assertion (the
standard place since SAML 2.0 came out in 2005 CE) instead of as
attribute values of the eduPersonTargetedID attribute.
You'd configure support for those using conf/saml-nameid.properties
and conf/saml-nameid.xml

> If I understand good, given a certain peer entity and a principal
> name, the algorithm behind ComputedIDs will always provide the same
> computed id if the salt is the same ?

Yes. Though it's function is more clearly described by focussing on
the fact that for the same principal (and salt) the values will differ
for each peer entity. ;)

> So maybe I have no need for a database stored persistentId ?

That certainly works and many are using it that way. The only thing
you lose without a database is the ability to make "changes", e.g.:
Computed value xyz123 was a some point issued for subject A but
subject A is now identified by a different principal name B. Using a
database you could map previously asserted (output) values to a
different input value. I.e., even though the userid for the subject
changed the resulting NameID does not.
Or you could "expire" previously asserted values so that if the same
principal name comes along now a different/new value would be
generated, e.g. when the (input) principal name was recycled is now
being used by a different subject/person. You'd need to make sure then
that the same input still produces a different output, as SAML core
mandates that "A given value, once associated with a principal, MUST
NOT be assigned to a different principal at any time in the future.")

Whether you actually *need* to support these use cases (re-mapping or
disabling of previously generated values) only you can know.
If you don't, well, you still need to decide whether or not you will
support thise going forward or not.

> The support team of one of the federations we are linked to told me
> about two attributes which could be relevant in the future and I
> added the configuration for them

Sure, those are the immediate (you can start using them right now) to
long-term (i.e., some services will take years to move over or will
never do) replacement for persistent NameIDs, eduPersonTargetedID,
eduPersonUniqueID and also (to some degree) eduPersonPrincipalName.

Also note that both SubjectID and PairwiseID come with the same
non-reassignment requirement as persistent NameIDs (see quote above).
So if you're re-assigning "uid" (which you seem to be using as basis
for SubjectID) you already have no database to "fix" algorithmmic
mappings from (uid) input to (SubjectID) output value.
Probably that means you won't need one for persistent NameIDs /
eduPersonTargetedIDs, either!

> Is it also possible to generate "eduPersonTargetedID" the same way
> (reusing the computed id) but with the same format as before, as a
> "EntityID!hPeerID!PersistentID" string ? I think this is what you
> call putting a NameID in an AttributeValue. Maybe it will not be
> useful in the future, but as some SPs I have seen in the federation
> require it, better provide it.

Sure, e.g.:

<!-- Deprecated persistent NameID wrapped in a deprecated SAML Attribute value -->
<AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
<InputDataConnector ref="computed" attributeNames="computedId" />
</AttributeDefinition>

If you add this you'll also note the following warning in your logs:

WARN [DEPRECATED:125] - xsi:type 'SAML2NameID', (file
[/opt/shibboleth-idp/conf/attribute-resolver.xml]): This will be
removed in the next major version of this software; replacement is (none)

Also, your old configuration will likely have been using
BASE64-encoded values and your new configuration would have to match
this for persistent NameIDs/eduPersonTargetedID in order to keep all
values the same.
But for new deployments BASE32-encoding is recommended.

So I'd suggest to define 2 different DataConnectors of type
ComputedId: Once with encoding="BASE64" (only to be used for your
legacy eduPersonTargetedID attribute support; you'd also set
idp.persistentId.encoding=BASE64 in conf/saml-nameid.properties if you
needed to support proper persistent NameIDs with those same old
values) and another one with encoding="BASE32" to be used as the basis
for your new PairwiseIDs.

HTH,
-peter
-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw <https://shibboleth.atlassian.net/wiki/x/ZYEpPw>
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net <mailto:users-unsubscribe at shibboleth.net>

-----------
FreeMail powered by mail.fr <https://mail.fr>

--

For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw

To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list