SAML2NameID deprecated (and therefore eduPersonTargetedId?)
Matthew Slowe
matthew.slowe at jisc.ac.uk
Tue Nov 15 16:09:30 UTC 2022
Hello list,

I've been sat on this question for a long time and never got around to
asking it but with IdP v5 around the corner, I thought I'd better get in
quick before I miss the opportunity.

Since the early days of IdP v4 (not sure exactly when) this deprecation
warning has been littering the logs:

2022-11-14 14:10:13,044 - 127.0.0.1 - WARN [DEPRECATED:125] - xsi:type 'SAML2NameID', (file [/opt/idp4/conf/attribute-resolver.xml]): This will be removed in the next major version of this software; replacement is (none)

This is related to the presence of an AttributeDefinition that is really
common in the UK Federation (and possibly others!) for defining
eduPersonTargetedId - usually something like:

    <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
            nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector attributeNames="computedId" ref="computed"/>
        <AttributeEncoder xsi:type="SAML1XMLObject"
                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"/>
        <AttributeEncoder xsi:type="SAML2XMLObject"
                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                friendlyName="eduPersonTargetedID"/>
    </AttributeDefinition>

I'm aware there is a replacement for this in the form of pairwise-id but
in the meantime and given the number of SPs expecting eptid, when IdP
v5 comes out, will this functionality _actually_ be removed and
therefore will Shib IdP 5 deployments stop being able to emit a SAML 2
eduPersonTargetedId?
Thanks,
--
Matthew Slowe [he/him] (GPG: 0x6BE0CF7D04600314)
Senior Technical Consultant and Support specialist, Jisc
Team: 01235 822185
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
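
An added example, not part of the original post and not Shibboleth project code: a pre-upgrade check that lists the attribute definitions in a resolver file whose xsi:type is the one named in the warning above, with their inputs and encoders. The sample file is constructed, and the resolver namespace URI is assumed to be the file's default namespace.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"  # assumed default namespace
DEPRECATED_TYPES = {"SAML2NameID"}  # the type named in the quoted warning

# Constructed sample, modelled on the definition quoted in the post.
SAMPLE = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
      nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
    <InputDataConnector attributeNames="computedId" ref="computed"/>
    <AttributeEncoder xsi:type="SAML2XMLObject"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
        friendlyName="eduPersonTargetedID"/>
  </AttributeDefinition>
  <AttributeDefinition id="mail" xsi:type="Simple">
    <InputDataConnector attributeNames="mail" ref="ldap"/>
  </AttributeDefinition>
</AttributeResolver>"""


def local_type(elem):
    """Return the xsi:type value without any prefix (e.g. 'ad:SAML2NameID')."""
    return elem.get(XSI_TYPE, "").rpartition(":")[2]


def find_deprecated(xml_text):
    """List attribute definitions whose xsi:type is in DEPRECATED_TYPES."""
    tag = lambda name: f"{{{RESOLVER_NS}}}{name}"
    findings = []
    for ad in ET.fromstring(xml_text).iter(tag("AttributeDefinition")):
        if local_type(ad) not in DEPRECATED_TYPES:
            continue
        findings.append({
            "id": ad.get("id"),
            "type": local_type(ad),
            "nameIdFormat": ad.get("nameIdFormat"),
            "inputs": [c.get("ref") for c in ad.findall(tag("InputDataConnector"))],
            "encoders": [(local_type(e), e.get("name"))
                         for e in ad.findall(tag("AttributeEncoder"))],
        })
    return findings


if __name__ == "__main__":
    for finding in find_deprecated(SAMPLE):
        print(finding)
```
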