Instructions to release a persistent ePTID

Instructions to release a persistent ePTID

Koren, Meshna (ELS-AMS)

Aloha,

Our SP uses a persistent NameID (in subject assertion) or a persistent ePTID (in attribute assertion) for personalization. Although an SP3, this is still valid for us:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID#NativeSPTargetedID-XMLSyntaxandFormalNames

A persistent NameID in subject assertion is relatively simple but we're occasionally having problems with IdPs that release ePTID but not in a persistent format... and would release it like this, for example:

<saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
<saml:AttributeValue>7665xxxxxxxxxxx40dac495f7c0b2287f6f5776747</saml:AttributeValue>
</saml:Attribute>

and we don't know how to help them.

Is there a wiki page that helps an IdP to configure Shibboleth to release a persistent eduPersonTargetedID that we can point them to? We can find bits of information (on IdP2 wiki) but don't really know what's a proper starting point.

Also... we know ePTID is being deprecated so not expecting any new wikis to be put up to address this... we're just not ready to dump its support quite yet.

Thanks,

Meshna


Meshna Koren
Associate Product Manager
Product Management - Identity and Access - Research Products

Elsevier BV
Radarweg 29, Amsterdam 1043 NX, The Netherlands
[hidden email]

Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login

Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Instructions to release a persistent ePTID

Peter Schober
* Koren, Meshna (ELS-AMS) <[hidden email]> [2019-11-26 11:58]:
> we're occasionally having problems with IdPs that release ePTID but
> not in a persistent format... and would release it like this, for
> example:
>
> <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">
> <saml:AttributeValue>7665xxxxxxxxxxx40dac495f7c0b2287f6f5776747</saml:AttributeValue>

That's invalid for all formats that ever were in use, even for use
with SAML 1.x as a protocol (the attribute name above is specific to
SAML 1.x) as the value would need to have a scope then, IIRC.
See the MACE-Dir SAML Attribute Profiles for details.
http://macedir.org/docs/internet2-mace-dir-saml-attributes-200804a.pdf

> Is there a wiki page that helps an IdP to configure Shibboleth to
> release a persistent eduPersonTargetedID that we can point them to?

If the IDP is Shibboleth and you as the SP are supporting both
versions (persistent NameIDs in the Subject element, persistent
NameIDs as attribute values of the ePTID attribute) there's no reason
the IDP should start configuring support for persistent NameIDs as
attribute values of the ePTID attributes now.
Instead they should configure support for proper persistent NameIDs in
the Subject element, which is even easier.

That can be as simple as setting a suitable (internal) attribute as
idp.persistentId.sourceAttribute (in conf/saml-nameid.properties) and
uncommenting the line
  <ref bean="shibboleth.SAML2PersistentGenerator" />
within the list
  <util:list id="shibboleth.SAML2NameIDGenerators"
in conf/saml-nameid.xml

I do have example configs for both but why make it easier to do the
wrong thing?

Best,
-peter
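An SP-side check, added here as an example for this thread (it is not code from the thread, from Elsevier or from the Shibboleth project): it parses a SAML 2.0 assertion and reports whether the IdP sent a persistent NameID in the Subject (the form Peter recommends), a persistent NameID nested inside an eduPersonTargetedID AttributeValue (the legacy form the SP also accepts), or the bare-string form quoted in the first message, which is neither. The three sample assertions, the idp.example.edu / sp.example.com entity IDs and the "constructed-persistent-id-*" values are constructed for the example; the attribute OID and the NameID Format URI are the standard eduPerson and SAML 2.0 identifiers. Running it prints which identifier, if any, the SP could use for each sample and what is wrong with the bare-string one.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# eduPersonTargetedID attribute names: the SAML 2.0 OID name and the
# SAML 1.x name that appears in the assertion quoted in the thread.
EPTID_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "urn:mace:dir:attribute-def:eduPersonTargetedID",
}


def classify_assertion(xml_text):
    """Return which persistent identifiers the assertion carries.

    subject_persistent: value of a persistent NameID in saml:Subject, or None
    eptid:              value of a persistent NameID nested in an ePTID
                        AttributeValue, or None
    problems:           findings the SP operator can send back to the IdP
    """
    root = ET.fromstring(xml_text)
    out = {"subject_persistent": None, "eptid": None, "problems": []}

    # (a) persistent NameID in the Subject element
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        if name_id.get("Format") == PERSISTENT:
            out["subject_persistent"] = (name_id.text or "").strip()
        else:
            out["problems"].append(
                "Subject NameID is not persistent (Format=%r)" % name_id.get("Format"))

    # (b) ePTID attribute whose AttributeValue is itself a persistent NameID
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") not in EPTID_NAMES:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            inner = value.find("saml:NameID", NS)
            if inner is not None and inner.get("Format") == PERSISTENT:
                out["eptid"] = (inner.text or "").strip()
            else:
                # (c) the broken form: a bare string. Without a NameID element
                # there is no Format and no NameQualifier/SPNameQualifier, so the
                # SP has nothing it can treat as a persistent identifier.
                out["problems"].append(
                    "%s: AttributeValue is a bare string, not a persistent NameID"
                    % attr.get("Name"))
    return out


def preferred_identifier(xml_text):
    """Pick the identifier the SP should use, Subject NameID first."""
    out = classify_assertion(xml_text)
    if out["subject_persistent"]:
        return ("subject", out["subject_persistent"])
    if out["eptid"]:
        return ("eptid", out["eptid"])
    return None


# --- constructed sample assertions (not real IdP output) -------------------
_HEAD = ('<saml:Assertion xmlns:saml="%s" ID="_c1" Version="2.0" '
         'IssueInstant="2019-11-26T10:58:00Z">'
         '<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>' % SAML2_NS)
_TAIL = '</saml:Assertion>'

GOOD_SUBJECT = _HEAD + (
    '<saml:Subject><saml:NameID Format="%s" '
    'NameQualifier="https://idp.example.edu/idp/shibboleth" '
    'SPNameQualifier="https://sp.example.com/shibboleth">'
    'constructed-persistent-id-1</saml:NameID></saml:Subject>' % PERSISTENT) + _TAIL

GOOD_EPTID = _HEAD + (
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">'
    '<saml:AttributeValue><saml:NameID Format="%s" '
    'NameQualifier="https://idp.example.edu/idp/shibboleth" '
    'SPNameQualifier="https://sp.example.com/shibboleth">'
    'constructed-persistent-id-2</saml:NameID></saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement>' % PERSISTENT) + _TAIL

# The shape quoted in the first message: a bare string, no NameID element.
BAD_EPTID = _HEAD + (
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID">'
    '<saml:AttributeValue>7665xxxxxxxxxxx40dac495f7c0b2287f6f5776747'
    '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>') + _TAIL

if __name__ == "__main__":
    for label, doc in (("subject", GOOD_SUBJECT), ("eptid", GOOD_EPTID), ("bare", BAD_EPTID)):
        print(label, preferred_identifier(doc), classify_assertion(doc)["problems"])
```

The check deliberately prefers the Subject NameID over the attribute form, matching Peter's advice that an SP supporting both needs nothing further from an IdP that emits proper persistent NameIDs; an IdP that still sends the bare string shows up in "problems" with the attribute name, which is the concrete detail to hand back to them.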
RE: Instructions to release a persistent ePTID

Koren, Meshna (ELS-AMS)
Thanks Peter!

"...configure support for proper persistent NameIDs in the Subject element, which is even easier."
I did not know it's easier. Knowing that makes it much much easier for us to ask the IdPs to do it.
Our devs suggested something similar... but coming from us it sounded a bit selfish :)

"I do have example configs for both but why make it easier to do the wrong thing?"
+1


Kind regards,
Meshna


-----Original Message-----
From: users <[hidden email]> On Behalf Of Peter Schober
Sent: Tuesday, November 26, 2019 20:30
To: [hidden email]
Subject: Re: Instructions to release a persistent ePTID