Implement Gluu Persistent Noncorreletable Identifier

Question

Implement Gluu Persistent Noncorreletable Identifier

Opened this issue 6 years ago · 3 comments

Persistent non-correletable identifiers in SAML, or pairwise identifiers in OpeniD, are the same for the subject at a certain RP, but different for each RP. In the past we used a Shib plugin that stored. These ids can be either algorithmically generated (APID) or stored on disk (PPID). The latter is better if you need to search the database to figure out which person was issued a certain identifier.

I think we should support PPIDs in Shibboleth, but store them the same way we store PPIDs in OpenID Connect.

Answer 1 · 2019-06-02T22:22:46.000Z

@nynymike need to discuss on this,
persistent nameid - its same for subject (regardless of RP)
transient nameid - different for each SAML Transaction

issue mentioned is interesting - where we wanted something similar to persistent - but scoped to RP
it can be supported, but we would need to create custom generator (that we are capable of)

Answer 2 · 2019-06-03T07:15:24.000Z

Did you see the docs on this page: https://wiki.shibboleth.net/confluence/display/IDP30/PersistentNameIDGenerationConfiguration

Answer 3 · 2019-07-07T04:13:13.000Z

@nynymike yes I have implemented same/similar in nameid, will discuss so that we are on same page as far as understanding is concerned, we need to experiment a bit and update documentation, from implementation perspective i guess we are good (will evaluate further)