Open nynymike opened 5 years ago
@nynymike Need to discuss this. Persistent NameID: it's the same for the subject (regardless of RP). Transient NameID: different for each SAML transaction.
The issue mentioned is interesting: we wanted something similar to persistent, but scoped to the RP. It can be supported, but we would need to create a custom generator (which we are capable of).
Did you see the docs on this page: https://wiki.shibboleth.net/confluence/display/IDP30/PersistentNameIDGenerationConfiguration
@nynymike Yes, I have implemented the same/similar in nameid. Will discuss so that we are on the same page as far as understanding is concerned. We need to experiment a bit and update the documentation; from an implementation perspective I guess we are good (will evaluate further).
Persistent non-correlatable identifiers in SAML, or pairwise identifiers in OpenID, are the same for the subject at a certain RP, but different for each RP. In the past we used a Shib plugin that stored. These IDs can be either algorithmically generated (APID) or stored on disk (PPID). The latter is better if you need to search the database to figure out which person was issued a certain identifier.
I think we should support PPIDs in Shibboleth, but store them the same way we store PPIDs in OpenID Connect.