If it isn't, you have a broken pairwise ID also. Anything useful as a seed for the hash should at least be a potentially viable candidate. There's no default that can be necessarily "right"; this is just a sensible example that will often work without much, possibly any, editing.
Takeshi Nishimura, September 21, 2018 at 3:28 AM
Is it a valid assumption that %{idp.persistentId.sourceAttribute}, e.g. uid, is opaque?
Scott Cantor, September 20, 2018 at 2:54 PM
I don't see any real workaround, so I renamed them samlSubjectID and samlPairwiseID. I prefer ID to Id, and the mixed case is less common across the older options.
peter, September 20, 2018 at 1:03 PM
FWIW, I've meanwhile locally documented the approach with 2 definitions, which works fine and keeps the new names for consistency. (In fact I contributed a somewhat similar example to the shib wiki in the past.)
As you said we can always do something simpler/cleaner for 4.0.
We've added the support to SP3.0, we now need the inverse in attribute-resolver-full (at least for the encoding bit).
I know that is looking at this right now so if he shares what he uses we can iterate to something useful to us all.
link to spec