Add a post-filtering hashing feature to shorten long attributes, namely ePTIDs

Description

Longish attribute values like the ones for eduPersonTargetedID can lead to problems within applications, which do not expect that long values and are not able to store them in their internal storage. A good example is JIRA itself.

If the SP could generate a hash for such long attributes, the problem would disappear, without having to wait for a fix of the application itself.

In order to still be able to track back user activity, it will be necessary that the SP logs (or stores?) enough details about hashes it generated.

Environment

None

Activity

Scott Cantor May 14, 2012 at 6:02 PM

Not an easy problem to address with current APIs. Not sure how useful this is, but for now, I adjusted the existing hash support so that NameID attribute objects can be filtered properly while still producing the hashed serialization (by remoting the hash operation to shibd).

Just not sure how useful it is to produce ugly, 40-byte hex identifiers or if they'll even fit such apps.

Scott Cantor May 11, 2012 at 8:15 PM

Maintaining the filtering requirement is a bit trickier; couple possibilities:

Add a workflow option that runs resolvers either before or after filtering. That's a bit invasive because of the many places executing this workflow now.

Would be ideal to implement it somehow via the attribute serialization step, but that happens in-process too and wouldn't have access to the hash functions. Probably would require a new decoder and attribute class that tracks both pre- and post-hashed values, exposes the pre-hashed to the filter step, but the post-hashed as the serialized form.

Scott Cantor May 11, 2012 at 8:09 PM

This is patently obvious to me now, but the obvious thing to do here is add a resolver plugin that does the hashing and generates a new attribute. That keeps the original around as needed.

Fixed

Details

Assignee

Reporter

Original estimate

Fix versions

Created June 6, 2011 at 2:20 PM
Updated August 7, 2012 at 1:07 AM
Resolved May 14, 2012 at 6:02 PM