

Persistent NameID

context

Some SPs and vendors want a particular NameID to authorize access to their services, e.g. eduPersonTargetedID as a persistent ID. My objective is to send this particular NameID only to specific SPs while keeping the default nameid-format:transient for the majority of SPs, so that I have no need to manage a DBMS to store persistent IDs (e.g. eduPersonTargetedID) in a database.

reference :

saml-nameid.properties

Configure saml-nameid.properties to set the source attribute of a computed persistent ID:

[root@idp3 conf]# cat saml-nameid.properties
# Properties involving SAML NameIdentifier/NameID generation/consumption
# Persistent IDs can be computed on the fly with a hash, or managed in a database

# For computed IDs, set a source attribute and a secret salt:
idp.persistentId.sourceAttribute = eduPersonPrincipalName
idp.persistentId.useUnfilteredAttributes = true
# Do *NOT* share the salt with other people, it's like divulging your private key.
idp.persistentId.algorithm = SHA
idp.persistentId.salt = secretpasslongenough
# To use a database, use shibboleth.StoredPersistentIdGenerator
idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator

If it fails, setting idp.service.failFast = true in services.properties forces the IdP to abort startup, and it showed me the following failure at IdP startup:

Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Service 'shibboleth.NameIdentifierGenerationService': could not perform initial load
ry.BeanCreationException: Error creating bean with name 'shibboleth.ComputedPersistentIdGenerator' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: 
Salt must be at least 16 bytes in size

The idp.persistentId.salt must be long enough: at least 16 bytes, as the error says.
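To make the "computed on the fly with a hash" part concrete, here is an added example (my own code, not part of the original notes or of Shibboleth) that reproduces the computed persistent ID scheme as I understand it from Shibboleth's ComputedPersistentIdGenerationStrategy: hash(relyingPartyId + "!" + sourceAttributeValue + "!" + salt), Base64-encoded, with "SHA" meaning SHA-1 as in Java. The salt, user and SP entityIDs below are constructed demo values, and the 16-byte minimum is the same check that produced the startup error above.

```python
import base64
import hashlib

# The IdP refuses to start with a shorter salt ("Salt must be at least 16 bytes in size")
MIN_SALT_BYTES = 16

# Constructed demo salt (not the real idp.persistentId.salt of any IdP)
DEMO_SALT = b"constructed-example-salt-0123456789"


def salt_is_long_enough(salt: bytes) -> bool:
    """Mirror the IdP's precondition on idp.persistentId.salt."""
    return len(salt) >= MIN_SALT_BYTES


def computed_persistent_id(relying_party_id: str, source_value: str,
                           salt: bytes, algorithm: str = "sha1") -> str:
    """Compute a persistent NameID without any database.

    Assumed to match Shibboleth's computed strategy: digest over
    relyingPartyId!sourceValue!salt, Base64-encoded. Because the SP's
    entityID is hashed in, the same user gets a different, stable value
    at each SP (the "targeted" property of eduPersonTargetedID).
    """
    if not salt_is_long_enough(salt):
        raise ValueError("Salt must be at least %d bytes in size" % MIN_SALT_BYTES)
    h = hashlib.new(algorithm)          # "SHA" in Java == sha1 here
    h.update(relying_party_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_value.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def demo():
    """Same eduPersonPrincipalName (constructed), two SPs: two unrelated IDs."""
    user = "alice@idp.example.org"
    sps = ["https://services.renater.fr/shibboleth",
           "https://sp.example.com/shibboleth"]
    return {sp: computed_persistent_id(sp, user, DEMO_SALT) for sp in sps}


if __name__ == "__main__":
    for sp, pid in demo().items():
        print(sp, "->", pid)
```

Two properties worth noticing when running it: the value for a given (SP, user) pair is identical on every call, which is why no DBMS is needed, and the two SPs cannot correlate the user through the identifier because the entityID is part of the hashed input. Anyone holding the salt can recompute every identifier, which is why the properties file compares it to a private key.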

Then we need to uncomment the highlighted section below in saml-nameid.xml, expecting to get a persistent NameID format for the targeted SP “https://services.renater.fr/shibboleth”.

saml-nameid.xml

But in the end there is no need to get into CustomNameIDGenerationConfiguration (https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration),

nor to list SPs in an activationCondition

(https://wiki.shibboleth.net/confluence/display/IDP30/ActivationConditions, e.g. c:candidates="#{{'https://sp.example.com/shibboleth', 'https://another.example.com/shibboleth'}}").

The bean with parent=“shibboleth.SAML2AttributeSourcedGenerator” below stays commented out:

    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
        <ref bean="shibboleth.SAML2PersistentGenerator" />
        <!--
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" >
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://services.renater.fr/shibboleth" />
            </property>
        </bean>
        -->
    </util:list>

If the federation metadata asks explicitly for the correct NameIDs, as is the case with entityID=“https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp”,

cf. the metadata below.

metadata requesting a persistent ID

example (excerpt; elided parts marked with <!-- ... -->)

<md:EntityDescriptor entityID="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">
    <md:Extensions>
        <mdattr:EntityAttributes>
            <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <!-- ... -->
            </saml:Attribute>
        </mdattr:EntityAttributes>
    </md:Extensions>
    <!-- ... -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <!-- ... -->
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    <!-- ... -->
</md:EntityDescriptor>

Because the NameIDFormat elements in the eduGAIN metadata above list persistent before transient, the order in which the beans are defined in saml-nameid.xml does not matter (here transient before persistent):

    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <ref bean="shibboleth.SAML2PersistentGenerator" />
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            ...

It is the order in the metadata that decides which one is used.
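The selection rule described above, as an added example (my own code, not the original notes and not Shibboleth's implementation): it parses the NameIDFormat elements from SP metadata in document order, then walks them and returns the first format for which an IdP generator exists and is active for that relying party. The metadata below is a constructed, well-formed version of the eduroam monitor excerpt, the generator list mirrors the saml-nameid.xml shown on this page (transient, persistent, then the emailAddress bean restricted to services.renater.fr), and the activation-condition functions are simplifications of shibboleth.Conditions.RelyingPartyId. The real IdP also honours a NameIDPolicy in the request and has further fallbacks that this model leaves out.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed SP metadata, trimmed to the elements that matter for NameID selection
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://monitor.eduroam.org/sp/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def supported_formats(metadata_xml: str):
    """Return (entityID, [NameIDFormat...]) in the order the SP lists them."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    formats = [e.text.strip()
               for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)]
    return entity_id, formats


# Simplified activation conditions (stand-ins for shibboleth.Conditions.RelyingPartyId)
def always_active(relying_party_id: str) -> bool:
    return True


def only_renater(relying_party_id: str) -> bool:
    return relying_party_id == "https://services.renater.fr/shibboleth"


# IdP generator list in saml-nameid.xml order: (format produced, activation condition)
GENERATORS = [
    (TRANSIENT, always_active),
    (PERSISTENT, always_active),
    (EMAIL, only_renater),   # the SAML2AttributeSourcedGenerator bean, if uncommented
]


def select_format(entity_id: str, sp_formats, generators=GENERATORS):
    """First SP-listed format that an active generator can produce, else None."""
    for fmt in sp_formats:
        for gen_format, is_active in generators:
            if gen_format == fmt and is_active(entity_id):
                return fmt
    return None


if __name__ == "__main__":
    eid, fmts = supported_formats(SP_METADATA)
    print(eid, "lists", fmts, "->", select_format(eid, fmts))
```

Swapping the two NameIDFormat lines in the metadata flips the result to transient even though the generator list is unchanged, which is the point of the paragraph above; and the emailAddress format is only ever chosen for the relying party named in the activation condition.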

Note also that the SP in question requests the eduPersonTargetedID attribute:

<md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>

OID 1.3.6.1.4.1.5923.1.1.1.10 stands for eduPersonTargetedID (cf. https://www.internet2.edu/products-services/trust-identity/mace-registries/internet2-object-identifier-oid-registrations/).