- AAF Core Attributes
- Number of values
- A unique identifier enabling federation spanning services such
as Grid and Repositories. Values of the identifier are generated using a set
formula. The value has the following qualities:
- resolvable (only by an IdP that has supplied it)
- not re-assignable
- not mutable (refreshing the value is equivalent to creating a new
- permitted to be displayed
- (Note: the value is somewhat display friendly, and may be appended
to the displayName with a separating space, and used as a unique display name
to be included in PKI Certificate DNs and as a resource ownership label,
e.g. John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk)
- 27 character PEM "Base 64 Encoding with URL and Filename
Safe Alphabet" encoded string from a 160-bit SHA1 hash of a globally unique
string. Padding character, '=', is removed from the value. Reference:
- Notes on usage
- Service providers participating in federation spanning
services may use auEduPersonSharedToken to uniquely identify users to other
systems or to map to and from identities in PKI certificates used in grid
authentication. Other attributes (e.g. displayName, identity provider Id, etc)
may be used together with auEduPersonSharedToken as a transparent description
of a particular person at a point in time. This can be implemented to enable
interoperability of both SAML and PKI based systems with services such as data
and compute grids. The user’s displayName and identity provider may change over
time, but it is possible to implement mechanisms for the auEduPersonSharedToken
to remain the same.
Manual Generation of SharedToken
The process of generating and storing SharedToken using above auEduPersonSharedToken generator is integrated with IdP, so IdP generates and stores SharedToken when user access IdP for first time.
If you want to generate auEduPersonSharedToken, and add it to LDAP/Active Directory manually, You can use below algorithm to generate it.
The algorithm to compute the aEPST value can be described by the formula:
aEPST = base64Encode ( SHA1Hash ( privateUniqueID + IdPIdentifier + salt ) )
privateUniqueID - any existing , persistent, unique and not re-assignable user's attribute within the institution, such as uid or uid+mail.
IdPIdentifier - Any globally unique string representing your institution, such as the IdP entity ID or DNS name.
salt - a string of random data, known only to the implementations. It's recommended to be at least 16 characters. It can be generating with
openssl rand -base64 36 2>/dev/null
The string built from the three inputs then is hashed and encoded. The 28 characters long aEPST is generated. The value looks like: 8DXylpwpH7lfc_q1UOlq9s0b7NA
- Notes on privacy
- auEduPersonSharedToken is not a privacy preserving
identifier and should not be used where services are intended to be provided
anonymously. Although auEduPersonSharedToken is an opaque value, as it may be
released with the displayName it cannot be relied upon to preserve anonymity.