- resolvable (only by an IdP that has supplied it)
- not re-assignable
- not mutable (refreshing the value is equivalent to creating a new identity)
- permitted to be displayed
- (Note: the value is somewhat display friendly, and may be appended to the displayName with a separating space, and used as a unique display name to be included in PKI Certificate DNs and as a resource ownership label, e.g. John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk)
Manual Generation of SharedTokenThe process of generating and storing SharedToken using above auEduPersonSharedToken generator is integrated with IdP, so IdP generates and stores SharedToken when user access IdP for first time.
If you want to generate auEduPersonSharedToken, and add it to LDAP/Active Directory manually, You can use below algorithm to generate it.
AlgorithmThe algorithm to compute the aEPST value can be described by the formula:
aEPST = base64Encode ( SHA1Hash ( privateUniqueID + IdPIdentifier + salt ) )
privateUniqueID - any existing , persistent, unique and not re-assignable user's attribute within the institution, such as uid or uid+mail.
IdPIdentifier - Any globally unique string representing your institution, such as the IdP entity ID or DNS name.
salt - a string of random data, known only to the implementations. It's recommended to be at least 16 characters. It can be generating with
openssl rand -base64 36 2>/dev/null
The string built from the three inputs then is hashed and encoded. The 28 characters long aEPST is generated. The value looks like: 8DXylpwpH7lfc_q1UOlq9s0b7NA