AAF Validator ServiceTest Federation
AAF Core Attributes

Number of values
A unique identifier enabling federation spanning services such as Grid and Repositories. Values of the identifier are generated using a set formula. The value has the following qualities:
  • unique
  • opaque
  • non-targeted
  • persistent
  • resolvable (only by an IdP that has supplied it)
  • not re-assignable
  • not mutable (refreshing the value is equivalent to creating a new identity)
  • permitted to be displayed
    • (Note: the value is somewhat display friendly, and may be appended to the displayName with a separating space, and used as a unique display name to be included in PKI Certificate DNs and as a resource ownership label, e.g. John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk)
  • portable

27 character PEM "Base 64 Encoding with URL and Filename Safe Alphabet" encoded string from a 160-bit SHA1 hash of a globally unique string. Padding character, '=', is removed from the value. Reference: http://tools.ietf.org/html/rfc4648#page-7

Notes on usage
Service providers participating in federation spanning services may use auEduPersonSharedToken to uniquely identify users to other systems or to map to and from identities in PKI certificates used in grid authentication. Other attributes (e.g. displayName, identity provider Id, etc) may be used together with auEduPersonSharedToken as a transparent description of a particular person at a point in time. This can be implemented to enable interoperability of both SAML and PKI based systems with services such as data and compute grids. The user’s displayName and identity provider may change over time, but it is possible to implement mechanisms for the auEduPersonSharedToken to remain the same.

Manual Generation of SharedToken

The process of generating and storing SharedToken using above auEduPersonSharedToken generator is integrated with IdP, so IdP generates and stores SharedToken when user access IdP for first time.
If you want to generate auEduPersonSharedToken, and add it to LDAP/Active Directory manually, You can use below algorithm to generate it.
The algorithm to compute the aEPST value can be described by the formula: aEPST = base64Encode ( SHA1Hash ( privateUniqueID + IdPIdentifier + salt ) )

privateUniqueID - any existing , persistent, unique and not re-assignable user's attribute within the institution, such as uid or uid+mail.

IdPIdentifier - Any globally unique string representing your institution, such as the IdP entity ID or DNS name.

salt - a string of random data, known only to the implementations. It's recommended to be at least 16 characters. It can be generating with openssl rand -base64 36 2>/dev/null

The string built from the three inputs then is hashed and encoded. The 27 characters long aEPST is generated. The value looks like: 8DXylpwpH7lfc_q1UOlq9s0b7NA

Notes on privacy
auEduPersonSharedToken is not a privacy preserving identifier and should not be used where services are intended to be provided anonymously. Although auEduPersonSharedToken is an opaque value, as it may be released with the displayName it cannot be relied upon to preserve anonymity.