Comment: fixed html table, wiki-format conversion errors (part 1)
Zero or more  {{NameMapping}}  elements \(in  {{idp.xml}} \) call out the name mappings recognized by a Shibboleth deployment.  The  {{NameMapping}}  element supports the following attributes:

{html}<table>{html}<table cellpadding="5" cellspacing="0" border="1">
  {html}<tr>{html}
	 {html}<tr>
     <td align="left" colspan="4">{html}{html}<strong>{html}_Subclasses of {html}<tt>{html}BaseNameIdentifierMapping{html}</tt>{html}:_{html}</strong>{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}><strong>Subclasses of <tt>BaseNameIdentifierMapping</tt>:</strong></td>
  </tr>
  <tr>
     <th align="left">{html}Attribute Name{html}</th>{html}
	 {html}>Attribute Name</th>
     <th align="left">{html}Type{html}</th>{html}
	 {html}>Type</th>
     <th align="center">{html}Required{html}</th>{html}
	 {html}>Required</th>
     <th align="left">{html}Default{html}<>Default</th>{html}
  {html}</tr>{html}
  <tr>
   {html}<tr>{html} 	 {html}<td align="left">{html}{html}<tt>{html}id{html}</tt>{html}{html}</td>{html}
	 {html}><tt>id</tt></td>
     <td align="left">{html}ID{html}<>ID</td>{html}
	 {html}
     <td align="center">{html}No{html}</td>{html}
	 {html}>No</td>
     <td align="left">{html}{html}<></td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <td align="left">{html}{html}<tt>{html}format{html}</tt>{html}{html}</td>{html}
	 {html}><tt>format</tt></td>
     <td align="left">{html}URI{html}</td>{html}
	 {html}>URI</td>
     <td align="center">{html}Yes{html}<>Yes</td>{html}
	 {html}
     <td align="left">{html}{html}<></td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <td align="left" colspan="4">{html}{html}<strong>{html}_Class {html}<tt>{html}X509SubjectNameNameIdentifierMapping{html}</tt>{html}:_{html}</strong>{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}><strong>Class <tt>X509SubjectNameNameIdentifierMapping</tt>:</strong></td>
  </tr>
  <tr>
     <th align="left">{html}Attribute Name{html}</th>{html}
	 {html}>Attribute Name</th>
     <th align="left">{html}Type{html}</th>{html}
	 {html}>Type</th>
     <th align="center">{html}Required{html}</th>{html}
	 {html}>Required</th>
     <th align="left">{html}Default{html}<>Default</th>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}     <td align="left">{html}{html}<tt>{html}regex{html}</tt>{html}{html}</td>{html}
	 {html}><tt>regex</tt></td>
     <td align="left">{html}String{html}</td>{html}
	 {html}>String</td>
     <td align="center">{html}No{html}</td>{html}
	 {html}>No</td>
     <td align="left">{html}{html}<tt>{html}><tt>.*uid=\(\[^,/\]+\).*{html}</tt>{html}{html}<tt></td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <td align="left">{html}{html}<tt>{html}qualifier{html}</tt>{html}{html}</td>{html}
	 {html}><tt>qualifier</tt></td>
     <td align="left">{html}URI{html}</td>{html}
	 {html}>URI</td>
     <td align="center">{html}Yes{html}</td>{html}
	 {html}>Yes</td>
     <td align="left">{html}{html}<></td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <td align="left">{html}{html}<tt>{html}internalNameContext{html}</tt>{html}{html}</td>{html}
	 {html}><tt>internalNameContext</tt></td>
     <td align="left">{html}String{html}</td>{html}
	 {html}>String</td>
     <td align="center">{html}Yes {html}>Yes </td>{html}
	 {html}
     <td align="left">{html}{html}<></td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <td align="left" colspan="4">{html}{html}<strong>{html}_Subclasses><strong>Subclasses of {html}<tt>{html}AQHNameIdentifierMapping{html}<<tt>AQHNameIdentifierMapping</tt>{html}:_{html}</strong>{html}{html}<strong></td>{html}
   {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <th align="left">{html}Attribute Name{html}</th>{html}
	 {html}>Attribute Name</th>
     <th align="left">{html}Type{html}<>Type</th>{html}
 	 {html}<th align   <th align="center">{html}Required{html}</th>{html}
	 {html}>Required</th>
     <th align="left">{html}Default{html}<>Default</th>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <td align="left">{html}{html}<tt>{html}handleTTL{html}</tt>{html}{html}</td>{html}
	 {html}><tt>handleTTL</tt></td>
     <td align="left">{html}long{html}</td>{html}
	 {html}>long</td>
     <td align="center">{html}No{html}</td>{html}
	 {html}>No</td>
     <td align="left">{html}{html}<tt>{html}1800{html}</tt>{html}{html}</td>{html}><tt>1800</tt></td>
  {html}</tr>{html}tr>
  {html}<tr>{html}
	 {html}<tr>
     <td align="left" colspan="4">{html}{html}<strong>{html}_All><strong>All implementations of {html}<tt>{html}NameIdentifierMapping{html}<<tt>NameIdentifierMapping</tt>{html}:_{html}</strong>{html}{html}<strong></td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <th align="left">{html}Attribute Name{html}</th>{html}
	 {html}>Attribute Name</th>
     <th align="left">{html}Type{html}</th>{html}
	 {html}<th align="center">{html}Required{html}</th>{html}
	 {html}>Type</th>
     <th align="center">Required</th>
     <th align="left">{html}Default{html}<>Default</th>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<td align="left">{html}{html}<tt>{html}type{html}</tt>{html}{html}</td>{html}
	 {html}<tr>
     <td align="left"><tt>type</tt></td>
     <td align="left">{html}String{html}</td>{html}
	 {html}>String</td>
     <td align="center">{html}Yes{html}</td>{html}
	 {html}>Yes</td>
     <td align="left">{html}{html}<></td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<tr>
     <td align="left">{html}{html}<tt>{html}class{html}</tt>{html}{html}</td>{html}
	 {html}><tt>class</tt></td>
     <td align="left">{html}String{html}</td>{html}
	 {html}>String</td>
     <td align="center">{html}Yes{html}</td>{html}
	 {html}>Yes</td>
     <td align="left">{html}{html}<></td>{html}
  {html}</tr>{html}
{html}tr>
</table>{html}

Note: One and only one of the  {{type}}  or  {{class}}  attributes is required.

A brief description of each attribute follows:

*  {{id}} : a unique ID for this  {{NameMapping}}  element
*  {{format}} : a NameIdentifierFormat associated with this  {{NameMapping}}  element
*  {{regex}} : a regular expression used to extract the principal name from the DN in the  {{getPrincipal}}  method of class  {{X509SubjectNameNameIdentifierMapping}} 
*  {{qualifier}} : a URI, which is matched against the value of the  {{NameQualifier}}  attribute \(of the  {{<saml:NameIdentifier>}}  element\) in the  {{getPrincipal}}  method of class  {{X509SubjectNameNameIdentifierMapping}} 
*  {{internalNameContext}} : a string template containing one or more  {{%PRINCIPAL%}}  placeholders used to construct a  {{SAMLNameIdentifier}}  object in method  {{getNameIdentifierName}}  of class  {{X509SubjectNameNameIdentifierMapping}} 
*  {{handleTTL}} : the time-to-live \(TTL\) of the handle in seconds
*  {{type}} : an alias pre-registered with the  {{NameMapper}}  class \(see NameIdentifierMapping for possible values\)
*  {{class}} : the fully qualified class name of an implementation of NameIdentifierMapping

A  {{NameMapping}}  element of type  {{CryptoHandleGenerator}}  \(equivalent to class  {{CryptoShibHandle}} \) contains a number of child elements:

{html}<table>{html}
  {html}<tr>{html}
	 {html}<td align="left" colspan="4">{html}{html}<strong>{html}_Class {html}<tt>{html}CryptoShibHandle{html}</tt>{html}:_{html}</strong>{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<th align="left">{html}Element Name{html}</th>{html}
	 {html}<th align="center">{html}Required{html}</th>{html}
	 {html}<th align="left">{html}Default{html}</th>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<td align="left">{html}{html}<tt>{html}KeyStorePath{html}</tt>{html}{html}</td>{html}
	 {html}<td align="center">{html}Yes{html}</td>{html}
	 {html}<td align="left">{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<td align="left">{html}{html}<tt>{html}KeyStorePassword{html}</tt>{html}{html}</td>{html}
	 {html}<td align="center">{html}Yes{html}</td>{html}
	 {html}<td align="left">{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<td align="left">{html}{html}<tt>{html}KeyStoreKeyAlias{html}</tt>{html}{html}</td>{html}
	 {html}<td align="center">{html}Yes{html}</td>{html}
	 {html}<td align="left">{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<td align="left">{html}{html}<tt>{html}KeyStoreKeyPassword{html}</tt>{html}{html}</td>{html}
	 {html}<td align="center">{html}Yes{html}</td>{html}
	 {html}<td align="left">{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<td align="left">{html}{html}<tt>{html}KeyStoreType{html}</tt>{html}{html}</td>{html}
	 {html}<td align="center">{html}No{html}</td>{html}
	 {html}<td align="left">{html}{html}<tt>{html}JCEKS{html}</tt>{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<td align="left">{html}{html}<tt>{html}Cipher{html}</tt>{html}{html}</td>{html}
	 {html}<td align="center">{html}No{html}</td>{html}
	 {html}<td align="left">{html}{html}<tt>{html}DESede/CBC/PKCS5Padding{html}</tt>{html}{html}</td>{html}
  {html}</tr>{html}
  {html}<tr>{html}
	 {html}<td align="left">{html}{html}<tt>{html}MAC{html}</tt>{html}{html}</td>{html}
	 {html}<td align="center">{html}No{html}</td>{html}
	 {html}<td align="left">{html}{html}<tt>{html}HmacSHA1{html}</tt>{html}{html}</td>{html}
  {html}</tr>{html}
{html}</table>{html}
 
See the _Shibboleth Identity Provider Deployment Guide_ for more detail regarding  {{CryptoShibHandle}} .  See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html for general information about cryptographic implementations, conventions and syntax.

Some examples of  {{NameMapping}}  elements are given below:

{code}
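<!-- SharedMemoryShibHandle configuration (default) -->
<!-- handleTTL is the handle time-to-live in seconds; 1800 is the documented default -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="SharedMemoryShibHandle"/>

<!-- CryptoShibHandle configuration -->
<!-- KeyStorePassword and KeyStoreKeyPassword are secrets kept in clear text in
     this file: restrict read access to the configuration file accordingly. -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="CryptoHandleGenerator">
  <KeyStorePath>...</KeyStorePath>
  <KeyStorePassword>...</KeyStorePassword>
  <KeyStoreKeyAlias>...</KeyStoreKeyAlias>
  <KeyStoreKeyPassword>...</KeyStoreKeyPassword>
  <KeyStoreType>JCEKS</KeyStoreType>  <!-- default -->
  <!-- default; DESede (3DES) is a legacy cipher: review against current algorithm policy -->
  <Cipher>DESede/CBC/PKCS5Padding</Cipher>
  <MAC>HmacSHA1</MAC>  <!-- default -->
</NameMapping>  <!-- the closing tag must be complete, or the document is not well-formed -->

<!-- PrincipalNameIdentifier configuration (test) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn-x:test:NameIdFormat1"
  type="Principal"/>

<!-- X509SubjectNameNameIdentifierMapping configuration (e-auth) -->
<!-- regex extracts the principal name from the Subject DN; qualifier is matched
     against the NameQualifier of the incoming NameIdentifier; internalNameContext
     substitutes the extracted principal for %PRINCIPAL% -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  regex=".*uid=([^,/]+).*"
  qualifier="https://idp.org/shibboleth"
  internalNameContext="uid=%PRINCIPAL%/e-auth"
  class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>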
{code}

Only one  {{NameMapping}}  element per format is allowed.  If you want to associate a single NameIdentifierFormat with multiple mappings, a custom  {{MappingManager}}  must be written.

{code}
<!-- hypothetical configuration (e.g.) -->
<!-- The outer element names a custom MappingManager (not described elsewhere on
     this page); the nested NameMapping elements inherit its default namespace. -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  class="edu.uiuc.ncsa.shibboleth.plugins.MappingManager">
  <!-- same mapping as the e-auth example above -->
  <NameMapping
	 id="..."
	 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	 regex=".*uid=([^,/]+).*"
	 qualifier="https://idp.org/shibboleth"
	 internalNameContext="uid=%PRINCIPAL%/e-auth"
	 class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
  <!-- fallback mapping for the same format; presumably tried only if the first fails -->
  <NameMapping
	 id="..."
	 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	 class="edu.uiuc.ncsa.shibboleth.plugins.X509SubjectNameNameIdentifierMapping"/>
</NameMapping>
{code}

Presumably, the  {{MappingManager}}  invokes each of the nested mappings \(in order\) until the mapping succeeds.

For example, suppose an attribute query is sent to the AA with the following  {{NameIdentifier}}  element:

{code}
<!-- Format selects the NameMapping; NameQualifier is compared with that mapping's qualifier attribute -->
<saml:NameIdentifier
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  NameQualifier="https://idp.org/shibboleth">
  <!-- insert X.509 Subject DN here -->
</saml:NameIdentifier>
{code}

The AA consults origin.xml and finds a  {{NameMapping}}  element such as the last one above.  Since the value of the  {{Format}}  attribute of the  {{NameIdentifier}}  element matches the value of the  {{format}}  attribute of the containing  {{NameMapping}}  element, the AA invokes the  {{MappingManager}}  as given by the  {{class}}  attribute.  The  {{MappingManager}}  then applies each of the nested mappings in turn.


-\- Main.TomScavo \- 13 Apr 2005