Zero or more NameMapping elements (in idp.xml) call out the name mappings recognized by a Shibboleth deployment. The NameMapping element supports the following attributes:

Subclasses of BaseNameIdentifierMapping:

  Attribute Name         Type     Required   Default
  id                     ID       No
  format                 URI      Yes

Class X509SubjectNameNameIdentifierMapping:

  Attribute Name         Type     Required   Default
  regex                  String   No         .*uid=([^,/]+).*
  qualifier              URI      Yes
  internalNameContext    String   Yes

Subclasses of AQHNameIdentifierMapping:

  Attribute Name         Type     Required   Default
  handleTTL              long     No         1800

All implementations of NameIdentifierMapping:

  Attribute Name         Type     Required   Default
  type                   String   Yes
  class                  String   Yes

Note: One and only one of the type or class attributes is required.

A brief description of each attribute follows:

  • id: a unique ID for this NameMapping element
  • format: a NameIdentifierFormat associated with this NameMapping element
  • regex: a regular expression used to extract the principal name from the DN in the getPrincipal method of class X509SubjectNameNameIdentifierMapping
  • qualifier: a URI, which is matched against the value of the NameQualifier attribute (of the <saml:NameIdentifier> element) in the getPrincipal method of class X509SubjectNameNameIdentifierMapping
  • internalNameContext: a string template containing one or more %PRINCIPAL% placeholders used to construct a SAMLNameIdentifier object in method getNameIdentifierName of class X509SubjectNameNameIdentifierMapping
  • handleTTL: the time-to-live (TTL) of the handle in seconds
  • type: an alias pre-registered with the NameMapper class (see NameIdentifierMapping for possible values)
  • class: the fully qualified class name of an implementation of NameIdentifierMapping

A NameMapping element of type CryptoHandleGenerator (equivalent to class CryptoShibHandle) contains a number of child elements:

Class CryptoShibHandle:

  Element Name           Required   Default
  KeyStorePath           Yes
  KeyStorePassword       Yes
  KeyStoreKeyAlias       Yes
  KeyStoreKeyPassword    Yes
  KeyStoreType           No         JCEKS
  Cipher                 No         DESede/CBC/PKCS5Padding
  MAC                    No         HmacSHA1

See the Shibboleth Identity Provider Deployment Guide for more detail regarding CryptoShibHandle.
See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html for general information about cryptographic implementations, conventions and syntax. Some examples of NameMapping elements are given below:


Code Block
langxml
<!-- SharedMemoryShibHandle configuration (default) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="SharedMemoryShibHandle"/>

<!-- CryptoShibHandle configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="CryptoHandleGenerator">
  <KeyStorePath>...</KeyStorePath>
  <KeyStorePassword>...</KeyStorePassword>
  <KeyStoreKeyAlias>...</KeyStoreKeyAlias>
  <KeyStoreKeyPassword>...</KeyStoreKeyPassword>
  <KeyStoreType>JCEKS</KeyStoreType>  <!-- default -->
  <Cipher>DESede/CBC/PKCS5Padding</Cipher>  <!-- default -->
  <MAC>HmacSHA1</MAC>  <!-- default -->
</NameMapping>

<!-- PrincipalNameIdentifier configuration (test) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn-x:test:NameIdFormat1"
  type="Principal"/>

<!-- X509SubjectNameNameIdentifierMapping configuration (e-auth) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  regex=".*uid=([^,/]+).*"
  qualifier="https://idp.org/shibboleth"
  internalNameContext="uid=%PRINCIPAL%/e-auth"
  class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
{code}
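An added example, not Shibboleth code, of what the handleTTL and MAC settings in the CryptoShibHandle configuration above buy you. It assumes a handle made of the principal name plus its issue time, authenticated with HmacSHA1 (the page's default MAC) and rejected once it is older than handleTTL seconds (default 1800). The names issue_handle, resolve_handle and DEMO_KEY are assumptions of this example, and the confidentiality layer provided by the configured Cipher (DESede/CBC/PKCS5Padding) is left out because the Python standard library has no 3DES implementation.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

HANDLE_TTL = 1800  # handleTTL default from the NameMapping attribute table, in seconds
TAG_LEN = hashlib.sha1().digest_size  # HmacSHA1 tag length (20 bytes)

# Constructed demo key. A real CryptoShibHandle loads its key from the JCEKS
# keystore named by KeyStorePath/KeyStoreKeyAlias; never hard-code one.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def issue_handle(principal: str, now: float, key: bytes = DEMO_KEY) -> str:
    """Build a handle carrying the principal and its issue time, authenticated with HMAC-SHA1."""
    payload = json.dumps({"principal": principal, "issued": int(now)}).encode()
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def resolve_handle(handle: str, now: float, ttl: int = HANDLE_TTL,
                   key: bytes = DEMO_KEY) -> Optional[str]:
    """Return the principal behind a handle, or None if it is malformed, forged or expired."""
    try:
        raw = base64.urlsafe_b64decode(handle.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    # Verify the MAC (in constant time) before trusting anything in the payload.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    # handleTTL: the issue time is inside the authenticated payload, so the
    # presenter cannot move it; a handle older than the TTL is refused.
    if now - fields["issued"] > ttl:
        return None
    return fields["principal"]


if __name__ == "__main__":
    import time
    t0 = time.time()
    h = issue_handle("alice", t0)
    print("fresh handle resolves to", resolve_handle(h, t0 + 60))
    print("after the TTL it resolves to", resolve_handle(h, t0 + HANDLE_TTL + 1))
```

The order of checks is the point: the tag is verified before the payload is parsed, the comparison is constant-time, and the expiry is computed from a timestamp that the MAC covers, so neither the principal nor the issue time can be altered without the keystore key.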

Only one NameMapping element per format is allowed. If you wanted to associate a single NameIdentifierFormat with multiple mappings, a custom MappingManager must be written.


Code Block
langxml
<!-- hypothetical configuration (e.g.) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  class="edu.uiuc.ncsa.shibboleth.plugins.MappingManager">
  <NameMapping
	 id="..."
	 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	 regex=".*uid=([^,/]+).*"
	 qualifier="https://idp.org/shibboleth"
	 internalNameContext="uid=%PRINCIPAL%/e-auth"
	 class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
  <NameMapping
	 id="..."
	 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	 class="edu.uiuc.ncsa.shibboleth.plugins.X509SubjectNameNameIdentifierMapping"/>
</NameMapping>
{code}

Presumably, the MappingManager invokes each of the nested mappings (in order) until the mapping succeeds. For example, suppose an attribute query is sent to the AA with the following NameIdentifier element:


Code Block
langxml
<saml:NameIdentifier
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  NameQualifier="https://idp.org/shibboleth">
  <!-- insert X.509 Subject DN here -->
</saml:NameIdentifier>
{code}

The AA consults origin.xml and finds a NameMapping element such as the last one above. Since the value of the Format attribute of the NameIdentifier element matches the value of the format attribute of the containing NameMapping element, the AA invokes the MappingManager as given by the class attribute. The MappingManager then applies each of the nested mappings in turn.

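The lookup and chaining behaviour described above, as an added Python model that is not Shibboleth code: a NameMapper holds one mapping per format, X509SubjectNameNameIdentifierMapping applies the qualifier, regex and internalNameContext attributes from the table, and a MappingManager tries its nested mappings in order until one succeeds (the page's own reading of the behaviour). Class and method names mirror the page (getPrincipal, getNameIdentifierName); the Python signatures, NameIdentifier, MappingFailed, build_example_name_mapper and resolve are assumptions of this example, and the second nested mapping is a constructed stand-in because the behaviour of the edu.uiuc.ncsa class is not on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Union

X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
IDP_QUALIFIER = "https://idp.org/shibboleth"


@dataclass(frozen=True)
class NameIdentifier:
    """The parts of a <saml:NameIdentifier> the mapping code looks at."""
    format: str
    name_qualifier: str
    value: str  # for the X509SubjectName format, the X.509 Subject DN


class MappingFailed(Exception):
    """A mapping could not produce a principal for this NameIdentifier."""


class X509SubjectNameNameIdentifierMapping:
    """Model of the regex, qualifier and internalNameContext attributes."""

    def __init__(self, format: str, qualifier: str, internal_name_context: str,
                 regex: str = r".*uid=([^,/]+).*"):  # the page's default regex
        self.format = format
        self.qualifier = qualifier
        self.internal_name_context = internal_name_context
        self.regex = re.compile(regex)

    def get_principal(self, name_id: NameIdentifier) -> str:
        # qualifier is matched against the NameQualifier attribute first
        if name_id.name_qualifier != self.qualifier:
            raise MappingFailed("NameQualifier %r does not match %r"
                                % (name_id.name_qualifier, self.qualifier))
        # The pattern is anchored by .* at both ends, so match the whole DN.
        # Matching is case-sensitive: a DN rendered as "UID=" does not match "uid=".
        match = self.regex.fullmatch(name_id.value)
        if match is None:
            raise MappingFailed("regex did not match DN %r" % name_id.value)
        return match.group(1)

    def get_name_identifier_name(self, principal: str) -> NameIdentifier:
        # every %PRINCIPAL% placeholder in the template is replaced
        value = self.internal_name_context.replace("%PRINCIPAL%", principal)
        return NameIdentifier(self.format, self.qualifier, value)


class MappingManager:
    """Tries each nested mapping in order until one succeeds."""

    def __init__(self, format: str,
                 mappings: Sequence[X509SubjectNameNameIdentifierMapping]):
        self.format = format
        self.mappings = list(mappings)

    def get_principal(self, name_id: NameIdentifier) -> str:
        reasons: List[str] = []
        for mapping in self.mappings:
            try:
                return mapping.get_principal(name_id)
            except MappingFailed as exc:
                reasons.append(str(exc))
        raise MappingFailed("all nested mappings failed: " + "; ".join(reasons))


Mapping = Union[X509SubjectNameNameIdentifierMapping, MappingManager]


class NameMapper:
    """Registry keyed by format; only one NameMapping element per format is allowed."""

    def __init__(self) -> None:
        self._by_format: Dict[str, Mapping] = {}

    def register(self, mapping: Mapping) -> None:
        if mapping.format in self._by_format:
            raise ValueError("duplicate NameMapping for format " + mapping.format)
        self._by_format[mapping.format] = mapping

    def lookup(self, format: str) -> Optional[Mapping]:
        return self._by_format.get(format)

    def get_principal(self, name_id: NameIdentifier) -> str:
        mapping = self.lookup(name_id.format)
        if mapping is None:
            raise MappingFailed("no NameMapping for format " + name_id.format)
        return mapping.get_principal(name_id)


def build_example_name_mapper() -> NameMapper:
    """Mirror the hypothetical nested configuration shown above."""
    first = X509SubjectNameNameIdentifierMapping(
        X509_FORMAT, IDP_QUALIFIER, "uid=%PRINCIPAL%/e-auth")
    # Constructed stand-in for the second nested class: pulls the principal from a CN.
    second = X509SubjectNameNameIdentifierMapping(
        X509_FORMAT, IDP_QUALIFIER, "CN=%PRINCIPAL%", regex=r".*CN=([^,/]+).*")
    mapper = NameMapper()
    mapper.register(MappingManager(X509_FORMAT, [first, second]))
    return mapper


def resolve(mapper: NameMapper, format: str, qualifier: str, dn: str) -> Optional[str]:
    """Run the AA-side lookup; None means the query carries no mappable subject."""
    try:
        return mapper.get_principal(NameIdentifier(format, qualifier, dn))
    except MappingFailed:
        return None
```

Two things worth checking in a real deployment follow from the model: a NameQualifier that is not the configured qualifier is refused before the DN is even inspected, and the default regex round-trips the internalNameContext template ("uid=alice" becomes "uid=alice/e-auth" and maps back to "alice") only because the character class stops at "/" and ",".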

-- Main.TomScavo - 13 Apr 2005