Zero or more {{NameMapping}} elements (in {{idp.xml}}) call out the name mappings recognized by a Shibboleth deployment. The {{NameMapping}} element supports the following attributes:
{html}<table cellpadding="5" cellspacing="0" border="1">
<tr>
<td align="left" colspan="4"><strong>Subclasses of <tt>BaseNameIdentifierMapping</tt>:</strong></td>
</tr>
<tr>
<th align="left">Attribute Name</th>
<th align="left">Type</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>id</tt></td>
<td align="left">ID</td>
<td align="center">No</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>format</tt></td>
<td align="left">URI</td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left" colspan="4"><strong>Class <tt>X509SubjectNameNameIdentifierMapping</tt>:</strong></td>
</tr>
<tr>
<th align="left">Attribute Name</th>
<th align="left">Type</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>regex</tt></td>
<td align="left">String</td>
<td align="center">No</td>
<td align="left"><tt>.*uid=([^,/]+).*</tt></td>
</tr>
<tr>
<td align="left"><tt>qualifier</tt></td>
<td align="left">URI</td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>internalNameContext</tt></td>
<td align="left">String</td>
<td align="center">Yes </td>
<td align="left"></td>
</tr>
<tr>
<td align="left" colspan="4"><strong>Subclasses of <tt>AQHNameIdentifierMapping</tt>:</strong></td>
</tr>
<tr>
<th align="left">Attribute Name</th>
<th align="left">Type</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>handleTTL</tt></td>
<td align="left">long</td>
<td align="center">No</td>
<td align="left"><tt>1800</tt></td>
</tr>
<tr>
<td align="left" colspan="4"><strong>All implementations of <tt>NameIdentifierMapping</tt>:</strong></td>
</tr>
<tr>
<th align="left">Attribute Name</th>
<th align="left">Type</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>type</tt></td>
<td align="left">String</td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>class</tt></td>
<td align="left">String</td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
</table>{html}
Note: One and only one of the {{type}} or {{class}} attributes is required.
A brief description of each attribute follows:
* {{id}}: a unique ID for this {{NameMapping}} element
* {{format}}: a NameIdentifierFormat associated with this {{NameMapping}} element
* {{regex}}: a regular expression used to extract the principal name from the DN in the {{getPrincipal}} method of class {{X509SubjectNameNameIdentifierMapping}}
* {{qualifier}}: a URI, which is matched against the value of the {{NameQualifier}} attribute (of the {{<saml:NameIdentifier>}} element) in the {{getPrincipal}} method of class {{X509SubjectNameNameIdentifierMapping}}
* {{internalNameContext}}: a string template containing one or more {{%PRINCIPAL%}} placeholders used to construct a {{SAMLNameIdentifier}} object in method {{getNameIdentifierName}} of class {{X509SubjectNameNameIdentifierMapping}}
* {{handleTTL}}: the time-to-live (TTL) of the handle in seconds
* {{type}}: an alias pre-registered with the {{NameMapper}} class (see NameIdentifierMapping for possible values)
* {{class}}: the fully qualified class name of an implementation of NameIdentifierMapping
A {{NameMapping}} element of type {{CryptoHandleGenerator}} (equivalent to class {{CryptoShibHandle}}) contains a number of child elements:
{html}<table cellpadding="5" cellspacing="0" border="1">
<tr>
<td align="left" colspan="3"><strong>Class <tt>CryptoShibHandle</tt>:</strong></td>
</tr>
<tr>
<th align="left">Element Name</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>KeyStorePath</tt></td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>KeyStorePassword</tt></td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>KeyStoreKeyAlias</tt></td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>KeyStoreKeyPassword</tt></td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>KeyStoreType</tt></td>
<td align="center">No</td>
<td align="left"><tt>JCEKS</tt></td>
</tr>
<tr>
<td align="left"><tt>Cipher</tt></td>
<td align="center">No</td>
<td align="left"><tt>DESede/CBC/PKCS5Padding</tt></td>
</tr>
<tr>
<td align="left"><tt>MAC</tt></td>
<td align="center">No</td>
<td align="left"><tt>HmacSHA1</tt></td>
</tr>
</table>{html}
See the _Shibboleth Identity Provider Deployment Guide_ for more detail regarding {{CryptoShibHandle}}. See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html for general information about cryptographic implementations, conventions and syntax. Some examples of {{NameMapping}} elements are given below:
{code:xml}
<!-- SharedMemoryShibHandle configuration (default) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="SharedMemoryShibHandle"/>

<!-- CryptoShibHandle configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="CryptoHandleGenerator">
  <KeyStorePath>...</KeyStorePath>
  <KeyStorePassword>...</KeyStorePassword>
  <KeyStoreKeyAlias>...</KeyStoreKeyAlias>
  <KeyStoreKeyPassword>...</KeyStoreKeyPassword>
  <KeyStoreType>JCEKS</KeyStoreType>               <!-- default -->
  <Cipher>DESede/CBC/PKCS5Padding</Cipher>         <!-- default -->
  <MAC>HmacSHA1</MAC>                              <!-- default -->
</NameMapping>

<!-- PrincipalNameIdentifier configuration (test) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn-x:test:NameIdFormat1"
  type="Principal"/>

<!-- X509SubjectNameNameIdentifierMapping configuration (e-auth) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  regex=".*uid=([^,/]+).*"
  qualifier="https://idp.org/shibboleth"
  internalNameContext="uid=%PRINCIPAL%/e-auth"
  class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
{code}
Only one {{NameMapping}} element per format is allowed. If you wanted to associate a single NameIdentifierFormat with multiple mappings, a custom {{MappingManager}} must be written.
{code:xml}
<!-- hypothetical configuration (e.g.) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  class="edu.uiuc.ncsa.shibboleth.plugins.MappingManager">
  <NameMapping
    id="..."
    format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
    regex=".*uid=([^,/]+).*"
    qualifier="https://idp.org/shibboleth"
    internalNameContext="uid=%PRINCIPAL%/e-auth"
    class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
  <NameMapping
    id="..."
    format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
    class="edu.uiuc.ncsa.shibboleth.plugins.X509SubjectNameNameIdentifierMapping"/>
</NameMapping>
{code}
Presumably, the {{MappingManager}} invokes each of the nested mappings (in order) until the mapping succeeds. For example, suppose an attribute query is sent to the AA with the following {{NameIdentifier}} element:
{code:xml}
<saml:NameIdentifier
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  NameQualifier="https://idp.org/shibboleth">
  <!-- insert X.509 Subject DN here -->
</saml:NameIdentifier>
{code}
The AA consults {{origin.xml}} and finds a {{NameMapping}} element such as the last one above. Since the value of the {{Format}} attribute of the {{NameIdentifier}} element matches the value of the {{format}} attribute of the containing {{NameMapping}} element, the AA invokes the {{MappingManager}} as given by the {{class}} attribute. The {{MappingManager}} then applies each of the nested mappings in turn.
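As an added illustration (not code from this page or from the Shibboleth project), the following Python models the {{getPrincipal}} and {{getNameIdentifierName}} behaviour described above for {{X509SubjectNameNameIdentifierMapping}} (qualifier check, {{regex}} extraction, {{internalNameContext}} substitution) together with the in-order dispatch assumed for the hypothetical {{MappingManager}}. All class and method names are assumptions modelled on the page, and the sample DNs are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values; the format URI and the defaults come from this page.
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"


@dataclass
class NameIdentifier:
    """A <saml:NameIdentifier> as received by the AA (Format, NameQualifier, value)."""
    fmt: str
    name_qualifier: str
    value: str


@dataclass
class X509SubjectNameMapping:
    """Hypothetical model of X509SubjectNameNameIdentifierMapping's three attributes."""
    fmt: str = X509_FORMAT
    regex: str = r".*uid=([^,/]+).*"          # default from the attribute table
    qualifier: str = "https://idp.org/shibboleth"
    internal_name_context: str = "uid=%PRINCIPAL%/e-auth"

    def get_principal(self, name_id: NameIdentifier) -> Optional[str]:
        # Format and NameQualifier must both match before the DN is parsed at all.
        if name_id.fmt != self.fmt or name_id.name_qualifier != self.qualifier:
            return None
        # Whole-string match (like Java's Matcher.matches()); group 1 is the principal.
        m = re.fullmatch(self.regex, name_id.value)
        return m.group(1) if m else None

    def get_name_identifier_name(self, principal: str) -> NameIdentifier:
        # Every %PRINCIPAL% placeholder in the template is replaced.
        name = self.internal_name_context.replace("%PRINCIPAL%", principal)
        return NameIdentifier(self.fmt, self.qualifier, name)


class MappingManager:
    """Hypothetical container: one format, nested mappings tried in order."""
    def __init__(self, fmt: str, mappings: List[X509SubjectNameMapping]):
        self.fmt, self.mappings = fmt, mappings

    def get_principal(self, name_id: NameIdentifier) -> Optional[str]:
        if name_id.fmt != self.fmt:
            return None  # the AA only dispatches on a matching format
        for mapping in self.mappings:
            principal = mapping.get_principal(name_id)
            if principal is not None:
                return principal  # first success wins; later mappings never run
        return None
```

Note that the leading greedy {{.*}} in the default regex makes the match select the last {{uid=}} RDN when a DN contains more than one, so a deployment whose CA can issue such DNs should tighten the expression rather than rely on the default.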
-- Main.TomScavo - 13 Apr 2005