The default implementation of a Shibboleth handle is called SharedMemoryShibHandle. In general, a Shibboleth handle is an opaque reference to a SAML subject, which the IdentityProvider passes to the ServiceProvider in an authentication assertion. The ServiceProvider subsequently uses the handle to communicate with the IdentityProvider (to retrieve attributes, for instance).
When the IdentityProvider generates the handle, it is cached in memory along with the corresponding local principal name. Later, when the ServiceProvider requests attributes, the AttributeAuthority does a lookup on the handle in memory to recover the principal name. Once the lookup is complete, the handle is removed from cache.
To configure an IdentityProvider to use SharedMemoryShibHandle, a NameMapping element similar to the following is inserted into the IdP config file (idp.xml):

    <!-- SharedMemoryShibHandle configuration (default) -->
    <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
                 id="..."
                 format="urn:mace:shibboleth:1.0:nameIdentifier"
                 handleTTL="1800"
                 type="SharedMemoryShibHandle"/>
The id attribute is a unique identifier for this NameMapping element in the config file. The handleTTL attribute is the maximum allowable time-to-live (in seconds) for the handle.
For some deployments, a memory-bound handle mechanism may be unsatisfactory. In this case, an alternative implementation called CryptoShibHandle is provided.
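The handle lifecycle described above (opaque handle cached with the principal name, bounded by handleTTL, removed from the cache by the first lookup) modelled as an added example; this is illustrative code, not Shibboleth's own implementation, and the class and function names are assumptions. The final check also shows why the mechanism is memory-bound: a second IdP process holding its own cache cannot resolve a handle issued by the first.

```python
import secrets
import time


class SharedMemoryHandleStore:
    """Toy model of SharedMemoryShibHandle semantics (hypothetical class, not Shibboleth code).

    A handle is an unguessable random token mapped, in this process's memory only,
    to the local principal name. It expires after handle_ttl seconds and is consumed
    (removed) by the first lookup, so a captured handle cannot be replayed.
    """

    def __init__(self, handle_ttl=1800, clock=time.monotonic):
        self.handle_ttl = handle_ttl          # mirrors the handleTTL attribute (seconds)
        self._clock = clock                   # injectable for deterministic tests
        self._handles = {}                    # handle -> (principal, expiry time)

    def issue(self, principal):
        """IdP side: generate a handle for an authenticated principal."""
        handle = secrets.token_urlsafe(24)    # 192 random bits; opaque to the SP
        self._handles[handle] = (principal, self._clock() + self.handle_ttl)
        return handle

    def resolve(self, handle):
        """AttributeAuthority side: single-use lookup of handle -> principal."""
        entry = self._handles.pop(handle, None)   # removed on lookup, valid or not
        if entry is None:
            return None                           # unknown, or already consumed
        principal, expiry = entry
        if self._clock() > expiry:
            return None                           # past handleTTL: reject
        return principal

    def purge_expired(self):
        """Housekeeping: drop handles that expired without ever being looked up."""
        now = self._clock()
        stale = [h for h, (_, expiry) in self._handles.items() if expiry < now]
        for h in stale:
            del self._handles[h]
        return len(stale)


def demo():
    clock = [0.0]                                 # constructed fake clock
    idp_a = SharedMemoryHandleStore(handle_ttl=1800, clock=lambda: clock[0])
    idp_b = SharedMemoryHandleStore(handle_ttl=1800, clock=lambda: clock[0])  # second node
    h = idp_a.issue("jdoe")
    first = idp_a.resolve(h)                      # "jdoe"
    replay = idp_a.resolve(h)                     # None: consumed by the first lookup
    h2 = idp_a.issue("jdoe")
    other_node = idp_b.resolve(h2)                # None: cache is per-process memory
    h3 = idp_a.issue("jdoe")
    clock[0] += 1801                              # advance past handleTTL
    expired = idp_a.resolve(h3)                   # None: expired
    return first, replay, other_node, expired, idp_a.purge_expired()
```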