The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
PrincipalNameIdentifier
The PrincipalNameIdentifier mapping is the simplest and most straightforward NameIdentifierMapping of all. The idea is to embed the local principal name directly in the NameIdentifier element:
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier
      Format="urn-x:test:NameIdFormat1"
      NameQualifier="https://idp.example.org/shibboleth">
    netid
  </saml:NameIdentifier>
</saml:Subject>
Because the local principal name is disclosed directly in the NameIdentifier, the PrincipalNameIdentifier mapping obviously provides no privacy whatsoever.
To configure an IdentityProvider to use PrincipalNameIdentifier, insert the following NameMapping element into the IdP config file (idp.xml):
<!-- PrincipalNameIdentifier configuration (test) -->
<NameMapping
    xmlns="urn:mace:shibboleth:namemapper:1.0"
    id="..."
    format="urn-x:test:NameIdFormat1"
    type="Principal"/>
The id attribute is a unique identifier for this NameMapping element in the config file. The format attribute value is wholly contrived, so PrincipalNameIdentifier is of little use except for testing purposes.
Note: The GridShib.EmailAddressNameIdentifierMapping is functionally equivalent to the PrincipalNameIdentifier mapping and, in addition, implements a standard SAML NameIdentifierFormat.
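A check an operator might run to confirm that this test-only mapping is not enabled in a deployed idp.xml, given here as an added example that is not part of the original Shibboleth documentation: it lists every NameMapping with type="Principal" and renders the Subject such a mapping discloses. The SampleConfig wrapper element, the id values and the second mapping's type and format are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAMEMAPPER_NS = "urn:mace:shibboleth:namemapper:1.0"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: wrapper element, ids and the second mapping are made up.
# Run this only on operator-controlled config files, not on untrusted XML.
SAMPLE_IDP_XML = """\
<SampleConfig>
  <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
      id="test-principal" format="urn-x:test:NameIdFormat1" type="Principal"/>
  <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
      id="other" format="urn-x:test:OtherFormat" type="SomethingElse"/>
</SampleConfig>
"""


def find_principal_mappings(config_xml):
    """Return (id, format) for each NameMapping whose type is "Principal"."""
    root = ET.fromstring(config_xml)
    return [
        (el.get("id"), el.get("format"))
        for el in root.iter("{%s}NameMapping" % NAMEMAPPER_NS)
        if el.get("type") == "Principal"
    ]


def subject_for(principal, name_format, idp_id):
    """Build the Subject this mapping yields: the principal name, verbatim."""
    ET.register_namespace("saml", SAML1_NS)
    subject = ET.Element("{%s}Subject" % SAML1_NS)
    nameid = ET.SubElement(
        subject, "{%s}NameIdentifier" % SAML1_NS,
        {"Format": name_format, "NameQualifier": idp_id},
    )
    nameid.text = principal  # no opaque handle: the local name is sent as-is
    return ET.tostring(subject, encoding="unicode")


if __name__ == "__main__":
    for mapping_id, fmt in find_principal_mappings(SAMPLE_IDP_XML):
        print("Principal mapping enabled: id=%s format=%s" % (mapping_id, fmt))
        print(subject_for("netid", fmt, "https://idp.example.org/shibboleth"))
```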