The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Zero or more NameMapping elements (in idp.xml) call out the name mappings recognized by a Shibboleth deployment. The NameMapping element supports the following attributes:

Unknown macro: {html}

<table cellpadding="5" cellspacing="0" border="1">
<tr>
<td align="left" colspan="4"><strong>Subclasses of <tt>BaseNameIdentifierMapping</tt>:</strong></td>
</tr>
<tr>
<th align="left">Attribute Name</th>
<th align="left">Type</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>id</tt></td>
<td align="left">ID</td>
<td align="center">No</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>format</tt></td>
<td align="left">URI</td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left" colspan="4"><strong>Class <tt>X509SubjectNameNameIdentifierMapping</tt>:</strong></td>
</tr>
<tr>
<th align="left">Attribute Name</th>
<th align="left">Type</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>regex</tt></td>
<td align="left">String</td>
<td align="center">No</td>
<td align="left"><tt>.uid=([^,/]+).</tt></td>
</tr>
<tr>
<td align="left"><tt>qualifier</tt></td>
<td align="left">URI</td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>internalNameContext</tt></td>
<td align="left">String</td>
<td align="center">Yes </td>
<td align="left"></td>
</tr>
<tr>
<td align="left" colspan="4"><strong>Subclasses of <tt>AQHNameIdentifierMapping</tt>:</strong></td>
</tr>
<tr>
<th align="left">Attribute Name</th>
<th align="left">Type</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>handleTTL</tt></td>
<td align="left">long</td>
<td align="center">No</td>
<td align="left"><tt>1800</tt></td>
</tr>
<tr>
<td align="left" colspan="4"><strong>All implementations of <tt>NameIdentifierMapping</tt>:</strong></td>
</tr>
<tr>
<th align="left">Attribute Name</th>
<th align="left">Type</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>type</tt></td>
<td align="left">String</td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>class</tt></td>
<td align="left">String</td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
</table>

Note: One and only one of the type or class attributes is required.

A brief description of each attribute follows:

  • id: a unique ID for this NameMapping element
  • format: a NameIdentifierFormat associated with this NameMapping element
  • regex: a regular expression used to extract the principal name from the DN in the getPrincipal method of class X509SubjectNameNameIdentifierMapping
  • qualifier: a URI, which is matched against the value of the NameQualifier attribute (of the <saml:NameIdentifier> element) in the getPrincipal method of class X509SubjectNameNameIdentifierMapping
  • internalNameContext: a string template containing one or more %PRINCIPAL% placeholders used to construct a SAMLNameIdentifier object in method getNameIdentifierName of class X509SubjectNameNameIdentifierMapping
  • handleTTL: the time-to-live (TTL) of the handle in seconds
  • type: an alias pre-registered with the NameMapper class (see NameIdentifierMapping for possible values)
  • class: the fully qualified class name of an implementation of NameIdentifierMapping

A NameMapping element of type CryptoHandleGenerator (equivalent to class CryptoShibHandle) contains a number of child elements:

Unknown macro: {html}

<table cellpadding="5" cellspacing="0" border="1">
<tr>
<td align="left" colspan="4"><strong>Class <tt>CryptoShibHandle</tt>:</strong></td>
</tr>
<tr>
<th align="left">Element Name</th>
<th align="center">Required</th>
<th align="left">Default</th>
</tr>
<tr>
<td align="left"><tt>KeyStorePath</tt></td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>KeyStorePassword</tt></td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>KeyStoreKeyAlias</tt></td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>KeyStoreKeyPassword</tt></td>
<td align="center">Yes</td>
<td align="left"></td>
</tr>
<tr>
<td align="left"><tt>KeyStoreType</tt></td>
<td align="center">No</td>
<td align="left"><tt>JCEKS</tt></td>
</tr>
<tr>
<td align="left"><tt>Cipher</tt></td>
<td align="center">No</td>
<td align="left"><tt>DESede/CBC/PKCS5Padding</tt></td>
</tr>
<tr>
<td align="left"><tt>MAC</tt></td>
<td align="center">No</td>
<td align="left"><tt>HmacSHA1</tt></td>
</tr>
</table>

See the Shibboleth Identity Provider Deployment Guide for more detail regarding CryptoShibHandle. See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html for general information about cryptographic implementations, conventions and syntax.

Some examples of NameMapping elements are given below:

<!-- SharedMemoryShibHandle configuration (default) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="SharedMemoryShibHandle"/>

<!-- CryptoShibHandle configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="CryptoHandleGenerator">
  <KeyStorePath>...</KeyStorePath>
  <KeyStorePassword>...</KeyStorePassword>
  <KeyStoreKeyAlias>...</KeyStoreKeyAlias>
  <KeyStoreKeyPassword>...</KeyStoreKeyPassword>
  <KeyStoreType>JCEKS</KeyStoreType>  <!-- default -->
  <Cipher>DESede/CBC/PKCS5Padding</Cipher>  <!-- default -->
  <MAC>HmacSHA1</MAC>  <!-- default -->
</NameMapping

<!-- PrincipalNameIdentifier configuration (test) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn-x:test:NameIdFormat1"
  type="Principal"/>

<!-- X509SubjectNameNameIdentifierMapping configuration (e-auth) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  regex=".*uid=([^,/]+).*"
  qualifier="https://idp.org/shibboleth"
  internalNameContext="uid=%PRINCIPAL%/e-auth"
  class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>

Only one NameMapping element per format is allowed. If you wanted to associate a single NameIdentifierFormat with multiple mappings, a custom MappingManager must be written.

<!-- hypothetical configuration (e.g.) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  class="edu.uiuc.ncsa.shibboleth.plugins.MappingManager">
  <NameMapping
	 id="..."
	 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	 regex=".*uid=([^,/]+).*"
	 qualifier="https://idp.org/shibboleth"
	 internalNameContext="uid=%PRINCIPAL%/e-auth"
	 class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
  <NameMapping
	 id="..."
	 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	 class="edu.uiuc.ncsa.shibboleth.plugins.X509SubjectNameNameIdentifierMapping"/>
</NameMapping>

Presumably, the MappingManager invokes each of the nested mappings (in order) until the mapping succeeds.

For example, suppose an attribute query is sent to the AA with the following NameIdentifier element:

<saml:NameIdentifier
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  NameQualifier="https://idp.org/shibboleth">
  <!-- insert X.509 Subject DN here -->
</saml:NameIdentifier>

The AA consults origin.xml and finds a NameMapping element such as the last one above. Since the value of the Format attribute of the NameIdentifier element matches the value of the format attribute of the containing NameMapping element, the AA invokes the MappingManager as given by the class attribute. The MappingManager then applies each of the nested mappings in turn.

-- Main.TomScavo - 13 Apr 2005

  • No labels