This page didn't survive the conversion process and is no longer very usable.
An alternative implementation of a Shibboleth handle is called CryptoShibHandle. Like SharedMemoryShibHandle, a CryptoShibHandle is an opaque reference to a SAML subject. Unlike SharedMemoryShibHandle, however, a CryptoShibHandle introduces no state at the IdentityProvider. Consequently, CryptoShibHandle is well suited for load balanced environments.
A CryptoShibHandle avoids state at the IdentityProvider by encrypting the local principal name and its associated time-to-live (TTL) into the handle itself. Configuration is more involved, however, since the key used to encrypt/decrypt the handle must be created, packaged, and secured.
To enable CryptoShibHandle, perform the following steps:
- Create a Java keystore. If you're using the default Java cryptography engine you can do this with the
keytoolcommand as follows:
> keytool -genkey -keyalg RSA -keystore cryptohandle.jks -storepass KeyStorePassword -keypasswd KeyStoreKeyPassword -alias KeyStoreKeyAlias
- Place the cryptohandle.jks file in the
etc/directory of your Shibboleth !IdP home directory.
- Insert a
NameMappingelement into the !IdP config file (see below).
- In the !IdP config file, set one or more
/IdPConfig/RelyingParty/NameID/@nameMappingattributes equal to the value of
- Restart the !IdP (probably means restarting Tomcat+Apache)
To configure an !IdP to use CryptoShibHandle, a
NameMapping element similar to the following is inserted into the !IdP config file (idp.xml):
where the attributes of the
NameMapping element are the same as SharedMemoryShibHandle (except for the value of the
type attribute). The nested elements are summarized in the following table:
Class CryptoShibHandle :
Note: If you are using a standard Java keystore, the
KeyStoreType element may be omitted. Otherwise, set the
KeyStoreType element to the appropriate type identifier. Also, unless you know what you're doing, use the default values of
MAC by omitting the child elements from the
See the Shibboleth Identity Provider Deployment Guide for more detail regarding CryptoShibHandle configuration. See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html for general information about cryptographic implementations, conventions and syntax.