
The Shibboleth 1.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.


The PrincipalNameIdentifier mapping is the simplest and most straightforward NameIdentifierMapping of all. The idea is to embed the local principal name directly in the NameIdentifier element:

<saml:Subject
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier
    Format="urn-x:test:NameIdFormat1"
    NameQualifier="https://idp.example.org/shibboleth">
    netid
  </saml:NameIdentifier>
</saml:Subject>

Because the local principal name is sent unmodified in the NameIdentifier element, the PrincipalNameIdentifier mapping provides no privacy whatsoever.

To configure an IdentityProvider to use PrincipalNameIdentifier, insert the following NameMapping element into the IdP config file (idp.xml):

<!-- PrincipalNameIdentifier configuration (test) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn-x:test:NameIdFormat1"
  type="Principal"/>

The id attribute is a unique identifier for this NameMapping element in the config file. The format attribute value is wholly contrived, so PrincipalNameIdentifier is of little use except for testing purposes.

Note: The GridShib.EmailAddressNameIdentifierMapping is functionally equivalent to the PrincipalNameIdentifier mapping, and in addition it is an implementation of a standard SAML NameIdentifierFormat.
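
The following is an added example, not part of the original documentation or of the Shibboleth code base: a Python check that lists every NameMapping of type Principal in an IdP config and shows, on a sample Subject, that the NameIdentifier carries the raw principal name. The IdPConfig wrapper element, the id values and the second mapping's type are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAMEMAPPER_NS = "urn:mace:shibboleth:namemapper:1.0"   # namespace shown on the page
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"     # namespace shown on the page

# Constructed idp.xml fragment. The wrapper element, both id values and the
# "ExampleOtherType" mapping are hypothetical placeholders.
SAMPLE_IDP_XML = """
<IdPConfig>
  <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
    id="test-principal" format="urn-x:test:NameIdFormat1" type="Principal"/>
  <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
    id="other" format="urn-x:test:OtherFormat" type="ExampleOtherType"/>
</IdPConfig>
"""

# The Subject from the page, reproduced as sample input.
SAMPLE_SUBJECT = """
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier Format="urn-x:test:NameIdFormat1"
    NameQualifier="https://idp.example.org/shibboleth">
    netid
  </saml:NameIdentifier>
</saml:Subject>
"""

def find_principal_mappings(config_xml):
    """Return (id, format) for every NameMapping with type="Principal"."""
    root = ET.fromstring(config_xml.strip())
    return [(el.get("id"), el.get("format"))
            for el in root.iter("{%s}NameMapping" % NAMEMAPPER_NS)
            if el.get("type") == "Principal"]

def exposed_principal(subject_xml, principal_formats):
    """Return the principal name if the NameIdentifier uses a flagged format."""
    root = ET.fromstring(subject_xml.strip())
    for name_id in root.iter("{%s}NameIdentifier" % SAML1_NS):
        if name_id.get("Format") in principal_formats:
            return (name_id.text or "").strip()
    return None

if __name__ == "__main__":
    mappings = find_principal_mappings(SAMPLE_IDP_XML)
    formats = {fmt for _, fmt in mappings}
    for mapping_id, fmt in mappings:
        print("Principal mapping enabled: id=%s format=%s" % (mapping_id, fmt))
    print("Principal name sent to relying party:",
          exposed_principal(SAMPLE_SUBJECT, formats))
```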
