Child pages
  • NameMapping

The Shibboleth 1.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Zero or more NameMapping elements (in idp.xml) call out the name mappings recognized by a Shibboleth deployment. The NameMapping element supports the following attributes:

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Note: One and only one of the type or class attributes is required.

A brief description of each attribute follows:

  • id: a unique ID for this NameMapping element
  • format: a NameIdentifierFormat associated with this NameMapping element
  • regex: a regular expression used to extract the principal name from the DN in the getPrincipal method of class X509SubjectNameNameIdentifierMapping
  • qualifier: a URI, which is matched against the value of the NameQualifier attribute (of the <saml:NameIdentifier> element) in the getPrincipal method of class X509SubjectNameNameIdentifierMapping
  • internalNameContext: a string template containing one or more %PRINCIPAL% placeholders used to construct a SAMLNameIdentifier object in method getNameIdentifierName of class X509SubjectNameNameIdentifierMapping
  • handleTTL: the time-to-live (TTL) of the handle in seconds
  • type: an alias pre-registered with the NameMapper class (see NameIdentifierMapping for possible values)
  • class: the fully qualified class name of an implementation of NameIdentifierMapping

A NameMapping element of type CryptoHandleGenerator (equivalent to class CryptoShibHandle) contains a number of child elements:

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Class

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

CryptoShibHandle

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

:

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Element Name

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Required

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Default

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

KeyStorePath

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Yes

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

KeyStorePassword

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Yes

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

KeyStoreKeyAlias

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Yes

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

KeyStoreKeyPassword

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Yes

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

KeyStoreType

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

No

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

JCEKS

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Cipher

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

No

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

DESede/CBC/PKCS5Padding

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

MAC

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

No

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

HmacSHA1

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.


Error rendering macro 'html'

Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list.

See the Shibboleth Identity Provider Deployment Guide for more detail regarding CryptoShibHandle . See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html for general information about cryptographic implementations, conventions and syntax.

Some examples of NameMapping elements are given below:

<!-- SharedMemoryShibHandle configuration (default) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="SharedMemoryShibHandle"/>

<!-- CryptoShibHandle configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="CryptoHandleGenerator">
  <KeyStorePath>...</KeyStorePath>
  <KeyStorePassword>...</KeyStorePassword>
  <KeyStoreKeyAlias>...</KeyStoreKeyAlias>
  <KeyStoreKeyPassword>...</KeyStoreKeyPassword>
  <KeyStoreType>JCEKS</KeyStoreType>  <!-- default -->
  <Cipher>DESede/CBC/PKCS5Padding</Cipher>  <!-- default -->
  <MAC>HmacSHA1</MAC>  <!-- default -->
</NameMapping

<!-- PrincipalNameIdentifier configuration (test) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn-x:test:NameIdFormat1"
  type="Principal"/>

<!-- X509SubjectNameNameIdentifierMapping configuration (e-auth) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  regex=".*uid=([^,/]+).*"
  qualifier="https://idp.org/shibboleth"
  internalNameContext="uid=%PRINCIPAL%/e-auth"
  class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>

Only one NameMapping element per format is allowed. If you wanted to associate a single NameIdentifierFormat with multiple mappings, a custom MappingManager must be written.

<!-- hypothetical configuration (e.g.) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  class="edu.uiuc.ncsa.shibboleth.plugins.MappingManager">
  <NameMapping
	 id="..."
	 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	 regex=".*uid=([^,/]+).*"
	 qualifier="https://idp.org/shibboleth"
	 internalNameContext="uid=%PRINCIPAL%/e-auth"
	 class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
  <NameMapping
	 id="..."
	 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	 class="edu.uiuc.ncsa.shibboleth.plugins.X509SubjectNameNameIdentifierMapping"/>
</NameMapping>

Presumably, the MappingManager invokes each of the nested mappings (in order) until the mapping succeeds.

For example, suppose an attribute query is sent to the AA with the following NameIdentifier element:

<saml:NameIdentifier
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  NameQualifier="https://idp.org/shibboleth">
  <!-- insert X.509 Subject DN here -->
</saml:NameIdentifier>

The AA consults origin.xml and finds a NameMapping element such as the last one above. Since the value of the Format attribute of the NameIdentifier element matches the value of the format attribute of the containing NameMapping element, the AA invokes the MappingManager as given by the class attribute. The MappingManager then applies each of the nested mappings in turn.

-- Main.TomScavo - 13 Apr 2005

  • No labels