During the execution of a browser profile, when the user authenticates at the SSO service, the IdentityProvider typically issues the user a special type of NameIdentifier called a ShibHandle in conjunction with the authentication assertion. At that point the IdP may cache the identifier so that it can subsequently map that identifier back to the actual principal upon request (for instance, when an attribute query arrives carrying the handle).

In Shibboleth the identifier and the principal are represented by objects of type SAMLNameIdentifier and LocalPrincipal, respectively: SAMLNameIdentifier is an OpenSAML construct, while LocalPrincipal implements java.security.Principal. As users enter and leave the system, a one-to-one correspondence between SAMLNameIdentifier and LocalPrincipal objects is maintained by the IdP.
Shibboleth's handling of this mapping is based on the NameIdentifierMapping interface. The primary methods of the interface are getPrincipal and getNameIdentifier, which represent the two directions of the desired mapping between SAMLNameIdentifier and LocalPrincipal.

The abstract class BaseNameIdentifierMapping is the superclass of all implementations of NameIdentifierMapping. BaseNameIdentifierMapping implements the accessor methods that correspond to a pair of configuration options (getNameIdentifierFormat is one of them) but does not implement getPrincipal or getNameIdentifier, which are left to subclasses.
The simplest implementation of NameIdentifierMapping is PrincipalNameIdentifier, which maps the value of the <saml:NameIdentifier> element directly to a local principal of the same name. The PrincipalNameIdentifier mapping is used whenever the principal name and the value of the <saml:NameIdentifier> element are identical.
Another implementation of NameIdentifierMapping, X509SubjectNameNameIdentifierMapping, was originally developed for e-authentication conformance testing. X509SubjectNameNameIdentifierMapping assumes the principal name is embedded in the subject DN; in its getPrincipal method the principal name is extracted from the DN by regular expression matching.

Neither PrincipalNameIdentifier nor X509SubjectNameNameIdentifierMapping is very desirable in practice, since the identifier exposes the principal name to the relying party and so provides no privacy. To ensure privacy an opaque identifier called a ShibHandle is used instead. Shibboleth handles are transient, that is, they have a relatively short lifetime. The lifetime of a handle is governed by a configuration option called handleTTL (handle time-to-live), which is a member of the abstract class AQHNameIdentifierMapping. Two important classes, SharedMemoryShibHandle and CryptoShibHandle, extend AQHNameIdentifierMapping.
The default implementation of NameIdentifierMapping is SharedMemoryShibHandle. SharedMemoryShibHandle, the Shibboleth workhorse implementation of NameIdentifierMapping, defines an in-memory cache that is maintained as handles are generated or expired. Because that cache lives in the memory of the issuing IdP process, a handle can only be resolved by the process that minted it; CryptoShibHandle, described next, removes that restriction.
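As an added example (not code from the Shibboleth project), here is a Go sketch of the three mappings described so far behind one interface: PrincipalNameIdentifier (identity), X509SubjectNameNameIdentifierMapping (regular expression over the DN; picking the CN attribute is an assumption made here) and SharedMemoryShibHandle (random opaque handle cached with a TTL). Strings stand in for the SAMLNameIdentifier and LocalPrincipal objects, the method signatures are simplified, and the injectable clock exists only so that expiry can be exercised.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"sync"
	"time"
)

// NameIdentifierMapping is the two-way contract described above, simplified:
// strings stand in for the SAMLNameIdentifier and LocalPrincipal objects.
type NameIdentifierMapping interface {
	GetNameIdentifier(principal string) (string, error)
	GetPrincipal(nameID string) (string, error)
}

// PrincipalNameIdentifier: the NameIdentifier value is the principal name itself.
type PrincipalNameIdentifier struct{}

func (PrincipalNameIdentifier) GetNameIdentifier(p string) (string, error) { return p, nil }
func (PrincipalNameIdentifier) GetPrincipal(n string) (string, error)      { return n, nil }

// X509SubjectNameMapping: the principal name is embedded in a subject DN and
// pulled out with a regular expression. Using the CN attribute is an assumption.
type X509SubjectNameMapping struct{ cn *regexp.Regexp }

func NewX509SubjectNameMapping() X509SubjectNameMapping {
	return X509SubjectNameMapping{cn: regexp.MustCompile(`(?:^|,)\s*CN=([^,]+)`)}
}

func (m X509SubjectNameMapping) GetNameIdentifier(p string) (string, error) {
	return "CN=" + p + ",O=Example,C=US", nil // assumed DN shape for this example
}

func (m X509SubjectNameMapping) GetPrincipal(dn string) (string, error) {
	sub := m.cn.FindStringSubmatch(dn)
	if sub == nil {
		return "", errors.New("subject DN carries no CN")
	}
	return sub[1], nil
}

// SharedMemoryShibHandle: every call mints a random, opaque handle and caches
// the handle -> principal mapping together with its expiry time.
type SharedMemoryShibHandle struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock, so expiry can be tested
	entries map[string]handleEntry
}

type handleEntry struct {
	principal string
	expires   time.Time
}

func NewSharedMemoryShibHandle(ttl time.Duration) *SharedMemoryShibHandle {
	return &SharedMemoryShibHandle{ttl: ttl, now: time.Now, entries: map[string]handleEntry{}}
}

func (s *SharedMemoryShibHandle) GetNameIdentifier(principal string) (string, error) {
	raw := make([]byte, 16) // 128 bits from the CSPRNG: unguessable, and unlinkable to the principal
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	handle := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sweepLocked()
	s.entries[handle] = handleEntry{principal: principal, expires: s.now().Add(s.ttl)}
	return handle, nil
}

func (s *SharedMemoryShibHandle) GetPrincipal(handle string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[handle]
	if !ok {
		return "", errors.New("unknown handle")
	}
	if !s.now().Before(e.expires) {
		delete(s.entries, handle) // expired: evict and refuse to resolve
		return "", errors.New("handle expired")
	}
	return e.principal, nil
}

// sweepLocked evicts expired handles; the caller holds s.mu.
func (s *SharedMemoryShibHandle) sweepLocked() {
	now := s.now()
	for h, e := range s.entries {
		if !now.Before(e.expires) {
			delete(s.entries, h)
		}
	}
}

// Len reports how many live handles are cached.
func (s *SharedMemoryShibHandle) Len() int { s.mu.Lock(); defer s.mu.Unlock(); return len(s.entries) }

func main() {
	mappings := []NameIdentifierMapping{PrincipalNameIdentifier{}, NewX509SubjectNameMapping(), NewSharedMemoryShibHandle(30 * time.Minute)}
	for _, m := range mappings {
		id, _ := m.GetNameIdentifier("jdoe")
		p, _ := m.GetPrincipal(id)
		fmt.Printf("%T: %q -> %q\n", m, id, p)
	}
}
```

Running main prints the identifier each mapping hands out for the same principal; only the SharedMemoryShibHandle value is opaque, and it changes on every call.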
The most complicated implementation of NameIdentifierMapping is CryptoShibHandle. CryptoShibHandle concatenates an initialization vector, an HMAC, an expiration time, and the principal name; the result is encrypted, encoded, and inserted into the <saml:NameIdentifier> element. (On the surface, an instance of CryptoShibHandle looks just like an ordinary ShibHandle.) Later the AA (attribute authority) decodes and decrypts the value of the <saml:NameIdentifier> element, checks the HMAC and the expiration time, and recovers the principal name. No caching is required in this case, so any IdP instance holding the same key material can resolve the handle. CryptoShibHandle presupposes a number of configuration options, the key material among them; reasonable defaults are provided for the optional ones.
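As an added example (again not the project's own code), a Go implementation of the CryptoShibHandle construction. The text fixes the fields (IV, HMAC, expiration time, principal name) but not the algorithms, so AES-CTR, HMAC-SHA256, an 8-byte big-endian expiry, base64url encoding and the key values used here are all assumptions. The point to take from it is the order of checks on the way back: decode, decrypt, verify the MAC in constant time, and only then look at the expiry or the principal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// CryptoShibHandle issues a stateless handle laid out as
//   base64url( IV || AES-CTR_encKey( HMAC-SHA256_macKey(expiry || principal) || expiry || principal ) )
// Cipher, MAC, expiry encoding and text encoding are assumptions for this example;
// the page only fixes the list of fields.
type CryptoShibHandle struct {
	encKey []byte           // AES-128/192/256 key
	macKey []byte           // separate HMAC key, never the encryption key
	ttl    time.Duration    // handleTTL
	now    func() time.Time // injectable clock
}

const tagLen = sha256.Size

func (c *CryptoShibHandle) tag(expiry, principal []byte) []byte {
	h := hmac.New(sha256.New, c.macKey)
	h.Write(expiry)
	h.Write(principal)
	return h.Sum(nil)
}

func (c *CryptoShibHandle) GetNameIdentifier(principal string) (string, error) {
	expiry := make([]byte, 8)
	binary.BigEndian.PutUint64(expiry, uint64(c.now().Add(c.ttl).Unix()))
	plain := append(c.tag(expiry, []byte(principal)), expiry...)
	plain = append(plain, principal...)

	block, err := aes.NewCipher(c.encKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize+len(plain))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil { // fresh IV per handle: same principal, different handles
		return "", err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plain)
	return base64.RawURLEncoding.EncodeToString(out), nil
}

func (c *CryptoShibHandle) GetPrincipal(handle string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(handle)
	if err != nil {
		return "", errors.New("handle is not base64url")
	}
	if len(raw) < aes.BlockSize+tagLen+8+1 {
		return "", errors.New("handle too short")
	}
	block, err := aes.NewCipher(c.encKey)
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCTR(block, raw[:aes.BlockSize]).XORKeyStream(plain, raw[aes.BlockSize:])

	tag, expiry, principal := plain[:tagLen], plain[tagLen:tagLen+8], plain[tagLen+8:]
	if !hmac.Equal(tag, c.tag(expiry, principal)) { // constant-time compare before trusting any field
		return "", errors.New("handle failed integrity check")
	}
	if c.now().Unix() >= int64(binary.BigEndian.Uint64(expiry)) {
		return "", errors.New("handle expired")
	}
	return string(principal), nil
}

func main() {
	// Constructed sample keys; a deployment loads these from a keystore.
	c := &CryptoShibHandle{encKey: []byte("0123456789abcdef"), macKey: []byte("fedcba9876543210"), ttl: 30 * time.Minute, now: time.Now}
	h, _ := c.GetNameIdentifier("jdoe")
	p, err := c.GetPrincipal(h)
	fmt.Println(h, p, err)
}
```

Because the MAC covers the plaintext and is then encrypted (the order the text describes), a bad handle is only rejected after decryption; a design written today would use an AEAD mode such as AES-GCM so the ciphertext is authenticated before anything is decrypted. Whichever order is used, the MAC key and the encryption key must be distinct, and an IdP cluster can only share handles if every node holds the same keys.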
NameMapper incorporates all of the above (except X509SubjectNameNameIdentifierMapping) to produce a fully functional implementation. NameMapper loads a default NameMapping element if no such element is defined in the IdP configuration file idp.xml; the default mapping uses SharedMemoryShibHandle with handleTTL set to 1800 seconds.

NameMapper defines two new configuration options called type and class. Each NameMapping element in idp.xml must have exactly one of the type or class attributes. A type attribute refers to one of the three aliases (described below); a class attribute is the fully qualified class name of an implementation of NameIdentifierMapping.