This page didn't survive the conversion process and is no longer very usable.

Zero or more NameMapping elements (in idp.xml) call out the name mappings recognized by a Shibboleth deployment. The NameMapping element supports the following attributes:

<table cellpadding="5" cellspacing="0" border="1">
  <tr>
     <td align="left" colspan="4"><strong>Subclasses of <tt>BaseNameIdentifierMapping</tt>:</strong></td>
  </tr>
  <tr>
     <th align="left">Attribute Name</th>
     <th align="left">Type</th>
     <th align="center">Required</th>
     <th align="left">Default</th>
  </tr>
  <tr>
     <td align="left"><tt>id</tt></td>
     <td align="left">ID</td>
     <td align="center">No</td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left"><tt>format</tt></td>
     <td align="left">URI</td>
     <td align="center">Yes</td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left" colspan="4"><strong>Class <tt>X509SubjectNameNameIdentifierMapping</tt>:</strong></td>
  </tr>
  <tr>
     <th align="left">Attribute Name</th>
     <th align="left">Type</th>
     <th align="center">Required</th>
     <th align="left">Default</th>
  </tr>
  <tr>
     <td align="left"><tt>regex</tt></td>
     <td align="left">String</td>
     <td align="center">No</td>
     <td align="left"><tt>.*uid=([^,/]+).*</tt></td>
  </tr>
  <tr>
     <td align="left"><tt>qualifier</tt></td>
     <td align="left">URI</td>
     <td align="center">Yes</td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left"><tt>internalNameContext</tt></td>
     <td align="left">String</td>
     <td align="center">Yes </td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left" colspan="4"><strong>Subclasses of <tt>AQHNameIdentifierMapping</tt>:</strong></td>
  </tr>
  <tr>
     <th align="left">Attribute Name</th>
     <th align="left">Type</th>
     <th align="center">Required</th>
     <th align="left">Default</th>
  </tr>
  <tr>
     <td align="left"><tt>handleTTL</tt></td>
     <td align="left">long</td>
     <td align="center">No</td>
     <td align="left"><tt>1800</tt></td>
  </tr>
  <tr>
     <td align="left" colspan="4"><strong>All implementations of <tt>NameIdentifierMapping</tt>:</strong></td>
  </tr>
  <tr>
     <th align="left">Attribute Name</th>
     <th align="left">Type</th>
     <th align="center">Required</th>
     <th align="left">Default</th>
  </tr>
  <tr>
     <td align="left"><tt>type</tt></td>
     <td align="left">String</td>
     <td align="center">Yes</td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left"><tt>class</tt></td>
     <td align="left">String</td>
     <td align="center">Yes</td>
     <td align="left"></td>
  </tr>
</table>

Note: One and only one of the type or class attributes is required.

A brief description of each attribute follows:

A NameMapping element of type CryptoHandleGenerator (equivalent to class CryptoShibHandle) contains a number of child elements:

<table cellpadding="5" cellspacing="0" border="1">
  <tr>
     <td align="left" colspan="3"><strong>Class <tt>CryptoShibHandle</tt>:</strong></td>
  </tr>
  <tr>
     <th align="left">Element Name</th>
     <th align="center">Required</th>
     <th align="left">Default</th>
  </tr>
  <tr>
     <td align="left"><tt>KeyStorePath</tt></td>
     <td align="center">Yes</td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left"><tt>KeyStorePassword</tt></td>
     <td align="center">Yes</td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left"><tt>KeyStoreKeyAlias</tt></td>
     <td align="center">Yes</td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left"><tt>KeyStoreKeyPassword</tt></td>
     <td align="center">Yes</td>
     <td align="left"></td>
  </tr>
  <tr>
     <td align="left"><tt>KeyStoreType</tt></td>
     <td align="center">No</td>
     <td align="left"><tt>JCEKS</tt></td>
  </tr>
  <tr>
     <td align="left"><tt>Cipher</tt></td>
     <td align="center">No</td>
     <td align="left"><tt>DESede/CBC/PKCS5Padding</tt></td>
  </tr>
  <tr>
     <td align="left"><tt>MAC</tt></td>
     <td align="center">No</td>
     <td align="left"><tt>HmacSHA1</tt></td>
  </tr>
</table>

See the Shibboleth Identity Provider Deployment Guide for more detail regarding CryptoShibHandle. See http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html for general information about cryptographic implementations, conventions and syntax.
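To make the CryptoShibHandle child elements concrete, here is an added Java illustration (it is not the Shibboleth IdP's own code) of a handle generator that reads its DESede key from a JCEKS key store, encrypts a principal name together with an expiry derived from handleTTL using the default Cipher, and protects the result with the default MAC. The handle layout, the in-memory key store, the alias and passwords, and the derivation of a separate MAC key from the stored key are assumptions of this example; the page does not describe the real handle format.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustration of a CryptoShibHandle-style mapping; not the IdP's own code.
public class CryptoHandleDemo {
    // Defaults taken from the NameMapping tables (KeyStoreType, Cipher, MAC, handleTTL).
    static final String KEY_STORE_TYPE = "JCEKS";
    static final String CIPHER = "DESede/CBC/PKCS5Padding";
    static final String MAC = "HmacSHA1";
    static final long HANDLE_TTL_SECONDS = 1800;
    static final int IV_BYTES = 8;     // DESede block size
    static final int MAC_BYTES = 20;   // HmacSHA1 output size

    private final SecretKey cipherKey;
    private final SecretKey macKey;

    CryptoHandleDemo(SecretKey storedKey) throws Exception {
        this.cipherKey = storedKey;
        // Assumption: derive a distinct MAC key from the stored key rather than reusing it raw.
        Mac kdf = Mac.getInstance(MAC);
        kdf.init(new SecretKeySpec(storedKey.getEncoded(), MAC));
        this.macKey = new SecretKeySpec(kdf.doFinal("handle-mac".getBytes(StandardCharsets.UTF_8)), MAC);
    }

    // Mirrors KeyStorePath/KeyStorePassword/KeyStoreKeyAlias/KeyStoreKeyPassword (bytes stand in for the path).
    static CryptoHandleDemo fromKeyStore(byte[] keyStoreBytes, String storePassword,
                                         String alias, String keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE);
        ks.load(new ByteArrayInputStream(keyStoreBytes), storePassword.toCharArray());
        SecretKey k = (SecretKey) ks.getKey(alias, keyPassword.toCharArray());
        if (k == null) throw new IllegalStateException("no secret key under alias " + alias);
        return new CryptoHandleDemo(k);
    }

    // Assumed handle layout: base64( iv || ciphertext(expiryMillis || principal) || mac(iv || ciphertext) ).
    String generate(String principal, long nowMillis) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        byte[] name = principal.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + name.length)
                .putLong(nowMillis + HANDLE_TTL_SECONDS * 1000L).put(name).array();
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, cipherKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        Mac mac = Mac.getInstance(MAC);
        mac.init(macKey);
        mac.update(iv);
        byte[] tag = mac.doFinal(ct);
        ByteBuffer out = ByteBuffer.allocate(iv.length + ct.length + tag.length).put(iv).put(ct).put(tag);
        return Base64.getEncoder().encodeToString(out.array());
    }

    // Returns the principal, or null when the MAC fails or the handle has outlived handleTTL.
    String resolve(String handle, long nowMillis) throws Exception {
        byte[] raw = Base64.getDecoder().decode(handle);
        if (raw.length < IV_BYTES + MAC_BYTES + 8) return null;
        byte[] iv = Arrays.copyOfRange(raw, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(raw, IV_BYTES, raw.length - MAC_BYTES);
        byte[] tag = Arrays.copyOfRange(raw, raw.length - MAC_BYTES, raw.length);
        Mac mac = Mac.getInstance(MAC);
        mac.init(macKey);
        mac.update(iv);
        // Verify the MAC before touching the ciphertext, using a constant-time comparison.
        if (!MessageDigest.isEqual(tag, mac.doFinal(ct))) return null;
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, cipherKey, new IvParameterSpec(iv));
        ByteBuffer plain = ByteBuffer.wrap(c.doFinal(ct));
        long expiry = plain.getLong();
        if (nowMillis > expiry) return null;   // handleTTL elapsed
        byte[] name = new byte[plain.remaining()];
        plain.get(name);
        return new String(name, StandardCharsets.UTF_8);
    }

    // Builds a throw-away JCEKS store in memory so the demo needs no files (constructed input).
    static byte[] demoKeyStore(String storePassword, String alias, String keyPassword) throws Exception {
        SecretKey k = KeyGenerator.getInstance("DESede").generateKey();
        KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE);
        ks.load(null, null);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(k),
                new KeyStore.PasswordProtection(keyPassword.toCharArray()));
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ks.store(bos, storePassword.toCharArray());
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] store = demoKeyStore("store-pw", "handlekey", "key-pw");
        CryptoHandleDemo m = CryptoHandleDemo.fromKeyStore(store, "store-pw", "handlekey", "key-pw");
        long now = System.currentTimeMillis();
        String h = m.generate("jdoe", now);
        System.out.println("handle : " + h);
        System.out.println("fresh  : " + m.resolve(h, now + 60_000L));
        System.out.println("expired: " + m.resolve(h, now + (HANDLE_TTL_SECONDS + 1) * 1000L));
    }
}
```

Running main prints a base64 handle, resolves it to jdoe while it is fresh, and resolves the same handle to null once handleTTL has elapsed. Two points carry over to any deployment of this mapping: the MAC is verified before decryption and compared in constant time, and the key store password, key password and alias are exactly the secrets the KeyStore* elements place in idp.xml, so that file deserves the same file-permission care as the key store itself.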

Some examples of NameMapping elements are given below:

<!-- SharedMemoryShibHandle configuration (default) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="SharedMemoryShibHandle"/>

<!-- CryptoShibHandle configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:mace:shibboleth:1.0:nameIdentifier"
  handleTTL="1800"
  type="CryptoHandleGenerator">
  <KeyStorePath>...</KeyStorePath>
  <KeyStorePassword>...</KeyStorePassword>
  <KeyStoreKeyAlias>...</KeyStoreKeyAlias>
  <KeyStoreKeyPassword>...</KeyStoreKeyPassword>
  <KeyStoreType>JCEKS</KeyStoreType>  <!-- default -->
  <Cipher>DESede/CBC/PKCS5Padding</Cipher>  <!-- default -->
  <MAC>HmacSHA1</MAC>  <!-- default -->
</NameMapping>

<!-- PrincipalNameIdentifier configuration (test) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn-x:test:NameIdFormat1"
  type="Principal"/>

<!-- X509SubjectNameNameIdentifierMapping configuration (e-auth) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  regex=".*uid=([^,/]+).*"
  qualifier="https://idp.org/shibboleth"
  internalNameContext="uid=%PRINCIPAL%/e-auth"
  class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>

Only one NameMapping element per format is allowed. If you want to associate a single NameIdentifierFormat with multiple mappings, a custom MappingManager must be written.

<!-- hypothetical configuration (e.g.) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  class="edu.uiuc.ncsa.shibboleth.plugins.MappingManager">
  <NameMapping
    id="..."
    format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
    regex=".*uid=([^,/]+).*"
    qualifier="https://idp.org/shibboleth"
    internalNameContext="uid=%PRINCIPAL%/e-auth"
    class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
  <NameMapping
    id="..."
    format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
    class="edu.uiuc.ncsa.shibboleth.plugins.X509SubjectNameNameIdentifierMapping"/>
</NameMapping>

Presumably, the MappingManager invokes each of the nested mappings (in order) until the mapping succeeds.

For example, suppose an attribute query is sent to the AA with the following NameIdentifier element:

<saml:NameIdentifier
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  NameQualifier="https://idp.org/shibboleth">
  <!-- insert X.509 Subject DN here -->
</saml:NameIdentifier>

The AA consults origin.xml and finds a NameMapping element such as the last one above. Since the value of the Format attribute of the NameIdentifier element matches the value of the format attribute of the containing NameMapping element, the AA invokes the MappingManager as given by the class attribute. The MappingManager then applies each of the nested mappings in turn.
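As an added illustration (Java 16 or later; not the IdP's code) of the regex, qualifier and internalNameContext attributes and of the chain-of-mappings behaviour just described, the sketch below maps a received NameIdentifier to a principal by trying nested mappings in order, and maps a principal back out through internalNameContext. The interface names, the TableMapping stand-in for the second nested class on the page, the DN values and the rule that the first nested mapping produces outbound identifiers are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustration of the X509SubjectName mapping and a MappingManager chain; not the IdP's own code.
public class NameMappingDemo {

    static final String X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    // Minimal view of a saml:NameIdentifier: Format, NameQualifier and the element value.
    record NameIdentifier(String format, String qualifier, String value) {}

    interface NameIdentifierMapping {
        String format();
        // Returns the local principal, or null when this mapping does not apply to the identifier.
        String toPrincipal(NameIdentifier id);
    }

    // Models the regex, qualifier and internalNameContext attributes from the page's example.
    static class X509SubjectNameMapping implements NameIdentifierMapping {
        private final Pattern regex;
        private final String qualifier;
        private final String internalNameContext;

        X509SubjectNameMapping(String regex, String qualifier, String internalNameContext) {
            this.regex = Pattern.compile(regex);
            this.qualifier = qualifier;
            this.internalNameContext = internalNameContext;
        }

        public String format() { return X509_FORMAT; }

        public String toPrincipal(NameIdentifier id) {
            // Check Format and NameQualifier before trusting anything in the DN.
            if (!X509_FORMAT.equals(id.format()) || !qualifier.equals(id.qualifier())) return null;
            Matcher m = regex.matcher(id.value());
            return m.matches() ? m.group(1) : null;   // group 1 captures the uid= value
        }

        // Outbound direction: substitute the principal into internalNameContext.
        NameIdentifier toNameIdentifier(String principal) {
            return new NameIdentifier(X509_FORMAT, qualifier,
                    internalNameContext.replace("%PRINCIPAL%", principal));
        }
    }

    // Stand-in (assumed) for the second nested class on the page: a fixed DN-to-principal table.
    static class TableMapping implements NameIdentifierMapping {
        private final String qualifier;
        private final Map<String, String> dnToPrincipal;

        TableMapping(String qualifier, Map<String, String> dnToPrincipal) {
            this.qualifier = qualifier;
            this.dnToPrincipal = dnToPrincipal;
        }

        public String format() { return X509_FORMAT; }

        public String toPrincipal(NameIdentifier id) {
            if (!X509_FORMAT.equals(id.format()) || !qualifier.equals(id.qualifier())) return null;
            return dnToPrincipal.get(id.value());
        }
    }

    // One format, several mappings: apply each nested mapping in order until one succeeds.
    static class MappingManager implements NameIdentifierMapping {
        private final List<NameIdentifierMapping> chain = new ArrayList<>();

        MappingManager(List<NameIdentifierMapping> nested) {
            for (NameIdentifierMapping m : nested) {
                if (!X509_FORMAT.equals(m.format()))
                    throw new IllegalArgumentException("nested mapping must share the manager's format");
                chain.add(m);
            }
        }

        public String format() { return X509_FORMAT; }

        public String toPrincipal(NameIdentifier id) {
            if (!X509_FORMAT.equals(id.format())) return null;   // the AA only routes this format here
            for (NameIdentifierMapping m : chain) {
                String principal = m.toPrincipal(id);
                if (principal != null) return principal;
            }
            return null;
        }
    }

    public static void main(String[] args) {
        String idp = "https://idp.org/shibboleth";
        X509SubjectNameMapping regexMapping =
                new X509SubjectNameMapping(".*uid=([^,/]+).*", idp, "uid=%PRINCIPAL%/e-auth");
        MappingManager manager = new MappingManager(List.of(
                regexMapping,
                new TableMapping(idp, Map.of("CN=Jane Doe,OU=People,O=Example", "jdoe"))));

        // Constructed NameIdentifier values, as an AA might receive them in an attribute query.
        NameIdentifier viaRegex = new NameIdentifier(X509_FORMAT, idp, "uid=jdoe,ou=People,dc=example,dc=org");
        NameIdentifier viaTable = new NameIdentifier(X509_FORMAT, idp, "CN=Jane Doe,OU=People,O=Example");
        NameIdentifier foreign = new NameIdentifier(X509_FORMAT, "https://other.example/idp", "uid=jdoe");

        System.out.println("regex mapping  : " + manager.toPrincipal(viaRegex));
        System.out.println("table mapping  : " + manager.toPrincipal(viaTable));
        System.out.println("wrong qualifier: " + manager.toPrincipal(foreign));
        System.out.println("outbound       : " + regexMapping.toNameIdentifier("jdoe").value());
    }
}
```

The first identifier is resolved by the regex mapping, the second falls through to the table mapping, and the third is refused by both because its NameQualifier is not this IdP's, which is the check that keeps one deployment from answering for identifiers another party qualified. The outbound identifier uid=jdoe/e-auth round-trips through the same regex because the character class `[^,/]` stops at the slash. One caveat for the page's default regex: its leading `.*` is greedy, so a DN that happens to contain more than one uid= component yields the last one, and a deployment should tighten the pattern to the DN shape its CA actually issues.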

-- Main.TomScavo - 13 Apr 2005