shibboleth-dev - Re: CryptoHandleGenerator
- From: Tom Scavo <>
- To: Scott Cantor <>
- Cc: Shibboleth Development <>
- Subject: Re: CryptoHandleGenerator
- Date: Tue, 15 Mar 2005 12:18:40 -0500
On Tue, 15 Mar 2005 11:30:15 -0500, Scott Cantor <> wrote:
> > To use mapping type CryptoHandleGenerator (an alias for
> > edu.internet2.middleware.shibboleth.hs.provider.CryptoShibHandle),
> > presumably the Format attribute of the NameIdentifier element and
> > format attribute of the NameMapping element must be set to some other
> > value. What is that value (or what am I missing)?
>
> You're missing the fact that you can't do this now. You can't have multiple
> mappings for the same format, and using a different format is wrong. In 2.0,
> both would be transient.
In 2.0, the appropriate Format would be
urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted,
would it not? Isn't this what Booz-Allen-Hamilton is using?
> If the subject is a
> DN, then there's already a Format for that. Your goal is to write a mapping
> plugin for that Format that converts the SAML identifier into whatever the
> internal principal name needs to be. And then you install that.
Exactly. So what does the corresponding NameMapping element look like?
<NameMapping
xmlns="urn:mace:shibboleth:namemapper:1.0"
id="..."
format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
class="edu.uiuc.ncsa.shibboleth.X509SubjectNameNameIdentifierMapping"/>
The problem with that is other attribute requesters will need a
separate AA endpoint to use the X509SubjectName format.
> I can only speculate, but I would guess that Walter will make the mapping
> configuration endpoint specific, such that if you needed to support
> alternate mappings for a given format, you could discriminate them based on
> endpoint. In the rare cases where that's even necessary, anyway.
GridShib is one of these "rare cases", I think.
Thanks for helping me work through this,
Tom
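The constraint Scott describes (one mapping per Format, with endpoint-specific discrimination as the speculated way around it) and the DN-to-principal conversion Tom's NameMapping element is meant to perform can be modelled in a few lines. The following is an added example written for this archive page; it is not Shibboleth code and not Tom's plugin. The registry, the wrapping Mappings root element, the GridAA endpoint URL and the example.GridShibMapping class name are constructed for illustration; the NameMapping element and namespace are taken from the message above.

```python
"""Toy model of a Shibboleth 1.x-style NameMapping registry (constructed example,
not Shibboleth code). Demonstrates: one mapping per format, endpoint-keyed
overrides, and mapping an X509SubjectName identifier to a local principal."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NAMEMAPPER_NS = "urn:mace:shibboleth:namemapper:1.0"
X509_SUBJECT_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed configuration: the NameMapping element from the message, wrapped in
# a hypothetical <Mappings> root so it parses as a single XML document.
SAMPLE_CONFIG = f"""<Mappings xmlns="{NAMEMAPPER_NS}">
  <NameMapping id="x509dn"
               format="{X509_SUBJECT_FORMAT}"
               class="edu.uiuc.ncsa.shibboleth.X509SubjectNameNameIdentifierMapping"/>
</Mappings>"""


@dataclass(frozen=True)
class NameMapping:
    id: str
    format: str
    class_name: str


class NameMappingRegistry:
    """Holds at most one mapping per (endpoint, format) pair.
    An endpoint of None is the global default for that format."""

    def __init__(self) -> None:
        self._mappings: Dict[Tuple[Optional[str], str], NameMapping] = {}

    def register(self, mapping: NameMapping, endpoint: Optional[str] = None) -> None:
        key = (endpoint, mapping.format)
        if key in self._mappings:
            # Two plugins claiming the same format on the same endpoint is ambiguous;
            # refuse rather than silently letting the last one win.
            raise ValueError(
                f"duplicate mapping for format {mapping.format!r} on endpoint {endpoint!r}")
        self._mappings[key] = mapping

    def lookup(self, fmt: str, endpoint: Optional[str] = None) -> Optional[NameMapping]:
        # Endpoint-specific mapping first, then the global default for the format.
        return self._mappings.get((endpoint, fmt)) or self._mappings.get((None, fmt))


def load_registry(xml_text: str) -> NameMappingRegistry:
    """Parse NameMapping elements (namemapper:1.0 namespace) into a registry."""
    reg = NameMappingRegistry()
    root = ET.fromstring(xml_text)
    for el in root.iter(f"{{{NAMEMAPPER_NS}}}NameMapping"):
        reg.register(NameMapping(el.attrib["id"], el.attrib["format"], el.attrib["class"]))
    return reg


# CN value of an RFC 2253-style DN; a backslash escapes the following character.
_CN_RE = re.compile(r"(?:^|,)\s*CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def principal_from_x509_subject(dn: str) -> str:
    """Map an X509SubjectName NameIdentifier to a local principal name (the CN).
    A DN without a CN is rejected instead of guessed at."""
    m = _CN_RE.search(dn)
    if not m:
        raise ValueError(f"no CN in subject DN {dn!r}")
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()


def demonstrate_endpoint_discrimination() -> Tuple[str, str]:
    """A second global mapping for the X509SubjectName format is rejected, but the
    same mapping keyed to a separate (hypothetical) AA endpoint is accepted and
    selected for requests arriving at that endpoint."""
    reg = load_registry(SAMPLE_CONFIG)
    grid = NameMapping("grid", X509_SUBJECT_FORMAT, "example.GridShibMapping")  # hypothetical
    grid_aa = "https://idp.example.org/shibboleth-idp/GridAA"  # hypothetical endpoint
    try:
        reg.register(grid)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    reg.register(grid, endpoint=grid_aa)
    chosen = reg.lookup(X509_SUBJECT_FORMAT, endpoint=grid_aa)
    return outcome, chosen.id


if __name__ == "__main__":
    print(demonstrate_endpoint_discrimination())
    print(principal_from_x509_subject("CN=Tom Scavo,OU=NCSA,O=UIUC,C=US"))
```

The registry keys on (endpoint, format) so that the ordinary AA keeps its single X509SubjectName mapping while a GridShib-specific endpoint can carry a different one, which is the discrimination Scott speculates Walter may add. The DN parser handles backslash-escaped commas but not multi-valued RDNs; a real plugin would use a proper DN parser.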