shibboleth-dev - Re: CryptoHandleGenerator
- From: Tom Scavo <>
- To: Scott Cantor <>
- Cc: Shibboleth Development <>
- Subject: Re: CryptoHandleGenerator
- Date: Wed, 16 Mar 2005 18:22:17 -0500
On Wed, 16 Mar 2005 11:04:43 -0500, Scott Cantor <> wrote:
> > Suppose an existing IdP already has a mapping for the X509SubjectName
> > format. Now GridShib comes along and wants to map that format to its
> > plugin. From what I hear you saying, the two will not coexist.
>
> That's true. Why would this be a big problem? The issue of mapping DNs to
> principals has nothing to do with the external use of the DN, it's about how
> the DN relates to the local principal. It should be use-case independent.
It's not. Grid certs are issued independent of the user's preferred
IdP. A typical DN might be
/c=us/o=NCSA/cn=Tom Scavo
yet my preferred IdP might be uiuc.edu.
> > So how does LionShare solve this problem? I'm guessing, but LionShare
> > probably uses the CryptoHandleGenerator mapping type. Does this mean
> > that the AA can not also support ordinary shib handles?
>
> CryptoHandles *are* ordinary shib handles.
That's my point. How does the AA know whether or not a particular
handle needs to be decrypted? Looking at the NameMapper class, the
answer seems to depend on the NameMapping element in origin.xml:
  <!-- SharedMemoryShibHandle -->
  <NameMapping
      xmlns="urn:mace:shibboleth:namemapper:1.0"
      id="..."
      format="urn:mace:shibboleth:1.0:nameIdentifier"
      type="SharedMemoryShibHandle"
      handleTTL="1800"/>

  <!-- CryptoShibHandle -->
  <NameMapping
      xmlns="urn:mace:shibboleth:namemapper:1.0"
      id="..."
      format="urn:mace:shibboleth:1.0:nameIdentifier"
      type="CryptoHandleGenerator"
      handleTTL="1800"/>
If only one of these elements is allowed, it follows that only one
interpretation of a handle is supported by any given AA.
I apologize for belaboring this point, but I'm afraid I still don't
get it. I must be missing something very basic.
Thanks,
Tom
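Added illustration, not code from this thread or from Shibboleth: a toy model of the two mapper types named in the origin.xml snippet above, both issuing handles under the same format URI, urn:mace:shibboleth:1.0:nameIdentifier. A shared-memory style handle is a random token whose principal lives only in a server-side table with a TTL; a crypto style handle carries its principal and expiry inside the token, encrypted and integrity-protected, so it needs no table but does need the key. Feeding a handle to the mapper that did not issue it fails, which is what makes the format string alone uninformative about how a given handle must be interpreted. The cipher construction (an HMAC-derived keystream plus an HMAC tag, standing in for a real authenticated cipher), the key derivation labels, the principal value and the `try_resolve` helper are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Both mappers below issue handles under this one format URI (from the thread).
NAME_ID_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"


class SharedMemoryHandleMapper:
    """Random handle; the principal is kept server-side in a table with a TTL."""

    def __init__(self, handle_ttl: int) -> None:
        self.handle_ttl = handle_ttl
        self._table = {}  # handle -> (principal, expiry timestamp)

    def get_handle(self, principal: str, now: float) -> str:
        handle = secrets.token_urlsafe(16)  # 128 bits of randomness, 22 chars
        self._table[handle] = (principal, now + self.handle_ttl)
        return handle

    def get_principal(self, handle: str, now: float) -> str:
        entry = self._table.get(handle)
        if entry is None:
            raise ValueError("unknown handle")
        principal, expires = entry
        if now > expires:
            del self._table[handle]
            raise ValueError("expired handle")
        return principal


class CryptoHandleMapper:
    """Stateless handle: encrypted and MACed (expiry || principal); no table."""

    NONCE_LEN = 12
    TAG_LEN = 32

    def __init__(self, master_key: bytes, handle_ttl: int) -> None:
        self.handle_ttl = handle_ttl
        # Separate confidentiality and integrity keys derived from one secret
        # (labels "enc"/"mac" are this example's choice).
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Toy stand-in for a stream cipher: HMAC(enc_key, nonce || counter) blocks.
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def get_handle(self, principal: str, now: float) -> str:
        expires = int(now) + self.handle_ttl
        plaintext = expires.to_bytes(8, "big") + principal.encode("utf-8")
        nonce = os.urandom(self.NONCE_LEN)
        ks = self._keystream(nonce, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode("ascii")

    def get_principal(self, handle: str, now: float) -> str:
        raw = base64.urlsafe_b64decode(handle)  # junk input raises binascii.Error (a ValueError)
        if len(raw) < self.NONCE_LEN + 8 + self.TAG_LEN:
            raise ValueError("malformed handle")
        nonce = raw[: self.NONCE_LEN]
        ciphertext = raw[self.NONCE_LEN : -self.TAG_LEN]
        tag = raw[-self.TAG_LEN :]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before decrypting
            raise ValueError("handle failed integrity check")
        ks = self._keystream(nonce, len(ciphertext))
        plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
        expires = int.from_bytes(plaintext[:8], "big")
        if now > expires:
            raise ValueError("expired handle")
        return plaintext[8:].decode("utf-8")


def try_resolve(mapper, handle: str, now: float) -> Optional[str]:
    """Return the principal, or None if this mapper cannot interpret the handle."""
    try:
        return mapper.get_principal(handle, now)
    except ValueError:
        return None
```

Issue a handle from each mapper for the same principal and then call `try_resolve` with each mapper against each handle: only the issuing mapper resolves it, the shared-memory table rejects a crypto handle as unknown, and the crypto mapper rejects a random shared-memory token (and any tampered crypto handle) at the integrity check before anything is decrypted.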