Issue: NameIdentifier Formats and Implementations

In a GridShib profile, the choice of Shibboleth.NameIdentifierFormat and its implementation (called a Shibboleth.NameIdentifierMapping) is crucial. Since GridShib builds on Shibboleth 1.3 (which itself is based on SAML 1.1), we have the following formats and implementations to choose from:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • EmailAddressNameIdentifierMapping
  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • urn:mace:shibboleth:1.0:nameIdentifier
    • Shibboleth.SharedMemoryShibHandle
    • Shibboleth.CryptoShibHandle

The Shibboleth.SharedMemoryShibHandle is a memory-bound, transient handle (what most people mean when they use the term handle) and so is not relevant to all GridShib profiles (such as the MyProxy-first Non-Browser Profile).

On the other hand, a Shibboleth.CryptoShibHandle, which requires no state at the IdP, is a likely candidate. However, CryptoShibHandle requires shared code and a shared secret.

A custom Format might be defined. For instance, a loosely coupled component (such as MyProxy) could encrypt the principal name using a public key of the IdP. Although use of public key cryptography does not require shared code or a shared secret, it does assume MyProxy has access to the public key. Also, since no such code exists, we would have to write it.

An existing implementation of a custom Format is Shibboleth.PrincipalNameIdentifier. Shibboleth uses this NameIdentifierMapping for testing purposes only; nobody considers it useful for any other purpose.

Any given NameIdentifier implementation can be categorized as follows:

  • transient vs. persistent
  • transparent vs. opaque
  • reusable vs. throw-away

If a transient Format is used, the timeout associated with the NameIdentifier SHOULD be equal to the lifetime of the certificate. This is of course a problem since no entity but the IdP knows the timeout associated with a transient NameIdentifier.

If a transparent Format is used, no anonymity is provided. Also, a Grid SP may be able to phish the IdP if the NameIdentifier is transparent. If a persistent Format is used, a Grid SP will be able to phish. If an opaque Format is used, shared state between MyProxy and the IdP may be required.

For example, CryptoShibHandle (transient, opaque, reusable) requires shared code and a shared secret. Since CryptoShibHandle is transient, MyProxy SHOULD ensure that the lifetimes of the handle and the certificate are equal. As another example, emailAddress (persistent, transparent, reusable) provides no anonymity and does not prevent phishing.
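The following is an added illustration of the transient, opaque, reusable class that CryptoShibHandle belongs to; it is not Shibboleth's CryptoShibHandle code, and its wire format (nonce, encrypted expiry plus principal name, HMAC tag), the stream-cipher construction (HMAC-SHA256 as a PRF in counter mode) and the "enc"/"mac" key-derivation labels are assumptions made for the example. It shows the three properties discussed above: the IdP keeps no state because the expiry travels inside the handle, both sides need the same code and the same secret to mint or open one, and MyProxy can clamp the certificate lifetime to the handle's remaining lifetime only because it can read that expiry.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32
MIN_LEN = NONCE_LEN + 8 + TAG_LEN  # nonce + 64-bit expiry + tag, empty principal


def _subkey(secret: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one shared secret
    (labels are an assumption of this example)."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; an illustrative stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mint_handle(principal: str, secret: bytes, lifetime_s: int, now: Optional[int] = None) -> str:
    """IdP side: wrap the principal name and an expiry into an opaque handle.
    No state is kept at the IdP; everything needed to interpret the handle
    is inside it, protected by the shared secret (encrypt-then-MAC)."""
    now = int(time.time()) if now is None else now
    plaintext = struct.pack(">Q", now + lifetime_s) + principal.encode("utf-8")
    nonce = os.urandom(NONCE_LEN)  # fresh per handle, so equal inputs give different handles
    ciphertext = _xor(plaintext, _keystream(_subkey(secret, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(secret, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode("ascii")


def open_handle(handle: str, secret: bytes, now: Optional[int] = None) -> Tuple[str, int]:
    """MyProxy side: verify, decrypt and expiry-check a handle.
    Returns (principal, expiry). Raises ValueError for a forged, altered or
    expired handle; the MAC is checked before anything is decrypted."""
    now = int(time.time()) if now is None else now
    raw = base64.urlsafe_b64decode(handle)
    if len(raw) < MIN_LEN:
        raise ValueError("handle too short")
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(secret, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("handle failed integrity check")
    plaintext = _xor(ciphertext, _keystream(_subkey(secret, b"enc"), nonce, len(ciphertext)))
    expiry = struct.unpack(">Q", plaintext[:8])[0]
    if now >= expiry:
        raise ValueError("handle expired")
    return plaintext[8:].decode("utf-8"), expiry


def certificate_lifetime(requested_s: int, handle_expiry: int, now: int) -> int:
    """Clamp the requested certificate lifetime so the certificate never
    outlives the transient handle it is issued against."""
    return max(0, min(requested_s, handle_expiry - now))


if __name__ == "__main__":
    secret = b"constructed shared secret, not a real key"  # constructed sample value
    h = mint_handle("jdoe@example.org", secret, 3600, now=1_000_000)
    print("handle:", h)  # opaque to anyone without the secret
    who, exp = open_handle(h, secret, now=1_000_100)
    print(who, "valid until", exp)
    print("certificate lifetime:", certificate_lifetime(7200, exp, 1_000_100))
```

Note what the example does not solve: the emailAddress Format needs none of this machinery because the name is transparent, but then every Grid SP learns the principal and, as the text says, gains no protection against phishing. The opaque handle buys anonymity and a bounded lifetime at the cost of distributing the same secret to every component that must open handles.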
