Shibboleth Developers

["Scott Cantor" <>]

> Suppose an existing IdP already has a mapping for the X509SubjectName
> format.  Now GridShib comes along and wants to map that format to its
> plugin.  From what I hear you saying, the two will not coexist.

That's true. Why would this be a big problem? The issue of mapping DNs to
principals has nothing to do with the external use of the DN, it's about how
the DN relates to the local principal. It should be use-case independent.

> So how does LionShare solve this problem?  I'm guessing, but LionShare
> probably uses the CryptoHandleGenerator mapping type.  Does this mean
> that the AA can not also support ordinary shib handles?

CryptoHandles *are* ordinary shib handles. There is no reason why anybody
running the AA to support LionShare wouldn't simply use it. You pretty much
have to anyway, it's the easiest way to cluster the system, far better than
storing the mappings in a database.

-- Scott