Shibboleth Developers

[Walter Hoehn <>]

On Apr 20, 2005, at 4:48 PM, Tom Scavo wrote:

> I'm trying to implement a name mapping plugin, a somewhat more
> generalized version of X509SubjectNameNameIdentifierMapping.  The
> latter requires a qualifier attribute in the NameMapping config
> element, while other plugins utilize a method called verifyQualifier
> defined in BaseNameIdentifierMapping that examines the NameQualifier
> attribute of the NameIdentifier element.  I've always wondered about
> this disconnect, but I ignored it and forged ahead.

This is because I wrote the plugin for the E-Authentication 
compatibility project.  They want the name qualifier to be something 
besides what shib usually uses.  As you said, I don't imagine that this 
plugin is the most generally useful for most shibboleth deployments.

> Now I've tried to remove the dependency on the qualifier attribute
> with no success.  For some reason, at the time the NameIdentifier
> object is created, the IdP providerId (the usual value of
> NameQualifier) is not available to the plugin.  I don't know why this
> is.

Well, no.  There is not single providerId.  It totally depends on who 
you are talking to at request time.

-Walter