Shibboleth Developers

[Tom Scavo <>]

On 4/29/05, Walter Hoehn 
<>
 wrote:
> 
> On Apr 20, 2005, at 4:48 PM, Tom Scavo wrote:
> 
> > I'm trying to implement a name mapping plugin, a somewhat more
> > generalized version of X509SubjectNameNameIdentifierMapping.  The
> > latter requires a qualifier attribute in the NameMapping config
> > element, while other plugins utilize a method called verifyQualifier
> > defined in BaseNameIdentifierMapping that examines the NameQualifier
> > attribute of the NameIdentifier element.  I've always wondered about
> > this disconnect, but I ignored it and forged ahead.
> 
> This is because I wrote the plugin for the E-Authentication
> compatibility project.  They want the name qualifier to be something
> besides what shib usually uses.  As you said, I don't imagine that this
> plugin is the most generally useful for most shibboleth deployments.

So it's unlikely that any deployment is using this plugin...I figured
as much but I am trying to maintain compatibility with it nonetheless.
 I suppose a better approach would be the "cascading plugin" that
Scott and I talked about earlier.  I'm not quite there yet...

> > Now I've tried to remove the dependency on the qualifier attribute
> > with no success.  For some reason, at the time the NameIdentifier
> > object is created, the IdP providerId (the usual value of
> > NameQualifier) is not available to the plugin.  I don't know why this
> > is.
> 
> Well, no.  There is not single providerId.  It totally depends on who
> you are talking to at request time.

Sorry, I didn't do a good job of explaining the issue.  The expression

  idp.getProviderId()

returns null within method getNameIdentifier (previously called
getNameIdentifierName).  Here 'idp' is an instance of IdentityProvider
passed to getNameIdentifier.  Is this a feature or a bug? :-)

Thanks,
Tom