Shibboleth Developers

At 4:25 PM -0500 11/16/05, Tom Scavo wrote:
> On 11/16/05, 
>
>  
> <>
>  wrote:
> >  The primary difference between a
> >  "standard" Authn implementation using REMOTE_USER and a Shib
> >  implementation would be some thinking about how to handle REMOTE_USER
> >  values that looked like 
> > "user@domain".
>
> Ouch.  I just finished a name mapping plugin for emailAddress that
> essentially concatenates REMOTE_USER with "@" plus a configured domain
> string yielding precisely 
> "user@domain".
>   A fully qualified
> REMOTE_USER value breaks this plugin.  (Same would be true of a name
> mapping plugin that naively implemented the SAML 2.0 kerberos name
> identifier, btw.)  I guess I could (and should) check REMOTE_USER to
> see if it already satisfies the syntax requirements of emailAddress
> before attempting to construct one.  (Darn, I thought I was done with
> that plugin. :)

I think the shib distribution defaults to mapping EPPN to 
REMOTE_USER. For instance, that's how the Shib Wiki works....

> More importantly, thinking out loud, we (GridShib) need to be careful
> about hidden assumptions in certain profiles that separate the
> production of the NameIdentifier from its consumption.  The best
> approach of course is to let Shib handle both ends of the name
> mapping.  (How does LionShare avoid this problem?)

LionShare strictly constrains the types of names that can be used.....