
shibboleth-dev - Re: SAML name identifiers

  • From: "Tom Scavo" <>
  • To:
  • Subject: Re: SAML name identifiers
  • Date: Sun, 5 Mar 2006 21:52:04 -0500

On 3/5/06, Scott Cantor <> wrote:
> > So let me see if I understand what you're saying. You want to extend
> > BaseNameIdentifierMapping with an abstract class that consolidates
> > PrincipalNameIdentifier, X509SubjectNameNameIdentifierMapping,
> > EmailAddressNameIdentifierMapping. This abstract class would support
> > a generalized template/pattern mechanism similar to what
> > X509SubjectNameNameIdentifierMapping does now. Then any
> > implementation of a SAML name identifier (except perhaps transient and
> > persistent) would be a simple extension of this abstract class.
> >
> > Is this what you're suggesting?
>
> I think so, yes.

Okay, I think I see how to do this (thanks for the suggestion). Every
SAML 2.0 name identifier format (except transient and persistent) can
be handled similarly. For example, X509SubjectName and emailAddress
might be configured as follows:

<NameMapping
    xmlns="urn:mace:shibboleth:namemapper:1.0"
    id="x509"
    format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
    template="uid=%PRINCIPAL%,o=example.org"
    regex="uid=([^,/]+)"
    qualifier="https://idp.example.org/shibboleth"
    class="edu.internet2.middleware.shibboleth..X509SubjectNameNameIdentifierMapping"/>

<NameMapping
    xmlns="urn:mace:shibboleth:namemapper:1.0"
    id="email"
    format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    template="%PRINCIPAL%@example.org"
    regex="([^@]+)@"
    qualifier="https://idp.example.org/shibboleth"
    class="edu.internet2.middleware.shibboleth..emailAddressNameIdentifierMapping"/>

The qualifier attribute is optional. In order to make the template
and regex attributes optional, I need a domain (example.org), so we're
back to an old question: where can I get the authoritative,
deployment-wide domain (scope) attribute?

Thanks,
Tom
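As an added illustration, not part of Tom's message and not code from the Shibboleth project, the Python below models the generalized template/regex mechanism the thread describes: a principal is rendered into a SAML name identifier through the template, and recovered from one through the regex, with the optional qualifier checked against the NameQualifier presented. Mappings that omit template and regex are filled in from a deployment-wide scope, standing in for the domain the message asks about. The NameMapper root element, the exact semantics of the %PRINCIPAL% placeholder, the per-format default patterns, the scope value and the sample XML are all assumptions constructed for this example. It also adds the check a practitioner would want on the reverse direction: the extracted principal must regenerate exactly the identifier that was presented, since a bare regex search over something like uid=alice,o=evil.org would otherwise resolve to alice.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = "urn:mace:shibboleth:namemapper:1.0"
PLACEHOLDER = "%PRINCIPAL%"

# Constructed config: the two mappings from the post, plus a third (hypothetical)
# one that omits template/regex and so must fall back to a deployment-wide scope.
# The NameMapper wrapper element is an assumption made for this example.
CONFIG_XML = f"""
<NameMapper xmlns="{NS}">
  <NameMapping id="x509"
      format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
      template="uid={PLACEHOLDER},o=example.org"
      regex="uid=([^,/]+)"
      qualifier="https://idp.example.org/shibboleth"/>
  <NameMapping id="email"
      format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      template="{PLACEHOLDER}@example.org"
      regex="([^@]+)@"
      qualifier="https://idp.example.org/shibboleth"/>
  <NameMapping id="email-default"
      format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</NameMapper>
"""

# Assumed per-format defaults used when a mapping omits template/regex;
# "{scope}" is the deployment-wide domain the post asks where to obtain.
DEFAULT_PATTERNS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName":
        ("uid=%PRINCIPAL%,o={scope}", r"uid=([^,/]+)"),
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress":
        ("%PRINCIPAL%@{scope}", r"([^@]+)@"),
}


@dataclass(frozen=True)
class NameMapping:
    id: str
    format: str
    template: str
    regex: str
    qualifier: Optional[str] = None

    def to_name_identifier(self, principal: str) -> str:
        """Principal -> NameIdentifier value (issuing side)."""
        ident = self.template.replace(PLACEHOLDER, principal)
        # Refuse principals the regex could not recover exactly (e.g. "a,b" under
        # the x509 template); such identifiers would be ambiguous on the way back.
        m = re.search(self.regex, ident)
        if m is None or m.group(1) != principal:
            raise ValueError(f"principal {principal!r} cannot be encoded unambiguously")
        return ident

    def to_principal(self, name_id: str, name_qualifier: Optional[str] = None) -> str:
        """NameIdentifier -> principal (consuming side, e.g. an attribute query)."""
        if self.qualifier is not None and name_qualifier != self.qualifier:
            raise ValueError("NameQualifier mismatch")
        m = re.search(self.regex, name_id)
        if m is None:
            raise ValueError("name identifier does not match mapping regex")
        principal = m.group(1)
        # Round-trip check: the regex is only a search, so "uid=alice,o=evil.org"
        # would otherwise yield "alice". Accept only identifiers this mapping
        # would itself have issued.
        if self.template.replace(PLACEHOLDER, principal) != name_id:
            raise ValueError("name identifier was not issued under this mapping")
        return principal


def load_mappings(xml_text: str, scope: str) -> dict:
    """Parse NameMapping elements; fill a missing template/regex from the scope."""
    mappings = {}
    for el in ET.fromstring(xml_text.strip()).iter(f"{{{NS}}}NameMapping"):
        fmt = el.get("format")
        template, regex = el.get("template"), el.get("regex")
        if template is None or regex is None:
            if fmt not in DEFAULT_PATTERNS:
                raise ValueError(f"no default template/regex for format {fmt}")
            default_template, default_regex = DEFAULT_PATTERNS[fmt]
            template = template if template is not None else default_template.format(scope=scope)
            regex = regex if regex is not None else default_regex
        mappings[el.get("id")] = NameMapping(el.get("id"), fmt, template, regex, el.get("qualifier"))
    return mappings


if __name__ == "__main__":
    maps = load_mappings(CONFIG_XML, scope="example.org")
    for mid, m in maps.items():
        ident = m.to_name_identifier("alice")
        print(mid, ident, "->", m.to_principal(ident, m.qualifier))
```

Transient and persistent identifiers are deliberately outside this model, as in the post: they carry no recoverable principal and need a store or a keyed derivation rather than a template and a regex.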
