
shibboleth-dev - Re: PrincipalNameIdentifierMapping

Re: PrincipalNameIdentifierMapping

  • From: "Tom Scavo" <>
  • Subject: Re: PrincipalNameIdentifierMapping
  • Date: Tue, 23 May 2006 19:13:00 -0400

On 5/23/06, Scott Cantor <> wrote:
> What makes this possible is the SAMLNameIdentifier format handler
> concept in OpenSAML 1.1.

> Could you explain the connection?

Sure. Each format handler overrides checkValidity() (among other
things), which allows the following line to appear (repeatedly) in
PrincipalNameIdentifierMapping:

nameId.checkValidity();

Basically, all of the syntax checking is offloaded to the format handler.

> There doesn't seem to be any real dependency on having custom format
> handlers in OpenSAML and doing this generic identifier <-> XML mapping
> function in Shibboleth.

If you're saying there's another way to do it without using
SAMLNameIdentifier format handlers, I don't doubt it. The hooks were
there in OpenSAML 1.1 and I exploited them, that's all.

> So much so that since the main reason for having those custom handlers in
> OpenSAML 1 was validating the identifier syntax, I don't see much reason to
> have that support in 2. We have a validation layer that exists apart from
> the core classes that will handle that sort of thing more flexibly, I think.

I have no idea what you're doing in OpenSAML 2.0, so I can't comment
on this. It would be a shame to lose this capability, however. The
big benefit is to the deployer since now there's just one
configuration setting that applies across the board to a handful of
name identifier formats. In fact, if there were a scope (domain)
config setting in Shibboleth, the deployer wouldn't have to mess with
NameMapping at all in a test environment.

Tom
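An added sketch, not OpenSAML or Shibboleth code, of the arrangement Tom describes: each format handler owns its own checkValidity(), so the mapping makes that one call and stays format-agnostic, and a single scope (domain) setting can then cover every format. The Format URIs are the real SAML 1.1 ones; the class names, the scope rule and the sample identifiers are constructed for this example.

```python
import re

# Real SAML 1.1 Format URIs; the handler classes below are constructed for this sketch.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

class InvalidNameIdentifier(ValueError):
    """Raised by a format handler when the identifier's syntax is wrong."""

class NameIdentifier:
    """Default handler: any non-empty value passes; scope is taken from NameQualifier."""
    format_uri = UNSPECIFIED
    def __init__(self, name, qualifier=None):
        self.name, self.qualifier = name, qualifier
    def check_validity(self):
        if not self.name or self.name != self.name.strip():
            raise InvalidNameIdentifier("empty or padded identifier")
    def scope(self):
        return (self.qualifier or "").lower()

class EmailNameIdentifier(NameIdentifier):
    """emailAddress format: the value must be an addr-spec; scope is its domain part."""
    format_uri = EMAIL
    _ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
    def check_validity(self):
        super().check_validity()
        if not self._ADDR.match(self.name):
            raise InvalidNameIdentifier("not an addr-spec: %r" % self.name)
    def scope(self):
        return self.name.rsplit("@", 1)[1].lower()

# Registry keyed by Format URI, standing in for OpenSAML's format-handler lookup.
HANDLERS = {h.format_uri: h for h in (NameIdentifier, EmailNameIdentifier)}

def parse_name_identifier(format_uri, name, qualifier=None):
    """Select the handler by Format; unknown formats are rejected up front."""
    if format_uri not in HANDLERS:
        raise InvalidNameIdentifier("unsupported Format %s" % format_uri)
    return HANDLERS[format_uri](name, qualifier)

class PrincipalNameIdentifierMapping:
    """Format-agnostic mapping: one scope setting for every format, syntax left to the handler."""
    def __init__(self, accepted_scope):
        self.accepted_scope = accepted_scope.lower()
    def get_principal(self, name_id):
        name_id.check_validity()  # the single call the thread refers to
        if name_id.scope() != self.accepted_scope:
            raise InvalidNameIdentifier("scope %r not accepted" % name_id.scope())
        return name_id.name
```

Adding a third format means adding one handler class to the registry; the mapping code does not change.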
