shibboleth-dev - RE: PrincipalNameIdentifierMapping

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: PrincipalNameIdentifierMapping
  • Date: Tue, 23 May 2006 19:22:41 -0400
  • Organization: The Ohio State University

> Sure. Each format handler overrides checkValidity() (among other
> things), which allows the following line to appear (repeatedly) in
> PrincipalNameIdentifierMapping:
>
> nameId.checkValidity();
>
> Basically, all of the syntax checking is offloaded to the
> format handler.

Ok, that I get.

> If you're saying there's another way to do it without using
> SAMLNameIdentifier format handlers, I don't doubt it. The hooks were
> there in OpenSAML 1.1 and I exploited them, that's all.

I was confused about what the connection was, and validity checking is about
the only one I could think of, so now I get it.

> I have no idea what you're doing in OpenSAML 2.0, so I can't comment
> on this. It would be a shame to lose this capability, however.

I don't know what "this" is.

Validity checking is vastly better now, and doesn't require implementing
anything like this, it just requires building validation plugins that
enforce any rule you want. They're outside the core implementation, so they
can be layered however you want.

> The big benefit is to the deployer since now there's just one
> configuration setting that applies across the board to a handful of
> name identifier formats.

That part is my point...it has nothing to do with validity checks and
doesn't require anything from OpenSAML. That was what confused me.

-- Scott



