
shibboleth-dev - Re: PrincipalNameIdentifierMapping

Subject: Shibboleth Developers

  • From: "Tom Scavo" <>
  • To:
  • Subject: Re: PrincipalNameIdentifierMapping
  • Date: Tue, 23 May 2006 19:42:36 -0400

On 5/23/06, Scott Cantor <> wrote:

> It would be a shame to lose this capability, however.

I don't know what "this" is.

The ability to collapse the majority of SAMLNameIdentifier formats
into a single class/config option. The only ones not covered are
transient and persistent, which are different beasts altogether.

Validity checking is vastly better now, and doesn't require implementing
anything like this, it just requires building validation plugins that
enforce any rule you want. They're outside the core implementation, so they
can be layered however you want.

I'm not sure if you're talking SAML or OpenSAML, but if you are
claiming that PrincipalNameIdentifierMapping is more easily
implemented in 2.0, then I believe you. :-)

> The big benefit is to the deployer since now there's just one
> configuration setting that applies across the board to a handful of
> name identifier formats.

That part is my point...it has nothing to do with validity checks and
doesn't require anything from OpenSAML. That was what confused me.

So are you suggesting that PrincipalNameIdentifierMapping could be
implemented in Shib 1.3 without using the hooks from OpenSAML 1.1? I
don't doubt you, but I don't see how to do it, I'm afraid.

Tom


