Shibboleth Developers

["Tom Scavo" <>]

On 5/23/06, Scott Cantor 
<>
 wrote:
> > It would be a shame to lose this capability, however.
>
> I don't know what "this" is.

The ability to collapse the majority of SAMLNameIdentifier formats
into a single class/config option.  The only ones not covered are
transient and persistent, which are different beasts altogether.

> Validity checking is vastly better now, and doesn't require implementing
> anything like this, it just requires building validation plugins that
> enforce any rule you want. They're outside the core implementation, so they
> can be layered however you want.

I'm not sure if you're talking SAML or OpenSAML, but if you are
claiming that PrincipalNameIdentifierMapping is more easily
implemented in 2.0, then I believe you. :-)

> > The big benefit is to the deployer since now there's just one
> > configuration setting that applies across the board to a handful of
> > name identifier formats.
>
> That part is my point...it has nothing to do with validity checks and
> doesn't require anything from OpenSAML. That was what confused me.

So are you suggesting that PrincipalNameIdentifierMapping could be
implemented in Shib 1.3 without using the hooks from OpenSAML 1.1?  I
don't doubt you, but I don't see how to do it, I'm afraid.

Tom