Class EmailAddressNameIdentifierMapping
Like Shibboleth.PrincipalNameIdentifier, this class is a simple implementation of the interface Shibboleth.NameIdentifierMapping:

    package edu.internet2.middleware.shibboleth.common.provider;

    public class EmailAddressNameIdentifierMapping extends GridShibBaseNameIdentifierMapping
Class EmailAddressNameIdentifierMapping is an implementation of urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, which is a transparent, persistent identifier defined by SAML 1.1. Note that the spec does not require such an identifier to be a resolvable email address.

An emailAddress identifier is of the form

    addr-spec := local-part@domain

where addr-spec is defined in RFC 2822. For our purposes, local-part is the local principal name while domain is specified in the NameMapping element below.
To configure the use of this identifier, an IdP would insert a suitably configured NameMapping element into its config file (idp.xml):

    <!-- EmailAddressNameIdentifierMapping configuration -->
    <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
                 id="..."
                 format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                 domain="example.org"
                 class="edu.internet2.middleware.shibboleth.common.provider.EmailAddressNameIdentifierMapping"/>
The domain attribute is optional. If the domain attribute is omitted, all principal names MUST be fully qualified. On the other hand, if the domain attribute is present, a principal name MAY be fully qualified, but the domain of a fully qualified principal name MUST NOT be equal to the value of the domain attribute.
TODO: Register a class that enforces the emailAddress format specified by SAML 1.1, which MUST comply with RFC 2822.
TODO: Extend the above implementation to support opaque identifiers. Instead of setting the local-part to the local principal name, we could set it to an opaque, persistent value similar to eduPersonTargetedID. In this case, the NameMapping configuration would be

    <!-- EmailAddressNameIdentifierMapping configuration (opaque identifiers) -->
    <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
                 id="..."
                 format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                 domain="example.org"
                 opaque="true"
                 class="edu.internet2.middleware.shibboleth.common.provider.EmailAddressNameIdentifierMapping"/>
The default value of the opaque attribute is "false", that is, emailAddress identifiers are transparent by default.
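As an added example (not code from the GridShib project, written in Python rather than Java so it can be run stand-alone), the following applies the domain-attribute rules above to a principal name and sketches one way the opaque TODO could derive a persistent local-part with an HMAC. The addr-spec grammar, the case-insensitive domain comparison, the HMAC construction and the relying_party input are assumptions.

```python
import hashlib
import hmac
import re

# Simplified RFC 2822 addr-spec: dot-atom local-part "@" dot-atom domain.
# Assumption: an illustrative grammar, not the project's validator (the
# page lists the RFC 2822 check as a TODO).
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATEXT}(?:\.{_ATEXT})*"
_ADDR_SPEC = re.compile(rf"{_DOT_ATOM}@{_DOT_ATOM}")


class NameMappingError(ValueError):
    """Raised when a principal cannot be mapped under the configured rules."""


def map_principal(principal, domain=None, opaque=False, key=None, relying_party=""):
    """Map a local principal name to an emailAddress identifier.

    domain: value of the NameMapping 'domain' attribute (None if omitted).
    opaque: replace the local-part by an HMAC-derived value, a hypothetical
            realization of the page's opaque TODO; key is an IdP secret.
    """
    if "@" in principal:
        local, _, pdomain = principal.rpartition("@")
        # With a domain attribute, a qualified principal's domain MUST NOT
        # equal it (compared case-insensitively; an assumption).
        if domain is not None and pdomain.lower() == domain.lower():
            raise NameMappingError(f"domain of {principal!r} equals the configured domain")
        target_domain = pdomain
    else:
        # Without a domain attribute, principals MUST be fully qualified.
        if domain is None:
            raise NameMappingError(f"{principal!r} is not fully qualified and no domain is set")
        local, target_domain = principal, domain

    if opaque:
        if key is None:
            raise NameMappingError("opaque mapping requires a secret key")
        # Persistent, non-reversible local-part, bound to the relying party
        # so that different SPs see different identifiers.
        msg = f"{principal}\0{relying_party}".encode()
        local = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

    identifier = f"{local}@{target_domain}"
    if not _ADDR_SPEC.fullmatch(identifier):
        raise NameMappingError(f"{identifier!r} is not a valid RFC 2822 addr-spec")
    return identifier
```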