Class EmailAddressNameIdentifierMapping

Like Shibboleth.PrincipalNameIdentifier, this class is a simple implementation of interface Shibboleth.NameIdentifierMapping:

package edu.internet2.middleware.shibboleth.common.provider;
public class EmailAddressNameIdentifierMapping extends GridShibBaseNameIdentifierMapping;

Class EmailAddressNameIdentifierMapping is an implementation of urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, which is a transparent, persistent identifier defined by SAML 1.1. Note that the spec does not require such an identifier to be a resolvable email address.

An emailAddress identifier is of the form

  addr-spec := local-part@domain

where addr-spec is defined in RFC 2822. For our purposes, local-part is the local principal name while domain is specified in the NameMapping element below.

To configure the use of this identifier, an IdP would insert a suitably configured NameMapping element into its config file (idp.xml):

<!-- EmailAddressNameIdentifierMapping configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  domain="example.org"
  class="edu.internet2.middleware.shibboleth.common.provider.EmailAddressNameIdentifierMapping"/>

The domain attribute is optional. If the domain attribute is omitted, all principal names MUST be fully qualified. On the other hand, if the domain attribute is present, a principal name MAY be fully qualified but the domain of a fully qualified principal name MUST NOT be equal to the value of the domain attribute.

TODO Register a class that enforces the emailAddress format specified by SAML 1.1, which MUST comply with RFC 2822.

TODO Extend the above implementation to support opaque identifiers. Instead of setting the local-part to the local principal name, we could set it to an opaque, persistent value similar to eduPersonTargetedID. In this case, the NameMapping configuration would be

<!-- EmailAddressNameIdentifierMapping configuration (opaque identifiers) -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="..."
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  domain="example.org"
  opaque="true"
  class="edu.internet2.middleware.shibboleth.common.provider.EmailAddressNameIdentifierMapping"/>

The default value of the opaque attribute is "false", that is, emailAddress identifiers are transparent by default.
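The following is an added example, not code from the Shibboleth or GridShib projects, that works through the mapping rules above in both directions: the transparent mapping with its optional domain attribute and the fully-qualified-principal constraints, and the opaque variant that the TODO sketches. The class name EmailAddressMapping, the HMAC-based construction of the opaque local-part (keyed on the principal name and the relying party, in the spirit of eduPersonTargetedID), the in-memory issuance table used to reverse opaque identifiers, and the dot-atom-only addr-spec check are all assumptions of this example; a real deployment would persist issued opaque identifiers and would need a fuller RFC 2822 parser.

```python
import hashlib
import hmac
import re

# Simplified RFC 2822 addr-spec check: dot-atom local-part and domain only.
# Quoted local-parts, comments and domain literals are deliberately not handled.
# (Assumed helper for this example, not project code.)
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATEXT}(?:\.{_ATEXT})*"
_ADDR_SPEC = re.compile(rf"^{_DOT_ATOM}@{_DOT_ATOM}$")


def is_addr_spec(value: str) -> bool:
    """True if value has the shape local-part@domain (dot-atom forms only)."""
    return _ADDR_SPEC.match(value) is not None


class EmailAddressMapping:
    """Maps local principal names to emailAddress name identifiers and back.

    domain: the NameMapping 'domain' attribute (None when omitted).
    opaque: the NameMapping 'opaque' attribute (assumed extension).
    secret: HMAC key used only in opaque mode (constructed for this example).
    """

    def __init__(self, domain=None, opaque=False, secret=None):
        if opaque and (domain is None or secret is None):
            raise ValueError("opaque mode needs both a domain and a secret key")
        self.domain = domain
        self.opaque = opaque
        self.secret = secret
        self._issued = {}  # opaque identifier -> principal (in-memory stand-in)

    def to_name_identifier(self, principal: str, relying_party: str = "") -> str:
        """Produce the identifier sent to the relying party for this principal."""
        if self.opaque:
            # Opaque local-part: keyed hash of principal and relying party, so the
            # same user gets a stable value per SP that reveals no principal name.
            msg = f"{principal}\0{relying_party}".encode()
            digest = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
            identifier = f"{digest[:32]}@{self.domain}"  # 32 hex chars < 64-octet local-part limit
            self._issued[identifier] = principal
            return identifier

        if "@" in principal:
            # Fully qualified principal: allowed, but its domain MUST NOT equal
            # the configured domain attribute.
            if not is_addr_spec(principal):
                raise ValueError(f"malformed fully qualified principal: {principal!r}")
            pdomain = principal.rsplit("@", 1)[1]
            if self.domain is not None and pdomain == self.domain:
                raise ValueError(
                    f"principal domain {pdomain!r} must not equal configured domain"
                )
            return principal

        # Unqualified principal: only permitted when a domain attribute is configured.
        if self.domain is None:
            raise ValueError("principal must be fully qualified when no domain is configured")
        identifier = f"{principal}@{self.domain}"
        if not is_addr_spec(identifier):
            raise ValueError(f"resulting identifier is not an addr-spec: {identifier!r}")
        return identifier

    def to_principal(self, identifier: str) -> str:
        """Recover the local principal name from an emailAddress identifier."""
        if not is_addr_spec(identifier):
            raise ValueError(f"not an emailAddress identifier: {identifier!r}")
        if self.opaque:
            try:
                return self._issued[identifier]
            except KeyError:
                raise ValueError("unknown opaque identifier") from None
        local, idomain = identifier.rsplit("@", 1)
        # Identifiers in the configured domain map back to the bare local name;
        # anything else was a fully qualified principal and is returned unchanged.
        if self.domain is not None and idomain == self.domain:
            return local
        return identifier


if __name__ == "__main__":
    m = EmailAddressMapping(domain="example.org")
    print(m.to_name_identifier("jdoe"))            # jdoe@example.org
    print(m.to_principal("jdoe@example.org"))      # jdoe
    o = EmailAddressMapping(domain="example.org", opaque=True, secret=b"constructed-example-key")
    ident = o.to_name_identifier("jdoe", "https://sp.example.com/shibboleth")
    print(ident, "->", o.to_principal(ident))
```

The transparent path reproduces the rules in the text exactly: with no domain attribute every principal must already be an addr-spec, and with a domain attribute a fully qualified principal is accepted only if its domain differs from the configured one, which is what keeps the reverse mapping unambiguous.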
