Class X509SubjectNameNameIdentifierMapping

This class is an implementation of interface Shibboleth.NameIdentifierMapping:

    package edu.internet2.middleware.shibboleth.common.provider;

    public class X509SubjectNameNameIdentifierMapping extends GridShibBaseNameIdentifierMapping
Class X509SubjectNameNameIdentifierMapping is an implementation of urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, which is a standard Shibboleth.NameIdentifierFormat defined by SAML 1.1. The implementation produces DNs algorithmically, so the resulting identifiers are persistent insofar as the variable quantities (such as %PRINCIPAL%) used to compute the DNs are persistent.
To configure the use of this implementation, an IdP would insert a suitably configured NameMapping element into its config file (idp.xml):

    <!-- X509SubjectNameNameIdentifierMapping configuration -->
    <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
                 id="x509"
                 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
                 regex="uid=([^,/]+)"
                 qualifier="https://idp.example.org/shibboleth"
                 internalNameContext="uid=%PRINCIPAL%"
                 class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>
The default implementation of X509SubjectNameNameIdentifierMapping is somewhat lacking, however. In the interim, we have provided GridShibX509SubjectNameNameIdentifierMapping:

    <!-- GridShibX509SubjectNameNameIdentifierMapping configuration -->
    <NameMapping xmlns="urn:mace:shibboleth:namemapper:1.0"
                 id="x509"
                 format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
                 class="edu.internet2.middleware.shibboleth.common.provider.GridShibX509SubjectNameNameIdentifierMapping"/>
The omitted attributes default to reasonable values; otherwise GridShibX509SubjectNameNameIdentifierMapping is wholly backwards compatible with its predecessor.
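As an added illustration (not GridShib's or Shibboleth's own code), the two directions of the mapping configured above, written in Python: the template computes the DN from the principal with RFC 2253 escaping, and the regex plus the qualifier check recover the principal, refusing any identifier this mapping could not have emitted. The class and function names are my own; the template, regex and qualifier values are the ones from the configuration above.

```python
import re

# Added illustration of the mapping semantics described on this page, not
# GridShib or Shibboleth code. Template, regex and qualifier values are the
# ones from the page's NameMapping configuration; escaping follows RFC 2253.
_RFC2253_SPECIAL = ',+"\\<>;'   # RFC 2253 section 2.4: must be escaped in a value

def rfc2253_escape(value):
    """Escape an attribute value for embedding in an RFC 2253 string DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in _RFC2253_SPECIAL or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, len(value) - 1):   # leading/trailing space
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)

class X509SubjectNameMapping:
    """Two-way mapping between a local principal and an X509SubjectName NameIdentifier."""

    FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'

    def __init__(self, template, regex, qualifier):
        self.template = template           # e.g. 'uid=%PRINCIPAL%'
        self.regex = re.compile(regex)     # e.g. 'uid=([^,/]+)'
        self.qualifier = qualifier         # NameQualifier asserted by the IdP

    def get_name_identifier(self, principal):
        """IdP side: compute the DN algorithmically from the principal."""
        dn = self.template.replace('%PRINCIPAL%', rfc2253_escape(principal))
        return {'format': self.FORMAT, 'qualifier': self.qualifier, 'name': dn}

    def get_principal(self, name_id):
        """Reverse side: recover the principal, refusing anything this mapping
        could not have emitted (wrong format/qualifier, extra RDNs, escaped chars)."""
        if name_id['format'] != self.FORMAT or name_id['qualifier'] != self.qualifier:
            raise ValueError('NameIdentifier was not issued under this mapping')
        m = self.regex.fullmatch(name_id['name'])   # whole-DN match, stricter than search
        if m is None:
            raise ValueError('subject name does not match the mapping regex')
        principal = m.group(1)
        if self.get_name_identifier(principal)['name'] != name_id['name']:
            raise ValueError('subject name is not a canonical output of this mapping')
        return principal
```

Because the page's regex excludes the RDN separators `,` and `/`, a principal whose escaped form contains a comma is refused on the way back rather than silently truncated, which is the behaviour a relying party should want from a reversible mapping.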
TODO: Deprecate attribute internalNameContext. Change the attribute name to template.
TODO: Register a class that enforces the X509SubjectName format specified by SAML 1.1, which mirrors the syntax of the XML Digital Signature element X509SubjectName. XML-DSig says that X509SubjectName SHOULD comply with RFC 2253, so the class MUST enforce the XML-DSig encoding rules while the implementation enforces RFC 2253. (Search the XML-DSig public archives for the string "X509SubjectName" to understand the issues involved.)