Class X509SubjectNameNameIdentifierMapping

This class is an implementation of interface Shibboleth.NameIdentifierMapping:

package edu.internet2.middleware.shibboleth.common.provider;
public class X509SubjectNameNameIdentifierMapping extends GridShibBaseNameIdentifierMapping;

Class X509SubjectNameNameIdentifierMapping is an implementation of urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, a standard Shibboleth.NameIdentifierFormat defined by SAML 1.1. The implementation produces DNs algorithmically, by substituting into a template, so the resulting identifiers are persistent exactly insofar as the variable quantities used to compute the DNs (such as %PRINCIPAL%) are persistent.

To configure this implementation, an IdP inserts a suitably configured NameMapping element into its configuration file (idp.xml):

<!-- X509SubjectNameNameIdentifierMapping configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="x509"
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  regex="uid=([^,/]+)"
  qualifier="https://idp.example.org/shibboleth"
  internalNameContext="uid=%PRINCIPAL%"
  class="edu.internet2.middleware.shibboleth.common.provider.X509SubjectNameNameIdentifierMapping"/>

The default implementation of X509SubjectNameNameIdentifierMapping is somewhat lacking, however. In the interim, we have provided GridShibX509SubjectNameNameIdentifierMapping, configured as follows:

<!-- GridShibX509SubjectNameNameIdentifierMapping configuration -->
<NameMapping
  xmlns="urn:mace:shibboleth:namemapper:1.0"
  id="x509"
  format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  class="edu.internet2.middleware.shibboleth.common.provider.GridShibX509SubjectNameNameIdentifierMapping"/>

The omitted attributes default to reasonable values; otherwise GridShibX509SubjectNameNameIdentifierMapping is wholly backwards compatible with its predecessor.

TODO Deprecate attribute internalNameContext. Change the attribute name to template.

TODO Register a class that enforces the X509SubjectName format specified by SAML 1.1, which mirrors the syntax of the XML Digital Signature element X509SubjectName. XML-DSig says that X509SubjectName SHOULD comply with RFC 2253 and then adds its own encoding constraints (ASCII control characters are escaped as "\" followed by two hex digits, and trailing white space as "\20"), so the class MUST enforce the XML-DSig encoding rules while the implementation enforces RFC 2253 (escaping of ",", "+", """, "\", "<", ">" and ";", of a leading "#" or space, and of a trailing space). (Search the XML-DSig public archives for the string "X509SubjectName" to understand the issues involved.)
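As an added example (not Shibboleth or GridShib code), the following stand-alone Python models the NameMapping configured above in both directions together with the escaping rules the preceding TODO refers to. It takes internalNameContext as the template that produces a DN from the principal and reads the regex attribute as the reverse mapping that recovers the principal from a DN; that reading, the function names, STRICT_REGEX and the constructed sample principals are this example's own assumptions. The escaping follows RFC 2253 section 2.4 and, when requested, the additional constraints of XML-DSig section 4.4.4.

```python
"""Stand-alone model of the X509SubjectName mapping configured above.

Added example; this is not Shibboleth or GridShib code.  Assumptions:
internalNameContext is the template producing a DN from the principal,
and regex is the reverse mapping recovering the principal from a DN.
Escaping follows RFC 2253 section 2.4 and XML-DSig section 4.4.4.  The
function names, STRICT_REGEX and the sample principals are constructed.
"""
import re

TEMPLATE = "uid=%PRINCIPAL%"                    # internalNameContext
REGEX = re.compile(r"uid=([^,/]+)")             # regex, as configured above
# This example's suggestion (not from the page): a regex that keeps a
# backslash-escaped character as part of the captured value.
STRICT_REGEX = re.compile(r"uid=((?:[^,/\\]|\\.)+)")

# RFC 2253 2.4: always escape these; '#' only when leading; a space only
# when it is the first or the last character of the value.
_SPECIAL = set(',+"\\<>;')
_HEX = "0123456789abcdefABCDEF"


def escape_dn_value(value: str, xmldsig: bool = False) -> str:
    """Escape one attribute value per RFC 2253.  With xmldsig=True also
    apply XML-DSig 4.4.4: control characters become \\XX (hex) and a
    trailing space becomes \\20 rather than backslash-space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if xmldsig and ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        elif ch in _SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i == last and xmldsig:
            out.append("\\20")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(value: str) -> str:
    """Reverse escape_dn_value: handles both "\\c" and "\\XX" (hex pair)."""
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            pair = value[i + 1:i + 3]
            if nxt in _SPECIAL or nxt in " #":
                out.append(nxt)
                i += 2
                continue
            if len(pair) == 2 and all(c in _HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
        out.append(ch)           # lone or unrecognised backslash: keep as-is
        i += 1
    return "".join(out)


def principal_to_dn(principal: str, template: str = TEMPLATE,
                    xmldsig: bool = False) -> str:
    """Forward mapping: substitute the escaped principal into the template.
    Escaping is what keeps a principal such as "doe,ou=admins" from
    contributing an extra RDN to the resulting DN."""
    return template.replace("%PRINCIPAL%", escape_dn_value(principal, xmldsig))


def dn_to_principal(dn: str, regex=REGEX):
    """Reverse mapping: the regex's first capture group, still in escaped
    form, or None when the DN does not match."""
    m = regex.search(dn)
    return m.group(1) if m else None


def round_trips(principal: str, regex=REGEX) -> bool:
    """True when principal -> DN -> principal is lossless under `regex`."""
    captured = dn_to_principal(principal_to_dn(principal), regex)
    return captured is not None and unescape_dn_value(captured) == principal


if __name__ == "__main__":
    for p in ["jdoe", "doe,john", " lead", "trail ", "a/b"]:   # constructed
        print(repr(p), "->", principal_to_dn(p, xmldsig=True),
              "| round trip:", round_trips(p), round_trips(p, STRICT_REGEX))
```

Running it shows that a principal containing a character RFC 2253 requires to be escaped (a comma, say) does not survive the round trip through the regex as configured above, because [^,/]+ stops at the comma whether or not it is escaped, whereas STRICT_REGEX, which treats a backslash and the character after it as part of the value, recovers it. A slash survives neither, since both expressions exclude it from the value.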
