Current File(s): conf/c14n/subject-c14n.xml, conf/c14n/subject-c14n.properties (V4.1+)
Format: Native Spring, Properties (V4.1+)
Overview
Mapping SAML identifiers into a user identity is one of the use cases for Subject Canonicalization. This mechanism is applied when a SAML 1 <NameIdentifier> or SAML 2 <NameID> element is passed into the IdP and needs to be mapped back into a username. The most common example is when an AttributeQuery message is received, and the IdP needs to recover the user's identity to pass into the attribute resolver. There are a few additional scenarios where this might happen, but they're substantially less common.
...
In the most unusual cases, V4.1+ adds support for injecting a custom object of your own creation that implements the NameIDDecoder (SAML 2.0) or NameIdentifierDecoder (SAML 1.1) interface to fully customize the decoding process. The bean names shibboleth.SAML2Transform.NameIDDecoder and shibboleth.SAML1Transform.NameIdentifierDecoder are reserved for this purpose.
Reference
Properties defined in conf/c14n/subject-c14n.properties are as follows:

| Name | Type | Default | Description |
|---|---|---|---|
| idp.c14n.saml.lowercase | Boolean | false | Whether the incoming value should be lower-cased by the "c14n/SAML2Transform" and "c14n/SAML1Transform" flows |
| idp.c14n.saml.uppercase | Boolean | false | Whether the incoming value should be upper-cased by the "c14n/SAML2Transform" and "c14n/SAML1Transform" flows |
Beans defined in conf/c14n/subject-c14n.xml are as follows:

| Bean ID | Type | Description |
|---|---|---|
| shibboleth.SAMLSubjectCanonicalizationFlows | List<NameIDCanonicalizationFlowDescriptor> | List of flow descriptors enumerating the canonicalization flows to run on incoming Name Identifiers |
| shibboleth.NameTransformFormats | List<String> | List of Format values to run the "c14n/SAML2Transform" and "c14n/SAML1Transform" flows against |
| shibboleth.NameTransformPredicate | Predicate<ProfileRequestContext> | Activation condition for the "c14n/SAML2Transform" and "c14n/SAML1Transform" flows |
| shibboleth.NameTransforms | List<String,String> | List of regular expression and replacement string pairs to apply to the input to the "c14n/SAML2Transform" and "c14n/SAML1Transform" flows |
| shibboleth.SAML2Transform.NameIDDecoder 4.1 | NameIDDecoder | Custom decoder to use to implement the "c14n/SAML2Transform" flow's behavior |
| shibboleth.SAML1Transform.NameIdentifierDecoder 4.1 | NameIdentifierDecoder | Custom decoder to use to implement the "c14n/SAML1Transform" flow's behavior |
| shibboleth.AbstractSAML1C14NFlowBean, shibboleth.AbstractSAML2C14NFlowBean | NameIDCanonicalizationFlowDescriptor | Parent beans for defining additional flow descriptors |
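The following fragment is an added example, not taken from the original page or the shipped configuration. It shows the transform beans listed above restricted to a single Format and a single, fully anchored scope, so that only identifiers from the expected domain are mapped to a bare username. The scope example.org, the choice of the emailAddress Format, the shibboleth.Pair parent bean with p:first/p:second, and the util: and p: namespace prefixes are assumptions about the deployment and the stock file.

```xml
<!--
  Added example for conf/c14n/subject-c14n.xml. These beans go inside the file's
  existing <beans> root, which is assumed to declare the util: and p: namespaces.
  example.org is a placeholder scope.

  The "c14n/SAML2Transform" and "c14n/SAML1Transform" flows must also be present in
  shibboleth.SAMLSubjectCanonicalizationFlows, otherwise none of this is consulted.
-->

<!--
  Only identifiers carrying one of these Format values are handed to the transform
  flows. List only the Formats you actually expect to receive and map to usernames.
-->
<util:list id="shibboleth.NameTransformFormats">
    <value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
</util:list>

<!--
  Regular expression / replacement pairs applied to the incoming value.
  The pattern is anchored with ^ and $, escapes the dot, and allows exactly one "@",
  so "jdoe@example.org" becomes "jdoe" while values from any other scope
  (for example "jdoe@example.org.other.test") are left untouched rather than
  collapsing onto a local username.
-->
<util:list id="shibboleth.NameTransforms">
    <bean parent="shibboleth.Pair"
          p:first="^([^@]+)@example\.org$"
          p:second="$1" />
</util:list>

<!--
  Companion setting in conf/c14n/subject-c14n.properties (V4.1+), so that the
  resulting username is produced in a single case:

      idp.c14n.saml.lowercase = true

  Set either lowercase or uppercase, not both.
-->
```

A loosely written pattern (unanchored, or matching any scope) would map identifiers from unrelated domains onto local usernames, so review each pair against the values your relying parties can actually send.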