...
Table of Contents |
---|
Overview
V3 includes a concept called Subject Canonicalization, a process by which the IdP turns a non-simple representation of a subject identity (usually that of a user) into a simple usernameMapping SAML identifiers into a user identity is one of the use cases for Subject Canonicalization. This mechanism is applied when a SAML 1 <NameIdentifier>
or SAML 2 <NameID>
element is passed into the IdP and needs to be mapped back into a username. The most common example is when an AttributeQuery message is received, and the IdP needs to recover the user's identity to pass into the attribute resolver. Subject Canonicalization is implemented using Spring Web Flow. Each method of canonicalizing "something" There are a few additional scenarios where this might happen, but they're substantially less common.
Each method of mapping SAML-carried identifiers into a username is implemented as a subflow and described using a descriptor bean that tells the IdP how to run that flow. The supplied flows handle all of the standard use cases for turning SAML Name Identifiers back into usernames, and little or no configuration is generally needed.
...
In the majority of cases, you shouldn't need to add to this list of flows, but if you were to build some kind of custom flow that perhaps relied on a database web service or something of that nature, this is where it would be registered.
...
In the event that this is required, the requires required components for this are already in place and just need to be turned on and configured by adjusting one or more of the other beans toward the end of the file.
...
Bean ID | Type | Function | |
---|---|---|---|
shibboleth.SAMLSubjectCanonicalizationFlows | List<NameIDCanonicalizationFlowDescriptor> | List of flow descriptors enumerating the canonicalization flows to run on incoming Name Identifiers | |
shibboleth.NameTransformFormats | List<String> | List of Format values to run the "c14n/SAML2Transform" and "c14n/SAML1Transform" flows against | |
shibboleth.NameTransformPredicate | Predicate<ProfileRequestContext> | Activation condition for the "c14n/SAML2Transform" and "c14n/SAML1Transform" flows | |
shibboleth.NameTransforms | List<String,String> | List of regular expression and replacement string pairs to apply to the input to the "c14n/SAML2Transform" and "c14n/SAML1Transform" flows | |
shibboleth.AbstractSAML1C14NFlowBean shibboleth.AbstractSAML2C14NFlowBean | NameIDCanonicalizationFlowDescriptor | Template beans for defining additional flow descriptors |
V2 Compatibility
In V2, the process of mapping SAML name identifiers back into usernames was managed using attribute-resolver.xml and <PrincipalConnector>
plugins.
...