The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

ResolverPrincipalNameDefinition

Owned by Former user (Deleted)
Last updated: Apr 07, 2011 by jv11Version comment

Principal Name Attribute Definition

The principal name attribute definition exposes the principal name of the user as a single-valued attribute.

Be aware, an authenticated user can have more than one principal name. For example, when authenticating against an LDAP directory with a username and password the user could have a principal name corresponding to their username and one corresponding to the LDAP DN for that user. This attribute definition prefers the username. If the authentication mechanism does not use (or set) a username then this definition simply selects the "first" of an unordered set of principal names. If you need more control over this process you will need to write a custom attribute definition that looks at the javax.security.auth.Subject present in the request context and selects the appropriate principal name for your use case.

Define the Definition

The definition is defined with the element <resolver:AttributeDefinition xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad"> with the following required attribute:

  • id - assigns a unique, within the resolver, identifier that may be used to reference this definition
Principal Name Attribute Definition
<resolver:AttributeDefinition xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="UNIQUE_ID" />

While this attribute definition can have dependencies, like all other attribute definitions, they are never used. The principal name comes exclusively from internal IdP state.