InvalidSubjectCanonicalizationContext error.

O'Dowd, Josh Josh.O'Dowd at
Thu Aug 13 16:34:20 EDT 2015

Understood.  Makes sense...

In the past, we have assumed that if we get an expired password response from the directory, that the user is authentic, but I should not have assumed that authn-flow would do the same.  We do intend to proceed to SP response after the expired-password form intercept is completed.

I will follow your instructions for creating/populating an AuthenticationResult for the PRC->AuthenticationContext, and a SubjectCanonicalizationContext.  Is the latter just an added subcontext of the ProfileRequestContext, maybe using the #addSubcontext(BaseContext) method (I am looking at the Javadoc for org.opensaml.profile.context.ProfileRequestContext)?

Thanks again for your time and assistance.

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Thursday, August 13, 2015 2:02 PM
To: Shib Users
Subject: Re: InvalidSubjectCanonicalizationContext error.

On 8/13/15, 3:49 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

>I'll look at the action that's failing to see why, but basically something's probably off about the context tree when you transfer control off.

I would imagine that your flow is running when the ValidatePasswordAgainstLDAP action *doesn't* succeed. But your flow isn't triggering an error, so when control passes back, it's picking up where it would ordinarily go in the case that it did the work that the validate action does.

If you're meaning to *be* the login step in place of that built-in action, you would have to produce an AuthenticationResult and populate a SubjectCanonicalizationContext into the tree the same way AbstractValidationAction subclasses all do.

You don't have to use that class, but you have to do the work.

The basic requirement for login to succeed is to populate an AuthenticationResult (containing a Java Subject) into the PRC->AuthenticationContext and create and populate

(None of this is documented obviously, but that's what's involved in creating a custom login flow.)

Each login flow "primes" the tree and when the master authn flow picks up, it dispatches to the c14n subflow and that's where you're blowing up.

-- Scott
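As an added illustration of the "prime the tree" work Scott describes (this is not code from the thread, from Josh, or from the Shibboleth project), the following action does by hand what the AbstractValidationAction subclasses do on success: it builds a Java Subject, wraps it in an AuthenticationResult stored on the PRC's AuthenticationContext, and adds a SubjectCanonicalizationContext carrying the same Subject directly under the ProfileRequestContext. It assumes the Shibboleth IdP v3.x API (net.shibboleth.idp.authn.*, org.opensaml.profile.context.ProfileRequestContext). The class name, the package, and the authenticatedUsername hook (standing in for whatever the custom flow used to decide the user is authentic, e.g. an expired-password response) are hypothetical placeholders.

```java
// Added example (not from the thread). Assumes Shibboleth IdP v3.x APIs:
// net.shibboleth.idp.authn.* and org.opensaml.profile.context.ProfileRequestContext.
// Package, class name and the authenticatedUsername hook are hypothetical placeholders.
package example.authn;

import javax.annotation.Nonnull;
import javax.security.auth.Subject;

import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;

/**
 * Hypothetical login action for a custom flow that performs its own credential
 * check and then needs to hand off to the master authn flow. It primes the
 * context tree the same way the built-in AbstractValidationAction subclasses do,
 * so the c14n subflow finds a SubjectCanonicalizationContext to work on.
 */
public class PrimeLoginContextsAction extends AbstractProfileAction {

    /** Hypothetical hook: the flow's own credential check stores the username it accepted here. */
    private String authenticatedUsername;

    public void setAuthenticatedUsername(final String username) {
        authenticatedUsername = username;
    }

    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        // The master authn flow creates the AuthenticationContext before dispatching to a
        // login flow, so do not autocreate it: if it is missing, the action is wired in
        // the wrong place and should fail loudly rather than proceed.
        final AuthenticationContext authnCtx =
                profileRequestContext.getSubcontext(AuthenticationContext.class, false);
        if (authnCtx == null || authnCtx.getAttemptedFlow() == null) {
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
            return;
        }

        // Signal failure explicitly. Returning silently with nothing populated is exactly
        // what lets control fall through into c14n with no Subject to canonicalize.
        if (authenticatedUsername == null || authenticatedUsername.isEmpty()) {
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_CREDENTIALS);
            return;
        }

        // 1. A Java Subject carrying the authenticated principal.
        final Subject subject = new Subject();
        subject.getPrincipals().add(new UsernamePrincipal(authenticatedUsername));

        // 2. An AuthenticationResult tagged with the id of the flow that is running,
        //    stored on the PRC -> AuthenticationContext.
        final AuthenticationResult result =
                new AuthenticationResult(authnCtx.getAttemptedFlow().getId(), subject);
        authnCtx.setAuthenticationResult(result);

        // 3. A SubjectCanonicalizationContext as a direct child of the PRC (addSubcontext
        //    with replace=true), holding the same Subject the c14n subflow will resolve.
        final SubjectCanonicalizationContext c14nCtx = new SubjectCanonicalizationContext();
        c14nCtx.setSubject(result.getSubject());
        profileRequestContext.addSubcontext(c14nCtx, true);

        // No event built means "proceed", so the master flow dispatches to c14n next.
    }
}
```

The two early returns are the practical point: a custom login flow that simply ends without either building an error event or populating these contexts is what produces the InvalidSubjectCanonicalizationContext outcome, because the master flow assumes the login step did the work and moves straight to canonicalization.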
