InvalidSubjectCanonicalizationContext error.

O'Dowd, Josh Josh.O'Dowd at
Thu Aug 13 16:59:20 EDT 2015

I did make the change you requested, to the authn-abstract-flow.xml.

I am now getting a opensaml::FatalProfileException message on the SP after IDP response.  It states that there was an IDP reported error, but I am not seeing any error entries in idp-process.log


-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Thursday, August 13, 2015 1:49 PM
To: Shib Users
Subject: Re: InvalidSubjectCanonicalizationContext error.

On 8/13/15, 3:38 PM, "users on behalf of O'Dowd, Josh" <users-bounces at on behalf of Josh.O'Dowd at> wrote:

>The first instance of InvalidSubjectCanonicalizationContext in the idp-process.log is:
>2015-08-13 13:26:08,640 - DEBUG [org.springframework.webflow.execution.ActionExecutor:53] - Finished executing net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext at 4b69ddcb; result = InvalidSubjectCanonicalizationContext
>I am really not sure what is goofed up here.  Any help is much appreciated.  Thanks.

Well, the root cause aside, I think you tripped a bug also. Some of the more obscure error conditions (the "this shouldn't really ever happen" types) are probably not getting fully enumerated where they need to be.

If you could try adding that error event to system/flows/authn/authn-abstract-flow.xml as an <end-state> for me, and see if that gets it to actually "handle" the error it's raising, that would confirm my read of it.

I'll look at the action that's failing to see why, but basically something's probably off about the context tree when you transfer control off.

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list