IDPv3 X509Auth - accessing certificate

Emilio Penna emilio.penna at
Thu Dec 17 16:45:34 EST 2015

RFE filed:

One comment/feedback about X509 authn in v3: my perception is that it
was really simple to enable it in v3. I only added the flow in
idp.authn.flows, adjusted the LDAP search filter and configured Apache to
require a client certificate, and it worked. It could not be simpler! :)
Later, my enthusiasm began to fade when I tried to access the
certificate in an attribute script... but it will be easier... :)


On 16/12/2015 17:07, Cantor, Scott wrote:
> On 12/16/15, 3:02 PM, "users on behalf of Emilio Penna"<users-bounces at on behalf of emilio.penna at>  wrote:
>> Scott, Tom, thank you for your answers,
>> I can now access the certificate in a scripted attribute with
>> cert =
>> profileContext.getSubcontext("net.shibboleth.idp.authn.context.SubjectContext").getSubjects().get(0).getPublicCredentials().toArray()[0];
>> and (for example) get the serial number with:
>> serial=cert.getSerialNumber();
> If you care to, file an RFE so we get something cleaner added to the scripting contexts. I think if we'd realized so many people wanted to dig into the subject we would have exposed something simpler. No reason we can't expose the subject alongside the principal name.
> -- Scott
