Subject canonicalization flow selection strategy

Misagh Moayyed mmoayyed at
Wed May 6 08:30:36 EDT 2015

I wasn't sure if this should be posted to shib-dev, but here it goes:


I am working on implementing a use case with idp v3.1.1 where I need to
obtain a user attribute post authentication and compare it with a
predefined value/pattern. If a match is allowed, the flow can proceed.
Otherwise, the flow would be cancelled and an error message sent back to the


I think the c14n flow that kicks in after authentication, and particularly
the one that is attribute-based, would be useful here. I think I can do the
following: Configure the existing AttributeSourcedSubjectCanonicalization
to locate the flow based on that attribute value and create the
corresponding flow def/beans. If the attribute source didn't produce the
value I wanted, the exception is handled and its translation put into the
response. The flow that I write for the attribute would be identical to
the simple flow, or I could just directly call that flow. 


Would that be doable? It does feel strange because no canonicalization is
in fact taking place. The alternative would be to write extensions. 


Also what I am not clear on is the canonicalization flow selection
strategy. I can see that each strategy tries to figure out if it's applicable,
but I am not sure in what order these strategies are defined. If I enable
attribute-based canonicalization, is there some sort of ranking I need to
define to make sure it kicks in before the simple flow? 


