Subject canonicalization flow selection strategy
cantor.2 at osu.edu
Wed May 6 10:42:39 EDT 2015
On 5/6/15, 12:30 PM, "Misagh Moayyed" <mmoayyed at unicon.net> wrote:
>I wasn’t sure if this should be posted to shib-dev, but here it goes:
If it involves writing code, yes, if not, probably not. Discussion of
advanced use cases here is fine.
>I am working on implementing a use case with idp v3.1.1 where I need to
>obtain a user attribute post authentication and compare it with a
>predefined value/pattern. If a match is allowed, the flow can proceed.
>Otherwise, flow would be cancelled and an error message sent back to the
That's not c14n, that's intercept. We already have a flow for this called
the context-check intercept flow, and one of the basic use cases for that
is evaluating an attribute.
There are intercepts that run post-login (really post-attribute-lookup)
>I think the c14n flow that kick in after authentication, and particularly
>the one that is attribute based would be useful here.
It could, but it's needlessly complex to use that.
>Would that be doable? It does feel strange because no canonicalization is
>in fact taking place. The alternative would be to write extensions.
No need, it's built in. I included some sample XML for how one might do it
in the context-check-intercept-config file that configures that particular
Note that you'd never have found this, we haven't documented the
intercepts much at all yet.
The context-check flow can in theory be configured to do any arbitrary
evaluation of the context tree to decide the result, I just provided some
classes and sample XML that do the attribute use case for you. It's
predicate-based, so I just wrote a particular example predicate. You could
use a script in fact if you wanted.
>Also what I am not clear on is the canonicalization flow selection
>strategy. I can see that each strategy tried to figure if it’s applicable
>but I am not sure in what order these strategies are defined. If I enable
>attribute-based canonicalization, is there some sort of ranking I need to
>define to make sure it kicks in before the simple flow?
It's ordered, and tries them in whatever order the descriptors are defined.
More information about the users