Subject canonicalization flow selection strategy

Cantor, Scott cantor.2 at
Wed May 6 10:42:39 EDT 2015

On 5/6/15, 12:30 PM, "Misagh Moayyed" <mmoayyed at> wrote:

>I wasn’t sure if this should be posted to shib-dev, but here it goes:

If it involves writing code, yes, if not, probably not. Discussion of 
advanced use cases here is fine.

>I am working on implementing a use case with idp v3.1.1 where I need to 
>obtain a user attribute post authentication and compare it with a 
>predefined value/pattern. If a match is allowed, the flow can proceed. 
>Otherwise, flow would be cancelled and an error message sent back to the 

That's not c14n, that's intercept. We already have a flow for this called 
the context-check intercept flow, and one of the basic use cases for that 
is evaluating an attribute.

There are intercepts that run post-login (really post-attribute-lookup) 
and that's where consent, terms of use, and other kinds of interrupting 
logic run.

>I think the c14n flows that kick in after authentication, and particularly 
>the one that is attribute based would be useful here.

It could, but it's needlessly complex to use that.

>Would that be doable? It does feel strange because no canonicalization is 
>in fact taking place. The alternative would be to write extensions.

No need, it's built in. I included some sample XML for how one might do it 
in the context-check-intercept-config file that configures that particular 
intercept flow.

Note that you'd never have found this, we haven't documented the 
intercepts much at all yet.

The context-check flow can in theory be configured to do any arbitrary 
evaluation of the context tree to decide the result, I just provided some 
classes and sample XML that do the attribute use case for you. It's 
predicate-based, so I just wrote a particular example predicate. You could 
use a script in fact if you wanted.

>Also what I am not clear on is the canonicalization flow selection 
>strategy. I can see that each strategy tries to figure out if it’s applicable 
>but I am not sure in what order these strategies are defined. If I enable 
>attribute-based canonicalization, is there some sort of ranking I need to 
>define to make sure it kicks in before the simple flow?

It's ordered, and tries them in whatever order the descriptors are defined.

-- Scott
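
A configuration sketch of the attribute check discussed in this message, added here as an illustration and not taken from the original post or copied from the IdP distribution. The bean id, predicate class, and relying-party property are the names used by IdP v3 as far as this editor knows and should be compared against the installed files; the attribute id and value are constructed placeholders.

```xml
<!-- conf/intercept/context-check-intercept-config.xml -->
<!-- The flow proceeds only if the resolved attribute carries one of the
     listed values; any other outcome stops the flow with an error.
     Attribute id and value are constructed placeholders. -->
<bean id="shibboleth.context-check.Condition"
      class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
    <property name="attributeValueMap">
        <map>
            <entry key="eduPersonEntitlement">
                <list>
                    <value>https://sp.example.org/entitlement/allowed</value>
                </list>
            </entry>
        </map>
    </property>
</bean>

<!-- conf/relying-party.xml -->
<!-- Run the intercept after login and attribute resolution for this profile. -->
<bean parent="SAML2.SSO" p:postAuthenticationFlows="context-check" />
```

A user whose attribute is missing or unresolved does not satisfy the predicate, so the check denies by default; confirm the attribute is actually resolved for the relying parties where the intercept is enabled.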
