Subject canonicalization flow selection strategy

Cantor, Scott cantor.2 at
Wed May 6 14:35:20 EDT 2015

On 5/6/15, 6:07 PM, "Misagh Moayyed" <mmoayyed at> wrote:

>So let's see if I understand interceptors: A master list is available that 
>defines the flows, and each RP may inject itself into that flow by 
>the postAuthenticationFlows property. Given that the property is a list, I 
>suppose flow ids will be called in sequence (or alternatively, I might even 
>call into a subflow from an interceptor flow).

Yes, that's correct. There is actually one other interceptor injection 
point, immediately after the message is decoded. It can be overridden if 
need be, but it's defaulted to run the security rulesets we defined so 
normally it's invisible, but in principle it's the same mechanism. There 
may be others defined later, don't know yet.

>I can see quite a large number of predicates available which is great. Is 
>there one that can examine the RequestedAuthnContext? I can't see one in 

It's all pretty haphazard at the moment. There are predicates used all 
over the place so there may be one done for some other purpose that could 
be reused there, but I don't know offhand, probably not. The catch-all for 
now is the ScriptedPredicate, though actually writing them in Java is 
pretty trivial Java of course once you know what you're looking for in the 

The data extracted from any RequestedAuthnContext is in:

PRC -> AuthenticationContext -> RequestedPrincipalContext

Any other protocols we support that offer method request criteria will 
always be mapped to that context, so you don't want to (or need to) 
actually examine the SAML request directly.

-- Scott
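
Added example, not part of the original message and not Shibboleth project code: a Java predicate that walks the PRC -> AuthenticationContext -> RequestedPrincipalContext path described above and reports whether the relying party asked for one of a configured set of methods. It assumes the IdP 3.x API with Guava's Predicate interface; the class name RequestedMethodPredicate and the match-by-principal-name rule are hypothetical.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.Set;

import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableSet;

import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;

import org.opensaml.profile.context.ProfileRequestContext;

/** Hypothetical predicate: true if the request asked for one of the configured methods. */
public class RequestedMethodPredicate implements Predicate<ProfileRequestContext> {

    /** Principal names to match, e.g. SAML AuthnContextClassRef URIs. */
    private final Set<String> wanted;

    public RequestedMethodPredicate(final Collection<String> names) {
        wanted = ImmutableSet.copyOf(names);
    }

    @Override
    public boolean apply(final ProfileRequestContext prc) {
        if (prc == null) {
            return false;
        }
        // Explicit casts keep this compiling when ProfileRequestContext is used as a raw type.
        final AuthenticationContext authn =
                (AuthenticationContext) prc.getSubcontext(AuthenticationContext.class);
        if (authn == null) {
            return false;
        }
        // Populated from the protocol request, so the SAML message itself is never inspected.
        final RequestedPrincipalContext requested =
                (RequestedPrincipalContext) authn.getSubcontext(RequestedPrincipalContext.class);
        if (requested == null) {
            return false; // the request carried no method criteria
        }
        for (final Principal p : requested.getRequestedPrincipals()) {
            if (wanted.contains(p.getName())) {
                return true;
            }
        }
        return false;
    }
}
```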

