Passing info from authentication to resolver?

Ian Rifkin irifkin at
Wed Apr 27 10:54:24 EDT 2016


> canonicalize the subject into after authentication…It's analogous to the
> X.509 example that pulls data out of the certificate…You can always go
> poking into the Subject to pull data out of it in the resolver if you have
> to.

The good news: I have this working!

I'm not sure if I'm doing it the "best" way but basically I edited the c14n
configs to put an attribute from the authentication process into the
subject, then in the resolver wrote some Java code to pull it out.

The one potential issue is that I was intending this to be used for the one
SP that uses Password authen (everything else uses RemoteUser). Nothing is
broken but I see a lot of

> [net.shibboleth.idp.authn.impl.AttributeSourcedSubjectCanonicalization:146]
> - Profile Action AttributeSourcedSubjectCanonicalization: No attributes
> found, canonicalization not possible

in the logs.

I'm guessing this is because the attribute I'm putting in the subject won't
be found on many of our regular users? Is there any way to restrict the
subject config by either SP or authentication flow?

It's not an error so things seem to work, but it's very chatty and I don't
want real issues to get buried.

