Passing info from authentication to resolver?

Cantor, Scott cantor.2 at
Wed Apr 27 11:10:12 EDT 2016

On 4/27/16, 10:54 AM, "users on behalf of Ian Rifkin" <users-bounces at on behalf of irifkin at> wrote:

>I'm not sure if I'm doing it the "best" way but basically I edited the c14n configs to put an attribute from the authentication process into the subject then in the resolver wrote some java code to pull it out.

You can't get the c14n process to put anything into the Subject. Something else would have to be doing that. Or maybe you're just confused about what's happening. The attribute-based c14n mechanism doesn't put anything into the Subject, it just resolves the attribute(s) and uses them to swap in a different principal name for the resulting login.

>The one potential issue is that I was intending this to be used for the one SP that uses Password authen (everything else uses RemoteUser). Nothing is broken but I see a lot of
>WARN [net.shibboleth.idp.authn.impl.AttributeSourcedSubjectCanonicalization:146] - Profile Action AttributeSourcedSubjectCanonicalization: No attributes found, canonicalization not possible

That means that c14n method isn't able to run, but you have it configured. It isn't doing anything  for you, so you should just remove it. Or I'm just lost here, per the above. If you mean that you have some cases where the attribute(s) can't be resolved for some users, the only way around the warning would be to attach an activation condition to the c14n bean to guard it.

>I'm guessing this is because the attribute I'm putting in the subject won't be found on many of our regular users? Is there any way to restrict the subject config by either SP or authentication flow?


-- Scott

More information about the users mailing list