Attribute resolution for private credentials in subject

Cantor, Scott cantor.2 at osu.edu
Thu Mar 10 20:38:47 EST 2016


> As a related question, may I safely assume in the SubjectContext there is
> only one subject, in which there is only one private credential? (In my case,
> LDAP authn is used, with session enabled.)

None of this is formally documented at the moment, but the authentication contract for the SSO profiles right now is that the SubjectContext will contain all of the AuthenticationResults associated with the subject and a canonical principal name associated with the identity.

It does not assume there's only one Subject, let alone what might be all of them.

However, the only way you get multiple Subjects at the same time is if you have multiple types of AuthenticationResult. Only a single result is tracked per login flow ID. So if you only have one login flow enabled (e.g. authn/Password), then you can only have one type of AuthenticationResult, ergo one Subject at a time. If you know what the flow is doing to populate that Subject, then you know what can be in it.

So, it depends, but you can control what assumptions you can make.

It's also profile dependent. SAML Attribute Queries produce a Subject based on mapping the NameID in the query to a Subject that contains the reverse-mapped username and the NameID itself as a custom Principal, and that's a totally different Subject than the one you would have during SSO.

The abstraction is consistent, but not the content.

HTH,
-- Scott
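One way to act on the advice above ("you can control what assumptions you can make") is to check, rather than assume, that exactly one Subject carries the private credential you want. The following Java helper is an added illustration; it is not from the post or from the Shibboleth code base. It assumes IdP v3-era method names that the post does not spell out: SubjectContext.getAuthenticationResults() returning a Map keyed by login flow ID, SubjectContext.getPrincipalName(), and AuthenticationResult.getSubject(). Verify those against the IdP javadoc for your version; the class and method names PrivateCredentialLookup / getSinglePrivateCredential are hypothetical.

```java
import java.util.Map;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.SubjectContext;

/**
 * Added illustration, not code from the post or the Shibboleth project.
 *
 * Assumed API (IdP v3 era, not confirmed by the post):
 *   SubjectContext.getAuthenticationResults() -> Map<String, AuthenticationResult>
 *     keyed by login flow ID (one result tracked per flow ID)
 *   SubjectContext.getPrincipalName()         -> canonical principal name
 *   AuthenticationResult.getSubject()         -> the javax.security.auth.Subject
 */
public final class PrivateCredentialLookup {

    private PrivateCredentialLookup() {
    }

    /**
     * Returns the single private credential of the given type reachable from
     * the SubjectContext, or null if no Subject carries one.
     *
     * Throws IllegalStateException if more than one credential of that type is
     * present. Per the post, that can only happen when more than one login flow
     * has produced an AuthenticationResult, so the exception names both flows
     * to make the misconfiguration (or unexpected flow combination) visible.
     */
    public static <T> T getSinglePrivateCredential(final SubjectContext subjectContext,
                                                   final Class<T> type) {
        if (subjectContext == null) {
            return null;
        }

        T found = null;
        String foundFlow = null;

        // Iterating the per-flow-ID result map visits every Subject the
        // context knows about, so nothing is silently skipped.
        for (final Map.Entry<String, AuthenticationResult> entry
                : subjectContext.getAuthenticationResults().entrySet()) {
            final String flowId = entry.getKey();
            final Subject subject = entry.getValue().getSubject();
            if (subject == null) {
                continue;
            }
            for (final T credential : subject.getPrivateCredentials(type)) {
                if (found != null) {
                    throw new IllegalStateException("More than one "
                            + type.getSimpleName() + " private credential for principal '"
                            + subjectContext.getPrincipalName() + "': flows "
                            + foundFlow + " and " + flowId);
                }
                found = credential;
                foundFlow = flowId;
            }
        }
        return found;
    }
}
```

Call it from a custom data connector or scripted attribute definition with the SubjectContext pulled off the ProfileRequestContext; with a single login flow enabled (e.g. authn/Password) it returns the one credential, and with several flows it fails loudly instead of picking one at random. Remember the last point in the post: a SAML Attribute Query builds a different Subject than SSO does, so run this only in profiles where the flow you expect actually populated the Subject.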
