Shibboleth MFA questions

Cantor, Scott cantor.2 at
Mon May 22 09:40:00 EDT 2017

> Let me add some context here that should make it a bit more clear what
> Armin is trying to do. The U2F plugin should be fully compatible with Shib 3.3,
> and it should behave just like the built in DUO plugin by getting the username
> from net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy.

Ok, I didn't realize that obviously.

> I don't think X509Authn actually produces a "username" without creating a
> Subject Canonicalization flow that can pull a username out of the subject. I
> haven't really used X509Authn myself, but I'm guessing that by default the
> subject is based on the certificate's subject DN? That subject most likely does
> not match a username in for example LDAP/AD.

The built-in x509 c14n flow can be configured to pull the subject DN, pull part of the DN, or from an extension like SAN.

If you have to remap from there, that won't really work by itself, and the c14n process doesn't really "chain" because once it gets a successful result back, it's done. Barring a custom flow, what you would typically do is switch to c14n/attribute and write script(s) in the resolver to pull data from the certificate to do the LDAP lookup with. The certificate is inside the public credential set of the Java subject.

> An example how to configure a Subject C14N flow to populate a "username"
> based on the X509Authn subject is probably what Armin was asking for.

That's documented (in the specific case that it comes from the certificate).

-- Scott
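As an added illustration of the "script in the resolver" approach Scott describes (example only, not code from the thread or from the Shibboleth project): a ScriptedAttribute definition that pulls the X.509 certificate out of the Java Subject's public credentials and extracts the rfc822Name SAN entry. It assumes the resolver exposes the authenticated Subjects to scripts as the `subjects` array and that the attribute id `certEmail` is free to use.

```xml
<!-- attribute-resolver.xml fragment (constructed example) -->
<AttributeDefinition id="certEmail" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <Script><![CDATA[
        // Assumption: the resolver hands scripts the java.security.auth.Subject objects
        // from authentication as the "subjects" array; the certificate sits in their
        // public credential set, as noted in the reply above.
        var X509Certificate = Java.type("java.security.cert.X509Certificate");
        var RFC822_NAME = 1;   // GeneralName tag of an e-mail address in subjectAltName

        if (typeof subjects !== "undefined" && subjects.length > 0) {
            var certs = subjects[0].getPublicCredentials(X509Certificate.class).iterator();
            while (certs.hasNext()) {
                var sans = certs.next().getSubjectAlternativeNames();
                if (sans == null) {
                    continue;      // certificate without a SAN extension: nothing to extract
                }
                var it = sans.iterator();
                while (it.hasNext()) {
                    var entry = it.next();   // java.util.List of [Integer tag, value]
                    if (entry.get(0).intValue() == RFC822_NAME) {
                        // Normalise case so the value matches the directory entry
                        certEmail.addValue(String(entry.get(1)).toLowerCase());
                    }
                }
            }
        }
        // If no rfc822Name is found, certEmail stays empty and the lookup fails closed.
    ]]></Script>
</AttributeDefinition>
```

The resulting attribute can then feed the LDAP connector's filter for the directory lookup, or be listed as a c14n source attribute (the `shibboleth.c14n.attribute.AttributeSourceIds` list in the c14n/attribute configuration, assumed here) so that the flow turns it into the username.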
