Shibboleth MFA questions

s-awinte at s-awinte at
Mon May 22 18:53:10 EDT 2017

Well, I assumed that building a user principal name (or canonicalized
subject, if you will) would be done via reading client cert attributes
handed over from Apache via:

SSLOptions +ExportCertData -StdEnvVars

Probably via a c14n flow, as mentioned by Stefan, or maybe by
configuring the MFA-flow with the right bean, as in the DUO-flow - but
which, and how?

As for
and CanonicalUsernameLookupStrategy - I've found a reference on this page:

But no example on the Shib wiki page above, at least none which seems
to be accessible from there. Are the boxed captions supposed to contain
any additional information?
If so, they are not rendered in my FF browser.

I could only find this on the Shib wiki:
- quite frugal for a scripting guide.
- not entirely applicable to my use case, or not up-to-date anymore.

I wonder where I can find information on how your stuff works, apart
from looking up the source code or dev documentation.
Where can I find a complete overview, e.g. of what beans and scripting
params to use in which situations, and how?

I would really support the idea of stocking up and updating the code
examples on the Shibboleth wiki.
Good documentation and example resources are what makes people decide
for or against a technology.
A piece of working code is often better than a plethora of academic
text (which might be the reason why stackoverflow is so popular, by the

The example on above is the most practical piece of code I've
seen on this matter and on scripting so far.
It took me a while to dig it up.

I would not hesitate to dig into the source code if I had the time to,
and if I had the task of developing an extension for Shibboleth.
But currently that's not the case, and it's out of scope for me.
To simply use Shibboleth, I need some resources that quickly put me
on the right track.


On 22.05.2017 at 22:22, Cantor, Scott wrote:
> Certificates are not at all common, but adding anything else takes it from "very rare but basically straightforward" to "very advanced with requirements specific to you". There's no "normal" here. Normal is a password.
> If what you're asking about is how to do *both* X.509 and then U2F, that wasn't clear to me, but if that's the case, then I need to know basically what Stefan asked, how do you intend the system to obtain the identity of token holder from the certificate? Specifically.
> Scripting the system to run both those methods is reasonably straightforward with the MFA feature.
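The canonicalization step the post is asking about, as an added example that is not code from the original post or from the Shibboleth project: a stand-alone JavaScript sketch that takes the variables mod_ssl exports for a verified client certificate (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN are mod_ssl's names) and derives one canonical username from them. The policy object, the helper names (parseDn, normalizeDn, canonicalUsername) and the certificate data are constructed for illustration; how such a function would be wired into the IdP's c14n or MFA flow is exactly the open question in the thread and is not shown here.

```javascript
// Added example (not from the original post or the Shibboleth project):
// turn the client-certificate variables Apache's mod_ssl exports into a
// single canonical username. Variable names SSL_CLIENT_VERIFY,
// SSL_CLIENT_S_DN and SSL_CLIENT_I_DN are mod_ssl's; the policy object,
// helper names and sample certificate data below are constructed here.

// Parse a DN string into [{type, value}] in leaf-first order.
// Apache 2.4 emits RFC 2253 form ("CN=x,O=y,C=z", leaf first);
// older releases emit slash form ("/C=z/O=y/CN=x", root first).
function parseDn(dn) {
  var slashForm = dn.charAt(0) === '/';
  var sep = slashForm ? '/' : ',';
  var body = slashForm ? dn.slice(1) : dn;
  var parts = [], cur = '', escaped = false;
  for (var i = 0; i < body.length; i++) {
    var c = body.charAt(i);
    if (escaped) { cur += c; escaped = false; }
    else if (c === '\\') { escaped = true; }
    else if (c === sep) { parts.push(cur); cur = ''; }
    else { cur += c; }
  }
  parts.push(cur);
  var rdns = parts.map(function (p) {
    var eq = p.indexOf('=');
    if (eq < 1) { throw new Error('malformed RDN: ' + JSON.stringify(p)); }
    return { type: p.slice(0, eq).trim().toUpperCase(),
             value: p.slice(eq + 1).trim() };
  });
  return slashForm ? rdns.reverse() : rdns;
}

// Case-insensitive, form-independent comparison key for a parsed DN.
function normalizeDn(rdns) {
  return rdns.map(function (r) {
    return r.type + '=' + r.value.toLowerCase();
  }).join(',');
}

// Derive the username. Returns {ok:true, username} or {ok:false, reason}.
function canonicalUsername(env, policy) {
  // 1. Never trust the DN unless mod_ssl actually verified the chain.
  if (env.SSL_CLIENT_VERIFY !== 'SUCCESS') {
    return { ok: false, reason: 'client certificate not verified: ' + env.SSL_CLIENT_VERIFY };
  }
  if (!env.SSL_CLIENT_S_DN || !env.SSL_CLIENT_I_DN) {
    return { ok: false, reason: 'subject or issuer DN not exported' };
  }
  // 2. Pin the issuer: a certificate from any other CA in Apache's trust
  //    store must not map onto a local account.
  if (normalizeDn(parseDn(env.SSL_CLIENT_I_DN)) !== normalizeDn(parseDn(policy.issuerDn))) {
    return { ok: false, reason: 'unexpected issuer: ' + env.SSL_CLIENT_I_DN };
  }
  // 3. Require exactly one instance of the identifying attribute.
  var wanted = policy.attribute.toUpperCase();
  var values = parseDn(env.SSL_CLIENT_S_DN).filter(function (r) { return r.type === wanted; });
  if (values.length !== 1) {
    return { ok: false, reason: policy.attribute + ' occurs ' + values.length + ' times in subject' };
  }
  // 4. Canonicalize (lowercase) and restrict the domain part to those
  //    this IdP is authoritative for.
  var m = /^([a-z0-9._+-]+)@([a-z0-9.-]+)$/.exec(values[0].value.toLowerCase());
  if (!m) { return { ok: false, reason: 'identifier is not a mail-style address' }; }
  if (policy.allowedDomains.indexOf(m[2]) < 0) {
    return { ok: false, reason: 'domain not accepted: ' + m[2] };
  }
  return { ok: true, username: m[1] + '@' + m[2] };
}

// Constructed sample data standing in for a real request's environment.
var samplePolicy = {
  issuerDn: 'CN=Example Org Staff CA,O=Example Org,C=DE',
  attribute: 'emailAddress',
  allowedDomains: ['example.org']
};
var sampleEnv24 = {   // Apache 2.4 style
  SSL_CLIENT_VERIFY: 'SUCCESS',
  SSL_CLIENT_S_DN: 'emailAddress=Jane.Doe@example.org,CN=Jane Doe,OU=Staff,O=Example Org,C=DE',
  SSL_CLIENT_I_DN: 'CN=Example Org Staff CA,O=Example Org,C=DE'
};
var sampleEnvLegacy = {   // Apache 2.2 style, same certificate
  SSL_CLIENT_VERIFY: 'SUCCESS',
  SSL_CLIENT_S_DN: '/C=DE/O=Example Org/OU=Staff/CN=Jane Doe/emailAddress=Jane.Doe@example.org',
  SSL_CLIENT_I_DN: '/C=DE/O=Example Org/CN=Example Org Staff CA'
};

console.log(canonicalUsername(sampleEnv24, samplePolicy));
console.log(canonicalUsername(sampleEnvLegacy, samplePolicy));
```

One caveat on the Apache line quoted in the post: the SSL_CLIENT_S_DN and SSL_CLIENT_I_DN variables belong to mod_ssl's StdEnvVars set, so with `+ExportCertData -StdEnvVars` they are not exported; that combination hands over only the PEM in SSL_CLIENT_CERT (plus SSL_SERVER_CERT and the chain), and the subject would then have to be parsed out of the certificate itself rather than from a DN string as above.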
