missing username in oidc intercept

Cantor, Scott cantor.2 at osu.edu
Thu Nov 14 15:56:12 EST 2019

On 11/14/19, 3:40 PM, "users on behalf of Jim Fox" <users-bounces at shibboleth.net on behalf of fox at washington.edu> wrote:

> where the usernameLookupStrategy is the CanonicalUsernameLookupStrategy

You shouldn't use that function, the proper place to get the username once authentication is done is the SubjectContext (child of PRC).

If you want to parameterize the logic, the best default is a composition of net.shibboleth.idp.authn.context.navigate.SubjectContextPrincipalLookupFunction with ChildContextLookup<>(SubjectContext.class)

> It works fine with SAML logins, but always returns null when activated 
> during an OIDC login.

That may, and probably is, a sign of a bug, but the best fix is the above. Once the login is complete, the SubjectContext is gospel for that request by design.

The one you're using is more of a "mid-login" way to get the "best" guess as to the currently assumed value to use for cross-factor situations.

-- Scott

More information about the users mailing list