previous X509 auth result contains subject with no public credentials

[Bobby Lawrence]

Hello all - I have a strange issue here that I'm hoping someone can help with.  I'm running IdP 3.4.7 on Tomcat 8.0.53 and trying to get X509 authentication working so that our users can authenticate with their smart cards.
It seems that everything works fine on the first authentication attempt...the IdP trusts my cert, extracts the X500Principal which is added to the principals of the subject and adds the certificate itself to the public credentials of the subject.  The DN on the certificate doesn't contain my LDAP username, but it does have a SubjectAltName that does.  No problem for the IdP tho because the c14n/x500 flow extracts the subject alternative name from the certificate and constructs a c14n principal name which is used to fetch attributes from LDAP.  All very well documented and working as expected.  Yay.
However when I attempt to log into another SP and the IdP re-uses my previous X509 authentication result, the subject from the previous X509 authentication result has no public credentials...the set returned from the 'getPublicCredentials' method is empty.  The set of principals (returned from the 'getPrincipals' method) seems fine tho because it is populated with all the principals from the previous authentication.  The missing public credentials means that the c14/x500 canonicalization process cannot fetch the username from the subject alternative name and because of that, the IdP cannot lookup my attributes from LDAP.
Has anyone encountered this before?
Thanks in advance.
--
Bobby Lawrence
Jefferson Lab MIS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20201120/61da9d03/attachment.htm>