previous X509 auth result contains subject with no public credentials

Cantor, Scott cantor.2 at
Fri Nov 20 23:05:07 UTC 2020

My recollection is that under ordinary conditions, c14n doesn't apply to reuse of a result. When the master flow reuses a result for SSO, the finalize step pulls the principal name from the session rather than applying c14n to the result.

The exception would be MFA (if the MFA flow itself is forced to run and not just get reused itself), in which case, there's probably an edge case there that would have to be addressed through plugging in a more complex merging function, but that function still wouldn't have the certificate available after the first time. However, it could populate more information into the merged Subject on the initial go-round to preserve enough information and/or add in additional Principals that already get serialized.

-- Scott

More information about the users mailing list