previous X509 auth result contains subject with no public credentials

Cantor, Scott cantor.2 at osu.edu
Fri Nov 20 23:05:07 UTC 2020


My recollection is that under ordinary conditions, c14n doesn't apply to reuse of a result. When the master flow reuses a result for SSO, the finalize step pulls the principal name from the session rather than applying c14n to the result.

The exception would be MFA (if the MFA flow itself is forced to run and not just get reused itself), in which case, there's probably an edge case there that would have to be addressed through plugging in a more complex merging function, but that function still wouldn't have the certificate available after the first time. However, it could populate more information into the merged Subject on the initial go-round to preserve enough information and/or add in additional Principals that already get serialized.

-- Scott
