previous X509 auth result contains subject with no public credentials

Cantor, Scott cantor.2 at
Fri Nov 20 23:10:57 UTC 2020

(This is aside from the suggestion you made...yes, I think it's sensible to file a RFE to allow a sort of "end run" around c14n to populate the initial result with information from the certificate, simply because it would simplify other cases such as the MFA example. But that's not there now, no.)

On 11/20/20, 6:05 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

    My recollection is that under ordinary conditions, c14n doesn't apply to reuse of a result. When the master flow reuses a result for SSO, the finalize step pulls the principal name from the session rather than applying c14n to the result.

    The exception would be MFA (if the MFA flow itself is forced to run and not just get reused itself), in which case, there's probably an edge case there that would have to be addressed through plugging in a more complex merging function, but that function still wouldn't have the certificate available after the first time. However, it could populate more information into the merged Subject on the initial go-round to preserve enough information and/or add in additional Principals that already get serialized.

    -- Scott

    For Consortium Member technical support, see;!!KGKeukY!i4SH9GcAxfQwmxmieRYEB_f8CuGCnzyNQMnnWBMuIgm7dbsH0rLJjmVA8722hfw$ 
    To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list