previous X509 auth result contains subject with no public credentials

[Cantor, Scott]

(This is aside from the suggestion you made...yes, I think it's sensible to file a RFE to allow a sort of "end run" around c14n to populate the initial result with information from the certificate, simply because it would simplify other cases such as the MFA example. But that's not there now, no.)

On 11/20/20, 6:05 PM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:

    My recollection is that under ordinary conditions, c14n doesn't apply to reuse of a result. When the master flow reuses a result for SSO, the finalize step pulls the principal name from the session rather than applying c14n to the result.

    The exception would be MFA (if the MFA flow itself is forced to run and not just get reused itself), in which case, there's probably an edge case there that would have to be addressed through plugging in a more complex merging function, but that function still wouldn't have the certificate available after the first time. However, it could populate more information into the merged Subject on the initial go-round to preserve enough information and/or add in additional Principals that already get serialized.

    -- Scott


    -- 
    For Consortium Member technical support, see https://urldefense.com/v3/__https://wiki.shibboleth.net/confluence/x/coFAAg__;!!KGKeukY!i4SH9GcAxfQwmxmieRYEB_f8CuGCnzyNQMnnWBMuIgm7dbsH0rLJjmVA8722hfw$ 
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net