previous X509 auth result contains subject with no public credentials

Bobby Lawrence robertl at
Sat Nov 21 00:08:37 UTC 2020

So I guess I should have mentioned that I am actually using the MFA flow with X509 auth as a second factor.  I actually have it set up so that the password flow runs first, then a script determines if the user needs a second factor and if so, I transition to a custom flow where the user can select what second factor they want to use (OTP or certificate/smart card).  When they make their choice, the MFA flow runs that selection last.  It may be that my problem is that c14n/x500 runs first and sets the principal name instead of letting the c14n/simple flow fetch the UsernamePrincipal from the other authentication result?  I might try putting the c14n/simple first in the list...

It might be nice if the different contexts (c14n for example) could be re-used, but I'm pretty sure only the authentication results are persisted in the session, am I right?  Honestly, when I first started using the system some years ago I was under the impression that everything would be re-used and most things wouldn't need to be re-run (like attribute resolution) but after looking through the source code, it looks like that isn't the case.

Anyway - aside from my suggestions or somehow re-creating the entire X509 authn as a custom flow, are you saying that I'm kinda stuck?  

-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Friday, November 20, 2020 6:05 PM
To: Shib Users <users at>
Subject: [EXTERNAL] Re: previous X509 auth result contains subject with no public credentials

My recollection is that under ordinary conditions, c14n doesn't apply to reuse of a result. When the master flow reuses a result for SSO, the finalize step pulls the principal name from the session rather than applying c14n to the result.

The exception would be MFA (if the MFA flow itself is forced to run and not just get reused itself), in which case, there's probably an edge case there that would have to be addressed through plugging in a more complex merging function, but that function still wouldn't have the certificate available after the first time. However, it could populate more information into the merged Subject on the initial go-round to preserve enough information and/or add in additional Principals that already get serialized.

-- Scott
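For readers following the thread, here is an added example (not configuration posted by either Bobby or Scott) of the two pieces of Shibboleth IdP configuration the discussion turns on: the MFA transition map that runs a password flow first and hands off to a script to decide whether a second factor is needed, and the post-login c14n flow list with c14n/simple placed ahead of c14n/x500, which is the reordering Bobby proposes. The bean ids shibboleth.authn.MFA.TransitionMap, shibboleth.authn.MFA.Transition, shibboleth.ContextFunctions.Scripted and shibboleth.PostLoginSubjectCanonicalizationFlows, and the flow ids authn/Password, c14n/x500 and c14n/simple, are stock IdP names; the chooser flow id authn/SecondFactorChooser is a placeholder standing in for Bobby's custom selection flow and does not exist in a stock IdP. The script body uses the documented `input` (ProfileRequestContext) binding of the scripted function. Whether the reordering alone fixes the reuse case depends on what the merged Subject contains, as Scott's reply explains; the fragment only shows where the ordering is controlled.

```xml
<!-- conf/authn/mfa-authn-config.xml (fragment, added example, assumes the stock
     util: and p: namespace declarations at the top of that file) -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First rule: run the password flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- Second rule: after a password success, let a script decide whether a
         second factor is required and, if so, which flow to transition to. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
    <!-- No rule for the chooser flow: the implicit final rule returns whatever
         the last flow (OTP or X509, picked by the user) produced. -->
</util:map>

<!-- Scripted function returning the next flow id, or null to finish MFA. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        // Default: stop after the password factor.
        nextFlow = null;
        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
        // If the results collected so far do not satisfy the request, run the
        // chooser flow (placeholder id, not a stock IdP flow) that lets the
        // user pick OTP or certificate/smart card as the second factor.
        if (!mfaCtx.isAcceptable()) {
            nextFlow = "authn/SecondFactorChooser";
        }
        nextFlow;
        ]]>
        </value>
    </constructor-arg>
</bean>

<!-- conf/c14n/subject-c14n.xml (fragment, added example) -->
<!-- Post-login c14n flows are consulted in list order; the first one whose
     activation condition accepts the Subject is the one that runs. With
     c14n/simple first, a merged Subject that already carries a UsernamePrincipal
     is canonicalized from that principal before c14n/x500 looks for a
     certificate that the reused result no longer contains. -->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
    <ref bean="c14n/simple" />
    <ref bean="c14n/x500" />
</util:list>
```

Keep in mind that c14n/simple will only help if the UsernamePrincipal is actually present in the Subject that the MFA flow hands to c14n; on the first pass that comes from the password result, and on a reused pass it comes from whatever the merging function preserved.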
