previous X509 auth result contains subject with no public credentials

Bobby Lawrence robertl at
Mon Nov 23 16:15:44 UTC 2020

> Certificates are not really historically a "second factor". That doesn't really have anything to do with it, I just thought it was interesting.

I've got the shibboleth.authn.X509.TrustEngine set up so that it only trusts certificates for the various smart cards we use at my site (PIV-C and PIV-I). Usage of these certificates requires a hardware reader and a PIN, so it's kind of 2FA itself.

>> It may be that my problem is that c14n/x500 runs first and sets the 
>> principal name instead of letting the c14n/simple flow fetch the UsernamePrincipal from the other authentication result?  I might try putting the c14n/simple first in the list...

> They all run until one succeeds, that only impacts the order they're tried.
> As I said, this case applies because re-running the factors from within an MFA rule reuses the embedded results that have already been serialized and so are missing the information that's documented to be missing when that happens.

It's worth noting that by moving the c14n/simple subject canonicalization flow up before the c14n/x500 one, I kind of solve my problem. I guess that works because my MFA setup requires the password flow first, which adds a UsernamePrincipal to the subject that can be extracted with the c14n/simple flow, and since the simple flow proceeds, the username is used for the subject principal name. I say "kind of" because I still end up with this issue in one certain situation (explained next).

> No, I'm saying you need a custom merging function. The MFA documentation covers the signature of the function, you have to build your own final result. If you're already digging into the code you can probably find the default function it uses as an example.

I've seen the merging function and I will look into creating a custom one, as I've seen that if the password flow is skipped (I have x509 available as an 'extended' password flow option), then I'm in the same boat: the UsernamePrincipal doesn't exist, so the X500Principal is the only one that can be used for subject canonicalization, and after the first auth there is no certificate in the subject to fetch the alternative names from.

Thanks for your help Scott!
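To make concrete what the custom merging function discussed above could look like, here is an added sketch; it is not code from this thread and not the IdP's own default strategy. It is a Spring bean definition for the MFA result-merging strategy, implemented as an inline ScriptedFunction (the same `input` is the ProfileRequestContext convention the IdP's other scripted functions use). It does what the default strategy is documented to do (copy every active result's principals and credentials into one Subject, and wrap each sub-result in an AuthenticationResultPrincipal so it is carried along as an embedded result), plus one addition: while the X509 result still has the certificate among its public credentials, i.e. on a fresh authentication before serialization drops it, it derives a username from the certificate's SAN and adds it as a UsernamePrincipal to that sub-result's own Subject, so the name is serialized with the embedded result and c14n/simple can find it when the factor is later reused without a password step. Assumptions, all to be checked against your IdP version before use: the bean name shibboleth.authn.MFA.resultMergingStrategy and the class names are written from memory of the IdP 3.4/4.x MFA documentation; the X509 flow id is authn/X509; and the identity lives in an rfc822Name SAN (a PIV card's UPN is an otherName that would need DER decoding, which this sketch does not attempt).

```xml
<!-- Added example, not from the thread: custom MFA result merging strategy.
     Bean and class names are assumptions from the IdP MFA docs; verify against
     your own conf/authn/mfa-authn-config.xml and IdP version. -->
<bean id="shibboleth.authn.MFA.resultMergingStrategy"
      parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        var Subject = Java.type("javax.security.auth.Subject");
        var AuthenticationResult = Java.type("net.shibboleth.idp.authn.AuthenticationResult");
        var AuthenticationResultPrincipal = Java.type("net.shibboleth.idp.authn.principal.AuthenticationResultPrincipal");
        var UsernamePrincipal = Java.type("net.shibboleth.idp.authn.principal.UsernamePrincipal");
        var X509Certificate = Java.type("java.security.cert.X509Certificate");

        // Pull a username out of the certificate's SAN.
        // Assumption: the identity is an rfc822Name (GeneralName type 1).
        function usernameFromCert(cert) {
            var sans = cert.getSubjectAlternativeNames();
            if (sans == null) { return null; }
            var it = sans.iterator();
            while (it.hasNext()) {
                var entry = it.next();                  // java.util.List: [Integer type, value]
                if (entry.get(0).intValue() == 1) {     // rfc822Name
                    return String(entry.get(1));        // e.g. user@example.gov (constructed format)
                }
            }
            return null;
        }

        var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        var mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

        var merged = new Subject();
        var results = mfaCtx.getActiveResults().values().iterator();
        while (results.hasNext()) {
            var result = results.next();
            var subject = result.getSubject();

            // Only possible while the certificate is still present, i.e. on a fresh
            // X509 login; a deserialized embedded result has no public credentials.
            if (result.getAuthenticationFlowId().equals("authn/X509")
                    && subject.getPrincipals(UsernamePrincipal.class).isEmpty()) {
                var certs = subject.getPublicCredentials(X509Certificate.class).iterator();
                if (certs.hasNext()) {
                    var name = usernameFromCert(certs.next());
                    if (name != null) {
                        // Added to the X509 sub-result itself so it is serialized
                        // with the embedded result and survives factor reuse.
                        subject.getPrincipals().add(new UsernamePrincipal(name));
                    }
                }
            }

            // Same merge the default strategy performs: everything into one Subject,
            // plus the sub-result wrapped as an embedded result principal.
            merged.getPrincipals().addAll(subject.getPrincipals());
            merged.getPublicCredentials().addAll(subject.getPublicCredentials());
            merged.getPrivateCredentials().addAll(subject.getPrivateCredentials());
            merged.getPrincipals().add(new AuthenticationResultPrincipal(result));
        }

        // The script's last expression is the function's return value.
        new AuthenticationResult(authCtx.getAttemptedFlow().getId(), merged);
        ]]>
        </value>
    </constructor-arg>
</bean>
```

Two things worth checking before relying on this. First, confirm with a debug log of the embedded results that the UsernamePrincipal really is present after the MFA result has been round-tripped through the session store; if the serializer for embedded results drops it, the addition would have to move elsewhere. Second, because the TrustEngine already restricts which issuers are accepted, deriving the username straight from the SAN is only as safe as that restriction: keep the trust engine's issuer list tight, since any certificate it accepts now names the account directly.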

