previous X509 auth result contains subject with no public credentials
Cantor, Scott
cantor.2 at osu.edu
Mon Nov 23 16:33:51 UTC 2020
On 11/23/20, 11:15 AM, "users on behalf of Bobby Lawrence" <users-bounces at shibboleth.net on behalf of robertl at jlab.org> wrote:
> I've seen the merging function and I will look into creating a custom one as I've seen if the password flow is skipped (I
> have x509 available as an 'extended' password flow option), then I'm in the same boat....the UsernamePrincipal doesn't
> exist so the X500Principal is the only one that can be used for subject canonicalization and after the first auth, there is no
> certificate in the subject to fetch the alternative names from.
Right. If Password was used, the merged Subject will include the simple-compatible Principal but if it's not used, and X.509 gets reused, you'll get a Subject without anything in it to base the c14n on.
-- Scott
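The condition Scott describes, a merged Subject that carries an X500Principal but no certificate to pull alternative names from, can be spotted before subject canonicalization runs. The following is an added illustration written for this thread, not code from Shibboleth or from either poster. It uses only standard JAAS types (`javax.security.auth.Subject`, `X500Principal`, `X509Certificate`); `SimpleUsernamePrincipal` is a hypothetical stand-in for the simple Principal the Password flow would contribute (it is not Shibboleth's `UsernamePrincipal`), and `inspect` is a hypothetical check, not the IdP's own c14n logic. The two Subjects built in `main` are constructed sample input.

```java
import java.security.Principal;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Hypothetical stand-in for the simple, username-style Principal that the
// Password flow would add to the Subject (not Shibboleth's UsernamePrincipal).
final class SimpleUsernamePrincipal implements Principal {
    private final String name;
    SimpleUsernamePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

public final class SubjectC14nCheck {

    // What a canonicalization step would have to work from.
    enum Outcome { USERNAME_PRINCIPAL, CERT_SAN, X500_DN_ONLY, NOTHING_USABLE }

    static final class Result {
        final Outcome outcome;
        final String name;
        Result(Outcome o, String n) { outcome = o; name = n; }
        @Override public String toString() { return outcome + ":" + name; }
    }

    /** Hypothetical pre-c14n check: report which identity source the merged Subject still offers. */
    static Result inspect(Subject subject) {
        // 1. Simple principal left by the Password flow: the easy case.
        Set<SimpleUsernamePrincipal> users = subject.getPrincipals(SimpleUsernamePrincipal.class);
        if (!users.isEmpty()) {
            return new Result(Outcome.USERNAME_PRINCIPAL, users.iterator().next().getName());
        }
        // 2. Certificate retained as a public credential: subjectAltName is reachable.
        Set<X509Certificate> certs = subject.getPublicCredentials(X509Certificate.class);
        if (!certs.isEmpty()) {
            Optional<String> san = firstRfc822OrDnsName(certs.iterator().next());
            if (san.isPresent()) {
                return new Result(Outcome.CERT_SAN, san.get());
            }
        }
        // 3. Only the X500Principal survived the merge. SANs live in the certificate,
        //    not in the principal, so the DN is the only thing left to canonicalize from.
        Set<X500Principal> dns = subject.getPrincipals(X500Principal.class);
        if (!dns.isEmpty()) {
            return new Result(Outcome.X500_DN_ONLY, dns.iterator().next().getName());
        }
        return new Result(Outcome.NOTHING_USABLE, null);
    }

    // GeneralName type tags from RFC 5280: 1 = rfc822Name, 2 = dNSName.
    static Optional<String> firstRfc822OrDnsName(X509Certificate cert) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) {
                return Optional.empty();
            }
            for (List<?> entry : sans) {
                Integer type = (Integer) entry.get(0);
                if (type == 1 || type == 2) {
                    return Optional.of((String) entry.get(1));
                }
            }
        } catch (CertificateParsingException e) {
            // An unparsable extension is treated as "no usable SAN".
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed: the Subject seen when X.509 is reused and Password is skipped,
        // i.e. an X500Principal and no public credentials at all.
        Subject reusedX509 = new Subject();
        reusedX509.getPrincipals().add(new X500Principal("CN=jdoe, O=Example Lab, C=US"));
        System.out.println("X.509 reused, no Password: " + inspect(reusedX509));

        // Constructed: Password flow ran too, so the simple principal is in the merge.
        Subject withPassword = new Subject();
        withPassword.getPrincipals().add(new SimpleUsernamePrincipal("jdoe"));
        withPassword.getPrincipals().add(new X500Principal("CN=jdoe, O=Example Lab, C=US"));
        System.out.println("Password plus X.509:       " + inspect(withPassword));
    }
}
```

Run with `javac SubjectC14nCheck.java && java SubjectC14nCheck`. The first Subject reports `X500_DN_ONLY`, which is the situation in the thread: a custom c14n flow that keys off the certificate's alternative names has nothing to read, so it would either have to map the DN itself or the configuration has to ensure the certificate (or a name derived from it at first authentication) is retained in the Subject that gets reused.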