previous X509 auth result contains subject with no public credentials

Bobby Lawrence robertl at
Mon Nov 23 22:47:12 UTC 2020

>> To make it work, I had to remove the X500Principal and add my UsernamePrincipal on the X509 AuthenticationResult subject directly....before all its principals are added to the new 'merged' subject created by net.shibboleth.idp.authn.impl.FinalizeMultiFactorAuthentication.

> You don't have to remove anything, it's the addition of the UsernamePrincipal that allows the "simple" method to work. The X500Principal won't hurt anything. Flows just silently skip themselves if they can't understand the Subject's contents.

Just an FYI - I tried this without removing the X500Principal and it didn't work.  I think because I reverted the "shibboleth.PostLoginSubjectCanonicalizationFlows" list back to the distribution where c14n/x500 comes before c14n/simple and since the x500 principal was there, the canonicalization process stopped after setting that the x500 principal name.  So I guess to make this work, I would have to either remove the existing X500Principal like I originally was, or make the c14n/simple flow execute first.

Also - JIRA issue created.  I hope it's sufficient.
