previous X509 auth result contains subject with no public credentials
Bobby Lawrence
robertl at jlab.org
Mon Nov 23 22:47:12 UTC 2020
>> To make it work, I had to remove the X500Principal and add my
>> UsernamePrincipal on the X509 AuthenticationResult subject
>> directly....before all its principals are added to the new 'merged' subject created by net.shibboleth.idp.authn.impl.FinalizeMultiFactorAuthentication.
> You don't have to remove anything, it's the addition of the UsernamePrincipal that allows the "simple" method to work. The X500Principal won't hurt anything. Flows just silently skip themselves if they can't understand the Subject's contents.
Just an FYI - I tried this without removing the X500Principal and it didn't work. I think it's because I reverted the "shibboleth.PostLoginSubjectCanonicalizationFlows" list back to the distribution default, where c14n/x500 comes before c14n/simple, and since the X500Principal was there, the canonicalization process stopped after setting the X500 principal name. So I guess to make this work, I would have to either remove the existing X500Principal like I originally was, or make the c14n/simple flow execute first.
Also - JIRA issue created. I hope it's sufficient.
https://issues.shibboleth.net/jira/browse/IDP-1716
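For readers following the ordering point above, here is an added illustration (not part of the original post, and not Shibboleth's shipped file) of the flow list in conf/c14n/subject-c14n.xml; the distribution order and the `c14n/attribute` entry are assumed from the standard IdP layout, and the reordering shown is the one the post describes, with the first flow that understands the Subject's principals winning.

```xml
<!-- Distribution order (assumed): c14n/x500 runs before c14n/simple, so a
     Subject that still carries an X500Principal is canonicalized by x500
     and the UsernamePrincipal added in the MFA merge step is never used. -->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
    <ref bean="c14n/attribute" />
    <ref bean="c14n/x500" />
    <ref bean="c14n/simple" />
</util:list>

<!-- Reordered: c14n/simple is consulted first, so the UsernamePrincipal
     is used for the canonical name and the X500Principal can stay on the
     Subject; flows that cannot interpret the Subject skip themselves. -->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
    <ref bean="c14n/simple" />
    <ref bean="c14n/attribute" />
    <ref bean="c14n/x500" />
</util:list>
```

Only one of the two lists should be present in the file; both are shown side by side to make the ordering difference visible.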