previous X509 auth result contains subject with no public credentials

Cantor, Scott cantor.2 at
Mon Nov 23 22:53:16 UTC 2020

On 11/23/20, 5:47 PM, "users on behalf of Bobby Lawrence" <users-bounces at on behalf of robertl at> wrote:

>    Just an FYI - I tried this without removing the X500Principal and it didn't work.  I think because I reverted the
> "shibboleth.PostLoginSubjectCanonicalizationFlows" list back to the distribution where c14n/x500 comes before
> c14n/simple and since the x500 principal was there, the canonicalization process stopped after setting that the x500
> principal name.  So I guess to make this work, I would have to either remove the existing X500Principal like I originally
> was, or make the c14n/simple flow execute first.

I didn't recall that that class looked at an X500Principal, I thought it bailed if the certificate was missing. That would be a problem. All the more reason to chew on it a bit before I rush into any fixes.

>    Also - JIRA issue created.  I hope it's sufficient.

Yes, thank you.

-- Scott
