Using scoped attributes as the C14N subject

Wessel, Keith kwessel at
Tue Aug 16 17:09:04 UTC 2022

Hi, all,

We've been using just a username as a subject up until now in our IdP, but we want to change to a userPrincipalName which is scoped. I've tried just changing to the scoped attribute in our and, obviously, updating LDAP queries in DataConnectors that use the principal, but for some reason, the scope is getting dropped during subject resolution:

DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:229] - Data Connector 'azurePassthroughAttributes': Attribute 'azureName': Values '[ScopedStringAttributeValue{value=kwessel,}]'

But it seems to be dropping the scope:
DEBUG [net.shibboleth.idp.authn.impl.AttributeSourcedSubjectCanonicalization:239] - Profile Action AttributeSourcedSubjectCanonicalization: Using attribute azureName string value kwessel as input to transforms

I have the regex commented out in subject-c14n.xml and, even if I didn't, I'd be expecting to see the full scoped string passed in as input to the transforms.

Is there something wrong with how I have azureName defined in my attribute registry? What am I missing here?

