Using scoped attributes as the C14N subject

Cantor, Scott cantor.2 at
Tue Aug 16 19:10:56 UTC 2022

On 8/16/22, 3:00 PM, "users on behalf of Wessel, Keith via users" <users-bounces at on behalf of users at> wrote:

>    One somewhat related follow-up to this. I _thought_ that Microsoft AD
> Kerberos returned a scoped value as the principal and that, after all this
> time, my regex transform was parsing off the domain. But it appears that
> my regex transform was doing nothing as the log suggests:

The username there is simply what the user enters, along with any  transforms you apply to that step. It's not what Kerberos puts in a ticket or something like that.

>    This may be out of scope for this list, but can anyone shed any light on if
> there's a Kerberos or Shib setting to get a fully "scoped" value back from AD
> Kerberos? Or is this all on Microsoft's side?

Just how the IdP works, the c14n step is the process that lets you turn something from the user's data entry into a normalized value, which is in part there to make resolver config cleaner by ensuring it's done outside of that layer.

Other login methods have different sorts of behavior but that's how Password works.

-- Scott

More information about the users mailing list