Using scoped attributes as the C14N subject

Cantor, Scott cantor.2 at
Tue Aug 16 19:31:54 UTC 2022

On 8/16/22, 3:20 PM, "users on behalf of Wessel, Keith via users" <users-bounces at on behalf of users at> wrote:

>    In that case, is there any way I can validate and strip off a domain before
> sending to Kerberos but still have it afterwards? Wow, after typing that, it
> sounds like a lot more work than it's worth.

You'd use c14n with a regex replacement transform to add it back. The transform in Password changes what the user enters into something else. The c14n step changes the something else into something else again. But that all depoends on other things like use of Duo needing a specific username format, etc.

>    If I pass netid at to Shibboleth or netid at my.kerberos.realm,
> authentication fails. It only succeeds if I just pass in a NetID which, as you
> explained, is why I'm just getting back the username.

That really depends on the backend, but a Kerberos check with the realm included should certainly work, I know ours would, it's just not something people will enter for us. Do note realms are case-sensitive of course.

-- Scott

More information about the users mailing list