Using scoped attributes as the C14N subject

[Cantor, Scott]

On 8/16/22, 3:20 PM, "users on behalf of Wessel, Keith via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

>    In that case, is there any way I can validate and strip off a domain before
> sending to Kerberos but still have it afterwards? Wow, after typing that, it
> sounds like a lot more work than it's worth.

You'd use c14n with a regex replacement transform to add it back. The transform in Password changes what the user enters into something else. The c14n step changes the something else into something else again. But that all depoends on other things like use of Duo needing a specific username format, etc.

>    If I pass netid at campus.edu to Shibboleth or netid at my.kerberos.realm,
> authentication fails. It only succeeds if I just pass in a NetID which, as you
> explained, is why I'm just getting back the username.

That really depends on the backend, but a Kerberos check with the realm included should certainly work, I know ours would, it's just not something people will enter for us. Do note realms are case-sensitive of course.

-- Scott