OIDC: this user can't understand how to generate sub claim
francesco.malvezzi at unimore.it
Tue Aug 30 16:23:49 UTC 2022
On 29/08/22 19:01, Peter Schober via users wrote:
> * Francesco Malvezzi via users <users at shibboleth.net> [2022-08-29 14:40]:
>> <InputDataConnector ref="computedSubjectId" attributeNames="subjectId"/>
>> According to the logs, the uid attribute is present and released.
> At least in your post you have not provided evidence on the relation
> of the 'uid' attribute (which you say is present) and the configured
> I'd imagine you're generating the "subjectId" attribute based off
> 'uid' somewhere/somehow but for me this is only an assumption.
> I could also speculate that it could be this connection that's
thank you for your time and attention.
The DataConnector for subjectId is the plain DataConnector taken from
Data Connector for generating 'sub' claim. It may be used to
public and pairwise subject values because it recognizes the OIDC
if used during client registration.
<DataConnector id="computedSubjectId" xsi:type="ComputedId"
the declared properties are:
$ grep oidc.subject conf/oidc.properties credentials/secrets.properties
conf/oidc.properties:idp.oidc.subject.sourceAttribute = uid
conf/oidc.properties:idp.oidc.subject.algorithm = SHA
#conf/oidc.properties:idp.oidc.subject.salt = this_too_should_be_ch4ng3d
credentials/secrets.properties:idp.oidc.subject.salt = some_salt_here
credentials/secrets.properties is imported in idp.additionalProperties
property in conf/idp.properties.
In this setup uid is defined as:
<AttributeDefinition id="uid" xsi:type="PrincipalName" />
(encoding is in conf/attributes/oidc-claim-rules.xml, if needed).
The /conf/attributes-resolver.xml has been removed from the services.xml
to avoid interference from the SAML attribute resolution, and the
attribute resolution checked with the aacli: it works; of course only
the values from the staticAttributes DataConnector show up.
In another trial, I also tried to short-circuit the subjects'
<InputDataConnector ref="staticAttributes" attributeNames="myuid"/>
instead of invoking the computedSubjectId DataConnector but the outcome
is the same.
Sorry for the lengthy mail. Thank you for your patience,
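Added example, not code from the mail or from the Shibboleth OIDC plugin: a small Python model of what the properties in the grep output above feed into, so the expected 'sub' value can be reproduced offline and compared with what the IdP actually emits (for instance via aacli). It assumes the Shibboleth ComputedId construction Base64(digest(rpId + "!" + sourceValue + "!" + salt)), that Java's "SHA" digest name means SHA-1, and that the OIDC plugin substitutes the client's sector identifier for rpId when the client registered a pairwise subject type; the relying-party identifiers and the uid value "fmalvezzi" are constructed sample input. The hypothetical resolve_sub() also models the failure mode the thread is about: when the source attribute (uid) resolves to no value, the connector yields nothing and no 'sub' appears.

```python
import base64
import hashlib
from typing import Dict, List, Optional

# Settings copied from the mail's grep output
# (conf/oidc.properties and credentials/secrets.properties).
SOURCE_ATTRIBUTE = "uid"
ALGORITHM = "SHA"          # Java MessageDigest name; "SHA" is SHA-1
SALT = "some_salt_here"
DEFAULT_SALT = "this_too_should_be_ch4ng3d"   # the commented-out shipped default

# Map Java MessageDigest names onto hashlib names (assumption: these are the
# algorithm values the connector accepts).
JAVA_DIGEST_NAMES = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def computed_id(relying_party_id: str, source_value: str, salt: str,
                algorithm: str = ALGORITHM) -> str:
    """Shibboleth-style ComputedId: Base64(digest(rpId + "!" + sourceValue + "!" + salt)).

    The "rpId!value!salt" layout is the SAML ComputedId / persistent-ID construction
    and is assumed to be what the OIDC connector reuses; verify against your IdP.
    """
    if not salt:
        # An empty salt would make the subject a plain hash of rpId and uid,
        # trivially reversible for short identifiers, so refuse it.
        raise ValueError("idp.oidc.subject.salt must be set")
    digest = hashlib.new(JAVA_DIGEST_NAMES[algorithm])
    digest.update(f"{relying_party_id}!{source_value}!{salt}".encode("utf-8"))
    return base64.b64encode(digest.digest()).decode("ascii")


def resolve_sub(attributes: Dict[str, List[str]], relying_party_id: str,
                salt: str = SALT) -> Optional[str]:
    """Model the connector's dependency on its source attribute.

    attributes: resolved IdP attributes, e.g. {"uid": ["fmalvezzi"]}.
    relying_party_id: the client_id for a public subject, or (assumption) the
    client's sector identifier when it registered subject_type=pairwise.
    Returns None when the source attribute is absent or empty, which is the
    "no sub claim" symptom: the hash is never computed without an input value.
    """
    values = attributes.get(SOURCE_ATTRIBUTE) or []
    if not values:
        return None
    return computed_id(relying_party_id, values[0], salt)


def salt_is_default(salt: str) -> bool:
    """Operational check: the shipped placeholder salt must never reach production."""
    return salt == DEFAULT_SALT


if __name__ == "__main__":
    # Constructed sample: one user, two clients. A pairwise client gets a
    # different 'sub' per sector identifier; the same client always gets the same.
    user = {"uid": ["fmalvezzi"]}
    print("client-a:", resolve_sub(user, "https://client-a.example"))
    print("client-b:", resolve_sub(user, "https://client-b.example"))
    print("no uid:  ", resolve_sub({}, "https://client-a.example"))
    print("default salt in use:", salt_is_default(SALT))
```

If the value printed for a client matches what the IdP returns for the same uid and salt, the hash side is fine and the problem lies upstream, in the source attribute not reaching the connector; if the IdP returns nothing while this prints a value, compare the resolver's view of 'uid' with the aacli output before suspecting the salt or algorithm.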