Azure AD Connector from IDP v4.1 - canonicalization failure

Ullfig, Roberto Alfredo rullfig at uic.edu
Tue Aug 30 17:24:00 UTC 2022


We've got this all set up as per the document:

https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1467056889/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD

but aren't able to canonicalize the person identifier. We are doing the hybrid approach for attributes - they are elsewhere. Any clues from this log:

2022-08-30 12:17:51,608 - INFO [Shibboleth-Audit.SSO:283] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - 2022-08-30T17:17:51.608858Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_2b8142d291e2b4fb281f989450f5731e|https://sts.windows.net/e202cd47-7a56-4baa-99e3-e3b71a7c77dd/|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://shibboleth.uic.edu/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_21c1c8a5-214d-42ce-8c3d-603127bd496c||urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||rullfig@uic.edu|_571c4178-d65e-4bd8-823d-2043d4306100|
2022-08-30 12:17:51,609 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Checking canonicalization flow c14n/attribute for applicability...
2022-08-30 12:17:51,609 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:83] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Selecting canonicalization flow c14n/attribute
2022-08-30 12:17:51,610 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:247] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Initiating attribute resolution with label: c14n/attribute
2022-08-30 12:17:51,611 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:465] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'passthroughAttributes'
2022-08-30 12:17:51,611 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:474] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'passthroughAttributes'
2022-08-30 12:17:51,611 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:420] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving data connector passthroughAttributes
2022-08-30 12:17:51,611 - DEBUG [net.shibboleth.idp.attribute.resolver.dc.impl.SubjectDataConnector:183] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Data Connector 'passthroughAttributes': No Subjects returned from SubjectContext lookup, no attributes resolved
2022-08-30 12:17:51,611 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:225] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Data Connector 'passthroughAttributes': produced the following 0 attributes during resolution []
2022-08-30 12:17:51,611 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:443] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Data connector 'passthroughAttributes' resolved the following attributes: []
2022-08-30 12:17:51,611 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:276] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Attempting to resolve the following attribute definitions [canonicalNameToUseForJoin]
2022-08-30 12:17:51,612 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:465] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'canonicalNameToUseForJoin'
2022-08-30 12:17:51,612 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:474] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'canonicalNameToUseForJoin'
2022-08-30 12:17:51,612 - INFO [net.shibboleth.idp.attribute.resolver.ad.impl.ContextDerivedAttributeDefinition:176] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - SubjectDerivedAttributeDefinition canonicalNameToUseForJoin Generated no values, no attribute resolved
2022-08-30 12:17:51,612 - DEBUG [net.shibboleth.idp.attribute.resolver.ad.impl.ContextDerivedAttributeDefinition:108] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Definition 'canonicalNameToUseForJoin': Generated no values.
2022-08-30 12:17:51,613 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:133] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Definition 'canonicalNameToUseForJoin': no attribute was produced during resolution
2022-08-30 12:17:51,613 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractResolverPlugin:259] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Resolver plugin 'canonicalNameToUseForJoin' produced no value.
2022-08-30 12:17:51,613 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:358] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'canonicalNameToUseForJoin' produced no attribute
2022-08-30 12:17:51,613 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:282] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Finalizing resolved attributes
2022-08-30 12:17:51,613 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:531] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Removing result of attribute definition 'canonicalNameToUseForJoin', it is null
2022-08-30 12:17:51,613 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:285] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Attribute Resolver 'ShibbolethAttributeResolver': Final resolved attribute collection: []
2022-08-30 12:17:51,614 - WARN [net.shibboleth.idp.authn.impl.AttributeSourcedSubjectCanonicalization:183] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action AttributeSourcedSubjectCanonicalization: No attributes found, canonicalization not possible
2022-08-30 12:17:51,614 - INFO [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:62] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Moving incomplete flow c14n/attribute to intermediate set, reselecting a different one
2022-08-30 12:17:51,615 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Checking canonicalization flow c14n/x500 for applicability...
2022-08-30 12:17:51,615 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:106] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Canonicalization flow c14n/x500 was not applicable: Neither a single X509Certificate nor X500Principal were found
2022-08-30 12:17:51,615 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:100] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Checking canonicalization flow c14n/simple for applicability...
2022-08-30 12:17:51,615 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:106] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: Canonicalization flow c14n/simple was not applicable: No UsernamePrincipals were found
2022-08-30 12:17:51,615 - ERROR [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:78] - [AE5CDD926C4A9E6EA13801DE2EE95467] - [128.248.2.59] - Profile Action SelectSubjectCanonicalizationFlow: No potential flows left to choose from, canonicalization will fail


---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
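A triage aid for logs like the one in the post above, as an added example that is not part of the original message or of the Shibboleth project: it groups IdP process-log lines by session and reports what happened to each subject canonicalization flow and whether selection ended in failure. The function names, the session id `S1` and the address `192.0.2.10` are constructed for the example; the message texts are the ones visible in the posted log.

```python
import re

# Line layout in the post's log:
# <date> <time> - <LEVEL> [<logger>:<line>] - [<session>] - [<client ip>] - <message>
LINE = re.compile(r"^\S+ \S+ - (\w+) \[[^\]]+\] - \[(\w+)\] - \[[^\]]+\] - (.*)$")
EVENTS = [
    ("selected", re.compile(r"Selecting canonicalization flow (\S+)")),
    ("not applicable", re.compile(r"Canonicalization flow (\S+) was not applicable: (.*)")),
    ("incomplete", re.compile(r"Moving incomplete flow (\S+) to intermediate set")),
]

def trace_c14n(lines):
    """Return {session: {"flows": {flow: (state, reason)}, "failed": bool}}."""
    sessions, last_warn = {}, {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a process-log line
        level, sid, msg = m.groups()
        s = sessions.setdefault(sid, {"flows": {}, "failed": False})
        if level == "WARN":  # remember why a selected flow could not complete
            last_warn[sid] = msg.split(": ", 1)[-1]
        if "No potential flows left to choose from" in msg:
            s["failed"] = True
        for state, rx in EVENTS:
            hit = rx.search(msg)
            if hit:
                reason = hit.group(2) if state == "not applicable" else None
                if state == "incomplete":
                    reason = last_warn.get(sid)
                s["flows"][hit.group(1)] = (state, reason)
    return sessions

def _line(level, cls, msg, sid="S1"):  # builds a constructed sample line
    return (f"2022-08-30 12:17:51,615 - {level} [net.shibboleth.idp.authn.impl.{cls}:1]"
            f" - [{sid}] - [192.0.2.10] - Profile Action {cls}: {msg}")

SEL = "SelectSubjectCanonicalizationFlow"
SAMPLE = [  # constructed, using message texts that appear in the post's log
    _line("DEBUG", SEL, "Selecting canonicalization flow c14n/attribute"),
    _line("WARN", "AttributeSourcedSubjectCanonicalization",
          "No attributes found, canonicalization not possible"),
    _line("INFO", SEL, "Moving incomplete flow c14n/attribute to intermediate set, reselecting a different one"),
    _line("DEBUG", SEL, "Canonicalization flow c14n/simple was not applicable: No UsernamePrincipals were found"),
    _line("ERROR", SEL, "No potential flows left to choose from, canonicalization will fail"),
]

if __name__ == "__main__":
    for sid, s in trace_c14n(SAMPLE).items():
        print(sid, "FAILED" if s["failed"] else "ok", s["flows"])
```

Feeding it the lines of an `idp-process.log` file (for example via `open(path)`) gives one entry per session id, which makes it quick to see which flow was tried and the reason each one was skipped.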