Azure AD Connector from IDP v4.1 - canonicalization failure

Ullfig, Roberto Alfredo rullfig at
Tue Aug 30 20:31:19 UTC 2022

Not understanding this line in those docs:

"By pulling an IdPAttribute directly from an IdPAttributePrincipal in the input Subject (as mentioned above, this is normally useful when proxying authentication to another IdP)"

The Subject doesn't contain an attribute - it contains a NameID.

Roberto Ullfig - rullfig at
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
From: Cantor, Scott <cantor.2 at>
Sent: Tuesday, August 30, 2022 1:56 PM
To: Ullfig, Roberto Alfredo <rullfig at>; Shib Users <users at>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure

>    We just want a user identifier from Azure.

Then most of that is totally unnecessary, start over, and look at the attribute-sourced c14n docs and properties. No need for anything in the resolver whatsoever.

idp.c14n.attribute.resolveFromSubject = true
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE
idp.c14n.attribute.attributeSourceIds = whateverId

Should be all that's needed other than making sure the input data is getting decoded by the registry.

-- Scott
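For readers following Scott's pointer to the attribute-sourced c14n properties, the following is an added illustration, not part of Scott's or Roberto's messages and not the Shibboleth project's own configuration: a registry transcoding rule (in the IdP v4 `conf/attributes/custom/` style) that decodes one incoming SAML attribute from the proxied Azure AD assertion into an IdPAttribute with the id `whateverId`, which is the id the `idp.c14n.attribute.attributeSourceIds` property above names. The `saml2.name` value is a placeholder; the real claim name emitted by Azure AD is not given on this page and must be taken from the actual assertion.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (assumed file: conf/attributes/custom/azureId.xml). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Registry rule: the incoming SAML 2 Attribute whose Name matches
         saml2.name is decoded into an IdPAttribute with id "whateverId",
         which attribute-sourced c14n then reads from the Subject. -->
    <bean parent="shibboleth.TranscodingProperties">
        <property name="properties">
            <props merge="true">
                <prop key="id">whateverId</prop>
                <prop key="transcoder">SAML2StringTranscoder</prop>
                <!-- PLACEHOLDER: replace with the attribute Name Azure AD actually sends. -->
                <prop key="saml2.name">urn:example:azure-user-identifier-claim</prop>
                <prop key="saml2.nameFormat">urn:oasis:names:tc:SAML:2.0:attrname-format:uri</prop>
                <prop key="saml2.encodeType">false</prop>
                <prop key="displayName.en">Azure user identifier</prop>
            </props>
        </property>
    </bean>
</beans>
```

With this rule in place and the three `idp.c14n.attribute.*` properties from Scott's reply set, the attribute-sourced canonicalization flow (`c14n/attribute`, enabled in `conf/c14n/subject-c14n.xml`) takes the decoded value of `whateverId` as the canonical principal name without any Attribute Resolver involvement. Before relying on it, confirm in the IdP's debug log that the registry actually produced `whateverId` from the proxied assertion; if the identifier only arrives as a NameID and not as an attribute, no transcoding rule will make it appear as an IdPAttribute.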
