Azure AD Connector from IDP v4.1 - canonicalization failure

Wessel, Keith kwessel at
Tue Aug 30 20:51:34 UTC 2022

That's not literally referring to the subject of the assertion.

It mentions the attributes. That means the attributes coming in from the assertion being sent from the upstream IdP and being mapped into IdP attributes because they're defined in the IdP's attribute registry.

If all that's set up, then as Scott said, you don't need anything in your attribute resolver or attribute filter configuration.


From: users <users-bounces at> On Behalf Of Ullfig, Roberto Alfredo via users
Sent: Tuesday, August 30, 2022 3:31 PM
To: Cantor, Scott <cantor.2 at>; Shib Users <users at>
Cc: Ullfig, Roberto A (UIC) <rullfig at>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure

Not understanding this line in those docs:

"By pulling an IdPAttribute directly from an IdPAttributePrincipal in the input Subject (as mentioned above, this is normally useful when proxying authentication to another IdP)"

The Subject doesn't contain an attribute - it contains a NameID.

Roberto Ullfig - rullfig at
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
From: Cantor, Scott <cantor.2 at>
Sent: Tuesday, August 30, 2022 1:56 PM
To: Ullfig, Roberto Alfredo <rullfig at>; Shib Users <users at>
Subject: Re: Azure AD Connector from IDP v4.1 - canonicalization failure

>    We just want a user identifier from Azure.

Then most of that is totally unnecessary, start over, and look at the attribute-sourced c14n docs and properties. No need for anything in the resolver whatsoever. <.../wiki/spaces/IDP4/pages/1265631602/AttributePostLoginC14NConfiguration>

idp.c14n.attribute.resolveFromSubject = true
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE
idp.c14n.attribute.attributeSourceIds = whateverId

Should be all that's needed other than making sure the input data is getting decoded by the registry.

-- Scott
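As an added illustration (not from this thread or from the Shibboleth project), here are the two property files that tie Scott's settings to the registry decoding Keith describes. It assumes the upstream Azure AD assertion carries the user identifier in an attribute named `http://schemas.microsoft.com/identity/claims/objectidentifier` (an assumed example name; use whatever Azure actually sends) and that the IdP loads custom transcoding rules from `conf/attributes/custom/`.

```properties
# conf/attributes/custom/azureUserId.properties  (added example, not from the thread)
# Transcoding rule: decodes the inbound SAML 2 attribute from the upstream IdP
# into the IdPAttribute "whateverId". Because the attribute is in the registry,
# the proxied login places it in the Subject as an IdPAttributePrincipal, where
# the attribute-sourced c14n flow can read it without touching the resolver.
id = whateverId
transcoder = SAML2StringTranscoder
# Assumed attribute name; substitute the name Azure AD actually asserts.
saml2.name = http://schemas.microsoft.com/identity/claims/objectidentifier
displayName.en = Azure user identifier

# conf/c14n/subject-c14n.properties  (the three settings from Scott's reply, annotated)
# Pull the IdPAttribute out of the Subject rather than running the attribute resolver.
idp.c14n.attribute.resolveFromSubject = true
# Never fall back to the resolver during c14n; the value must come from the Subject.
idp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE
# The attribute (matching the rule's id above) whose value becomes the principal name.
idp.c14n.attribute.attributeSourceIds = whateverId
```

The attribute-sourced post-login flow itself still has to be enabled in `conf/c14n/subject-c14n.xml`, as the wiki page Scott linked describes; if the inbound attribute is not decoded by the registry, c14n fails because nothing lands in the Subject under that id.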
