Azure AD Connector from IDP v4.1 - canonicalization failure

Cantor, Scott cantor.2 at
Tue Aug 30 21:04:47 UTC 2022

On 8/30/22, 4:51 PM, "Wessel, Keith" <kwessel at> wrote:

>    That’s not literally referring to the subject of the assertion.

Took me a second to find that text but I clarified it. Java Subject, not SAML Subject, obvious source of confusion in this context.

4.0 -> run the resolver, do extra stuff there to copy an IdPAttribute from the Subject using some very confusing settings because authentication isn't actually done yet

4.1+ -> look directly at Subject produced by SAML login flow and find an IdPAttributePrincipal inside it

Much simpler. Both are "attribute sourced", just no longer both "resolver sourced".

-- Scott

More information about the users mailing list