OIDC: this user can't understand how to generate sub claim
francesco.malvezzi at unimore.it
Thu Sep 1 11:24:51 UTC 2022
On 31/08/22 16:47, Cantor, Scott wrote:
> You have both the separate subject-public/pairwise *and* subject definitions enabled, you can't do that. Pick one approach. This is explained in the comments in the file and why they're different approaches.
> Secondly, all evidence I can see is that the filter is probably throwing everything away, but I can't be sure. The filter is generally louder than that. My guess is none of the policies are applying, so it throws them all out.
My fault, the attribute filter logs were squelched.
Now I can read this line:
2022-09-01 12:51:05,838 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:192] - Attribute Filter has permitted the release of 1 values for attribute 'subject'
Nevertheless, it all ends with:
2022-09-01 12:51:05,881 - WARN
- Unable to produce a viable 'sub' claim
(more details at: https://github.com/francescm/this_user_oidc_conf).
Is it possibly a broken interaction from c14n? I would exclude a double
definition of 'subject' elsewhere because the logs warn about it quite loudly.
Thank you for your time and patience,