OIDC: this user can't understand how to generate sub claim
Francesco Malvezzi
francesco.malvezzi at unimore.it
Thu Sep 1 11:24:51 UTC 2022
On 31/08/22 16:47, Cantor, Scott wrote:
> You have both the separate subject-public/pairwise *and* subject definitions enabled, you can't do that. Pick one approach. This is explained in the comments in the file and why they're different approaches.
Got it.
>
> Secondly, all evidence I can see is that the filter is probably throwing everything away, but I can't be sure. The filter is generally louder than that. My guess is none of the policies are applying, so it throws them all out.
>
My fault, the attribute filter logs were squelched.
Now I can read this line:
2022-09-01 12:51:05,838 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:192] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_bf171fba54a794e85ba28d56af3fc45d' Filter has permitted the release of 1 values for attribute 'subject'
Nevertheless, it all ends with:
2022-09-01 12:51:05,881 - WARN [net.shibboleth.idp.plugin.oidc.op.profile.logic.AttributeResolutionSubjectLookupFunction:182] - Unable to produce a viable 'sub' claim
(more details at: https://github.com/francescm/this_user_oidc_conf).
Is a broken interaction from c14n possible? I would exclude a double
definition of 'subject' elsewhere because the logs warn about it quite loudly.
Thank you for your time and patience,
Francesco