OIDC: this user can't understand how to generate sub claim

Francesco Malvezzi francesco.malvezzi at unimore.it
Thu Sep 1 11:24:51 UTC 2022

On 31/08/22 16:47, Cantor, Scott wrote:
> You have both the separate subject-public/pairwise *and* subject definitions enabled, you can't do that. Pick one approach. This is explained in the comments in the file and why they're different approaches.

Got it.

> Secondly, all evidence I can see is that the filter is probably throwing everything away, but I can't be sure. The filter is generally louder than that. My guess is none of the policies are applying, so it throws them all out.

My fault, the attribute filter logs were squelched.

Now I can read this line:

2022-09-01 12:51:05,838 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:192] - Attribute filtering engine Filter has permitted the release of 1 values for attribute 'subject'

Nevertheless, it all ends with:

2022-09-01 12:51:05,881 - WARN - Unable to produce a viable 'sub' claim

(more details at: https://github.com/francescm/this_user_oidc_conf).

Is it possibly a broken interaction from c14n? I would exclude a double
definition of 'subject' elsewhere because the logs warn about it quite loudly.

Thank you for your time and patience,

