SAML flow within MFA flow - possible c14n problem

Cantor, Scott cantor.2 at
Fri Sep 9 15:50:42 UTC 2022

I can't really debug this for somebody on list but I will outline a bit about the way c14n works in general and for the MFA flow, and correct a point of understandable confusion.

Every login flow in isolation needs to be able to produce a string value. And anything that's not just simple stuff is not going to be simple to get a value out. With SAML, you have to obviously deal with the NameID or the Attribute(s) and generally leverage the fancy stuff that got added to get a string out to use, vs. the Password case where you start with the username and can pretty much just manipulate that directly.

Assuming you have that working, the MFA flow by default will merge all the Principal objects from all the Java Subjects being run together, and then it runs c14n again on that merged Subject.

In principle (sic), the same c14n settings that work in isolation on each constituent flow generally tend to work correctly on that merged result, but there can be cases where it's not that easy or the ordering of the c14n flows that are "active" might get in the way of things, so you have to have some sense of what's in the Subject after the merge and then make sure the intended c14n behavior will handle that.

There are also ways to build a custom function to do the final merge and produce the MFA Subject result when absolutely necessary, though I'm not sure it's come up much.

Basically, if you're getting the wrong c14n result, one of the c14n flows is doing the wrong thing with the Principal collection that it operated on for whatever Subject it was running against.

The other note I will add is that the log statements where it says "authenticatedPrincipal=..." are just the output of the toString() method on the AuthenticationResult object, and the value for that field is just a heuristic. It's NOT the c14n result.

It's a guess at a value to spit out that might make sense, and is either the first UsernamePrincipal value it finds in the Subject, or failing that, the first Principal it finds. In the case of SAML, it's a NameIDPrincipal wrapped around the NameID it got, which is just part of the output of the SAML flow. It's nothing to do with c14n.

That isn't obvious, and would be easy to misconstrue.

I don't know if that helps but it's what I can do on list.

-- Scott

More information about the users mailing list