OIDC: this user can't understand how to generate sub claim
Francesco Malvezzi
francesco.malvezzi at unimore.it
Thu Sep 22 06:53:20 UTC 2022
Hi everybody,
I would like to report my success in generating and releasing the OIDC sub
claim.
To nobody's surprise, the example file provided
(etc/examples/oidc-attribute-resolver.xml) works great out-of-the-box.
My mistake was in my conf/services.xml, where I couldn't figure out that a
double inclusion is needed:
[...]
    <util:list id="shibboleth.AttributeResolverResources">
        <value>%{idp.home}/conf/attribute-resolver.xml</value>
        <value>%{idp.home}/conf/oidc-attribute-resolver.xml</value>
        <value>%{idp.home}/conf/activation-conditions.xml</value>
    </util:list>
    <!--
    This is suitable for new installs but will usually produce duplicate
    Attribute output if a legacy resolver file is used that contains
    AttributeEncoders.
    -->
    <util:list id="shibboleth.AttributeRegistryResources">
        <value>%{idp.home}/conf/attribute-registry.xml</value>
        <value>%{idp.home}/conf/attributes/default-rules.xml</value>
        <value>%{idp.home}/conf/oidc-attribute-resolver.xml</value>
    </util:list>
[...]
If I don't include oidc-attribute-resolver.xml in both
AttributeResolverResources and AttributeRegistryResources, the flow will
fail with an "Unable to produce a viable 'sub' claim" error.
Thanks,
Francesco