Default 'sub' based C14N flow does not run
Description
Environment
Activity
Martin Hitschel November 20, 2023 at 8:51 AM
Confirming the C14N MFA workaround like documented now on https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3013804089/OIDCRelyingPartyAuthnConfiguration#c14n4mfa works.
Martin Hitschel November 20, 2023 at 8:24 AM
To confirm, I do use the MFA flow from the Password view, as I think is still the recommended way:
<entry key="authn/Password">
    <bean parent="shibboleth.authn.MFA.Transition">
        <property name="nextFlowStrategyMap">
            <map>
                <entry key="SAMLtransition" value="authn/SAML" />
                <entry key="OIDCtransition" value="authn/OIDCRelyingParty" />
                <entry key="*" value-ref="checkSecondFactor" />
…
Philip Smart November 17, 2023 at 2:19 PM
I’ve updated the documentation on what to do if you use the RP inside the MFA flow and want the ‘sub’ claim to be used as the principal name.
Philip Smart November 17, 2023 at 1:44 PM (edited)
Maybe for now I add that to the RP’s documentation. If you want to use the RP inside an MFA flow, you need to choose the source of the principal, and if you want it to come from the ‘sub’ claim you’ll need to add that bean reference. If you use the RP flow explicitly, it works off the inbuilt one for convenience (but you could disable it if you wanted something else).
Which results in no changes to the RP. If however the use case comes back as more complicated, we can revise it.
Philip Smart November 17, 2023 at 1:42 PM
Yeah, adding that bean reference to the shibboleth.PostLoginSubjectCanonicalizationFlows list works on my dev IdP. It is a V5 IdP, but I would not think that could make a difference.
The flow gets installed:
Registered flow ID 'c14n/OIDCSubjectIdentifier
And c14n/attribute and c14n/simple are active. But C14N fails:
2023-11-15 19:08:59,313 - DEBUG [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:83] - IP:10.0.8.19 - Profile Action SelectSubjectCanonicalizationFlow: Selecting canonicalization flow c14n/OIDCSubjectIdentifier
2023-11-15 19:08:59,370 - DEBUG [net.shibboleth.idp.authn.AbstractSubjectCanonicalizationAction:221] - IP:10.0.8.19 - Profile Action SimpleOIDCSubjectIdentifierCanonicalization: trimming whitespace of input string '3Z7J3O2L5HGQSFDVU3DUAGOCIFZ6QZRM@daasi.de'
2023-11-15 19:08:59,385 - DEBUG [net.shibboleth.idp.authn.impl.PopulateSubjectCanonicalizationContext:75] - IP:10.0.8.19 - Profile Action PopulateSubjectCanonicalizationContext: Installing 2 canonicalization flows into SubjectCanonicalizationContext
--> not 3!
2023-11-15 18:58:32,074 - ERROR [net.shibboleth.idp.authn.impl.SelectSubjectCanonicalizationFlow:78] - IP:10.0.8.19 - Profile Action SelectSubjectCanonicalizationFlow: No potential flows left to choose from, canonicalization will fail
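Added illustration, not taken from the issue or the plugin's documentation: the shibboleth.PostLoginSubjectCanonicalizationFlows list in conf/c14n/subject-c14n.xml as it ships (two flows, which is what the "Installing 2 canonicalization flows" line above counts) next to the list with the OIDC flow added, which is the change the comments describe. The bean id c14n/OIDCSubjectIdentifier is assumed to match the flow ID the IdP registers in the log above, and the parent bean shibboleth.PostLoginSubjectCanonicalizationFlow is assumed to be the same one the two stock entries use.

```xml
<!-- BEFORE: stock list. Only c14n/attribute and c14n/simple are installed into the
     SubjectCanonicalizationContext, so a principal carrying the 'sub' claim from the
     OIDC RP flow (run from inside MFA) has no matching flow and c14n fails. -->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
    <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
    <bean id="c14n/simple" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
</util:list>

<!-- AFTER: add the OIDC subject identifier flow so three flows are installed.
     Flows are tried in list order, so the OIDC entry is placed before c14n/simple;
     the bean id and parent name here are assumptions, check them against the plugin
     documentation linked in the first comment before deploying. -->
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
    <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
    <bean id="c14n/OIDCSubjectIdentifier" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
    <bean id="c14n/simple" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
</util:list>
```

After restarting, the PopulateSubjectCanonicalizationContext debug line should report 3 flows, and SelectSubjectCanonicalizationFlow should pick c14n/OIDCSubjectIdentifier without the "No potential flows left" error.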