  1. If a c14n flow completes with a "proceed" event, then it MUST satisfy the following requirements:
    1. The SubjectCanonicalizationContext's principalName property MUST be set.
  2. If a c14n flow completes with any other event, it should assume that its outcome will be treated as unsuccessful. Flows may signal specific behavior back to the c14n master flow:
    1. ReselectFlow – tells the master c14n flow to choose another eligible flow to run (i.e., fall through)
    2. InvalidSubject – tells the master c14n flow that the input Subject was not appropriate for the flow to act on, and to choose another eligible flow to run (i.e., fall through)
    3. Anything Else – c14n will fail and the event will be reflected back as the result of the c14n master flow, to be interpreted by the calling parent flow (signaling a custom event requires that conf/c14n/subject-c14n-events-flow.xml be modified)

Programming Guide to Using Canonicalization

Note

The material below is applicable to V3.3.0 and later of the IdP.

If you're creating a custom profile/protocol feature that needs c14n, the web flow that invokes the c14n subsystem must do the following:

  1. Create a SubjectCanonicalizationContext and populate (at least) the subject and potentialFlows properties, along with any other inputs available.
  2. Attach the SubjectCanonicalizationContext as a child of the ProfileRequestContext.
  3. Transfer control to the "c14n" subflow and transition on the possible results back to your own flow.

The following events worthy of special note may occur as a result of invoking the subsystem:

  • proceed – Successful c14n.
  • NoPotentialFlow – No c14n flow is configured for use or was able to operate on the input.
  • SubjectCanonicalizationError – The input was recognized but an error occurred trying to operate on it.

Various other events signifying more low-level error conditions may also occur.

In any case other than "proceed", the caller MUST NOT expect any results to be valid, and canonicalizationError MAY be populated.

In the case of "proceed", SubjectCanonicalizationContext's principalName property MUST be set.

Note that the above outline holds for any potential use case for this feature. It is immaterial what the c14n process is actually operating on because that is abstracted into the Java Subject, and will be manifest in the specific c14n subflows that are populated as potential flows to use.
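
The event contract described above can be modeled in plain Java to show why a caller reads principalName only after "proceed". This is an added example, not IdP code: Ctx, Flow, the sample flows and the custom "AccountLocked" event are hypothetical stand-ins, and reporting a "proceed" without a principalName as SubjectCanonicalizationError is an assumption of the model.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import javax.security.auth.Subject;

// Stand-alone model of the contract above; Ctx and Flow are hypothetical
// stand-ins, not the IdP's SubjectCanonicalizationContext or its web flows.
public class C14nContractModel {
    static final class Ctx {
        final Subject subject;
        String principalName;
        Ctx(Subject subject) { this.subject = subject; }
    }

    interface Flow { String run(Ctx ctx); } // returns the flow's completion event

    // Master flow: try each potential flow in order, falling through on
    // ReselectFlow / InvalidSubject and reflecting any other event to the caller.
    static String runMaster(Ctx ctx, List<Flow> potentialFlows) {
        for (Flow flow : potentialFlows) {
            String event = flow.run(ctx);
            if (event.equals("ReselectFlow") || event.equals("InvalidSubject")) continue;
            // Assumption of this model: "proceed" without a principalName is an error.
            if (event.equals("proceed") && ctx.principalName == null) return "SubjectCanonicalizationError";
            return event;
        }
        return "NoPotentialFlow";
    }

    // Caller: principalName is read only on "proceed"; on any other event it is ignored.
    static Optional<String> canonicalize(Subject subject, List<Flow> potentialFlows) {
        Ctx ctx = new Ctx(subject);
        String event = runMaster(ctx, potentialFlows);
        return event.equals("proceed") ? Optional.of(ctx.principalName) : Optional.empty();
    }

    static String firstName(Ctx ctx) { return ctx.subject.getPrincipals().iterator().next().getName(); }

    public static void main(String[] args) {
        Subject subject = new Subject(); // constructed sample input
        subject.getPrincipals().add(() -> "JDoe@Example.org");
        Flow x500Only = ctx -> {
            if (!firstName(ctx).startsWith("CN=")) return "InvalidSubject";
            ctx.principalName = firstName(ctx);
            return "proceed";
        };
        Flow lowercase = ctx -> { ctx.principalName = firstName(ctx).toLowerCase(Locale.ROOT); return "proceed"; };
        Flow halfDone = ctx -> { ctx.principalName = "stale"; return "AccountLocked"; };
        System.out.println(canonicalize(subject, List.of(x500Only, lowercase))); // x500Only falls through
        System.out.println(canonicalize(subject, List.of(halfDone, lowercase))); // custom event ends c14n
        System.out.println(canonicalize(subject, List.of(x500Only)));            // no flow could operate
    }
}
```

The second call is the case to watch: halfDone leaves a value in principalName before failing, and the caller discards it because the event was not "proceed".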