Current File(s): conf/c14n/subject-c14n.properties, conf/c14n/subject-c14n.xml
Format: Properties, Native Spring

Overview

The c14n/x500 post-login subject canonicalization method extracts a username from a Java Subject that contains either a single X509Certificate object in the public credentials set or a single X500Principal in the Principal set. It is primarily designed to work in conjunction with the X509 or X509Internal login flows (i.e., certificate-based authentication).

Configuration

Method Settings

Use conf/c14n/subject-c14n.properties to configure this method.

If your system has been upgraded, you may continue to use conf/c14n/x500-subject-c14n-config.xml as before, or you may remove it, provided you ensure the new properties are being loaded.

...

By default, the only transform applied to the result is a trim of leading or trailing whitespace. Case-folding and regular expression replacements can be added, per the reference section below.

Enabling this Method

V5.2+

In V5.2+, this method is enabled by setting a per-login-flow property in conf/authn/authn.properties that references it. The default bean ID of this method is “c14n/x500”, so enabling it for a login flow looks like:

  idp.authn.X509.c14n.flows = c14n/x500

It is possible to configure two instances of this method at the same time with different settings. The default instance is configured with a set of global properties, so defining a second instance of it with different settings requires adding a bean to conf/c14n/subject-c14n.xml. This bean can be defined at the top level of the file and needs a unique ID to reference in the login flow property example above. It does not have to carry the “c14n/” prefix but this is useful for clarity.

As an example, to define a second instance with a rule to lower case the input (without applying that same rule to the default instance of course):

  <bean id="c14n/x500-lower" parent="c14n/x500"
      p:lowercase="true" />

That then allows you to reference “c14n/x500-lower” in a login flow’s property as above.

Reference

Beans

The following beans may be defined in conf/c14n/subject-c14n.xml if needed:

Bean ID                         | Type                        | Description
c14n/x500                       | X500SubjectCanonicalization | Built-in instance of this method, auto-configured by properties and other beans as described. V5.2+ allows reuse of this bean as a parent to define additional instances of this method with different settings.
shibboleth.c14n.x500.Transforms | Pair<String,String>         | Pairs of regular expressions and replacement expressions to apply to the username
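To make the behaviour described above concrete (the "single certificate or single X500Principal" precondition, the default trim, the lowercase option used by the second instance in the Enabling section, and the regex/replacement pairs of the Transforms bean), here is an added, stand-alone Python model of that pipeline. It is not Shibboleth code: the Subject, X500Principal and X509Certificate classes are constructed stand-ins for the Java types, the ordering of case-folding before the regex pairs is an assumption, and the replacement syntax is Python's (\1), not Java's ($1).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the Java Subject contents; a real deployment
# receives these from the X509/X509Internal login flow, not from code.
@dataclass(frozen=True)
class X500Principal:
    name: str            # the subject DN as a string

@dataclass(frozen=True)
class X509Certificate:
    subject: X500Principal

@dataclass
class Subject:
    principals: list = field(default_factory=list)
    public_credentials: list = field(default_factory=list)

def extract_subject_name(subject: Subject) -> Optional[str]:
    """Precondition from the page: exactly one X509Certificate in the public
    credentials, or else exactly one X500Principal among the principals.
    Zero or several candidates is ambiguous, so no username is produced."""
    certs = [c for c in subject.public_credentials if isinstance(c, X509Certificate)]
    if len(certs) == 1:
        return certs[0].subject.name
    principals = [p for p in subject.principals if isinstance(p, X500Principal)]
    if len(principals) == 1:
        return principals[0].name
    return None

@dataclass
class X500Canonicalizer:
    """One instance of the method: trim is always applied, lowercase is
    optional, then ordered (regex, replacement) pairs are run in turn.
    Applying lowercase before the regex pairs is an assumed order."""
    lowercase: bool = False
    transforms: list = field(default_factory=list)

    def canonicalize(self, subject: Subject) -> Optional[str]:
        name = extract_subject_name(subject)
        if name is None:
            return None
        name = name.strip()                    # the only default transform
        if self.lowercase:
            name = name.lower()
        for pattern, replacement in self.transforms:
            name = re.sub(pattern, replacement, name)  # Python \1 groups
        return name

# Constructed sample certificate subject with stray surrounding whitespace.
SAMPLE = Subject(public_credentials=[X509Certificate(
    X500Principal("  CN=Jane Doe,OU=Staff,O=Example University,C=US  "))])
DEFAULT = X500Canonicalizer()                               # like c14n/x500
LOWER = X500Canonicalizer(lowercase=True)                   # like c14n/x500-lower
CN_ONLY = X500Canonicalizer(lowercase=True,
                            transforms=[(r"(?i)^CN=([^,]+).*$", r"\1")])
```

Running DEFAULT, LOWER and CN_ONLY over SAMPLE shows how the same certificate subject yields a trimmed DN, a lowercased DN, or just the common name depending on which instance the login flow references.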

...