V5.2+

In V5.2+, this method is enabled by setting a per-login-flow property in conf/authn/authn.properties that references it. The default bean ID of this method is “c14n/x500”, so enabling it for a login flow looks like:

    idp.authn.X509.c14n.flows = c14n/x500

It is possible to configure two instances of this method at the same time with different settings. The default instance is configured with a set of global properties, so defining a second instance of it with different settings requires adding a bean to conf/c14n/subject-c14n.xml. This bean can be defined at the top level of the file and needs a unique ID to reference in the login flow property example above. It does not have to carry the “c14n/” prefix but this is useful for clarity.

As an example, to define a second instance with a rule that lowercases the input (without applying that same rule to the default instance, of course):

    <bean id="c14n/x500-lower" parent="c14n/x500"
      p:lowercase="true" />

That then allows you to reference “c14n/x500-lower” in a login flow’s property as above.

Older Versions

In older versions, this method is generally enabled for you by default by virtue of a reference to the bean in the shibboleth.PostLoginSubjectCanonicalizationFlows list in conf/c14n/subject-c14n.xml:

    <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
        <ref bean="c14n/x500" />
    </util:list>

Most often it shows up last in the list, and leaving it enabled does no harm, but the reference could be removed if not in use.

...