Versions Compared

...

Usually, the attribute resolver relies on the canonical principal name to do its work (the value of the $resolutionContext.principal variable in scripts or search templates). By definition that isn't possible here, because this is the process that produces that value in the first place. So in most cases this flow involves the resolution of attributes using scripts, but with V3.3 and above the value of that variable in the resolver can be set by means of a function bean (e.g., using a script) named shibboleth.c14n.attribute.PrincipalNameLookupStrategy. In most cases this function would peek inside the Java Subject being canonicalized and pull out custom bits of information.

...

Although needing to access the value entered by the user is not typical (apart from the one specific case noted below), that value will be present inside the Subject as a principal object of type net.shibboleth.idp.authn.principal.UsernamePrincipal. In most other cases it's simpler to leave that value as the canonical principal name and adjust your resolver configuration to accommodate whatever it might be than to try to use the resolver ahead of time to turn it into some other value.

...

One Common Use of Attribute-based Canonicalization

One situation where c14n/attribute post-login subject canonicalization is frequently useful:

  • you need to use Duo or another 2FA authentication plugin that sends the username entered by the user to the 2FA service
  • you want to allow the user to enter their username as one of several different identifiers when they do the initial password authentication

...

The following example (which requires V3.3 or above) illustrates how one could set this up, where one has chosen to allow the user to enter either their uid or their e-mail address as the username. Changes need to be made to all of the following, and the sample config highlights the changes to each that would enable this. (One would also need to configure the authn handler to allow for either input, such as changing idp.authn.LDAP.userFilter to '(|(uid={user})(mail={user}))'.)
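As an added illustration (this is not the wiki's own sample configuration, which is not reproduced on this page), the two fragments below show the pieces that the V3.3+ mechanism described above needs: a shibboleth.c14n.attribute.PrincipalNameLookupStrategy function bean whose inline script pulls the username the user actually typed out of the UsernamePrincipal in the Subject, and an LDAP data connector whose filter template searches on that value via $resolutionContext.principal so that the real uid can be resolved before the canonical name exists. The parent bean shibboleth.ContextFunctions.Scripted, the use of the ProfileRequestContext as the script's "input" variable, and the connector id, URL and base DN are assumptions; the (|(uid=...)(mail=...)) filter mirrors the userFilter quoted above.

```xml
<!-- conf/c14n/subject-c14n.xml (added example; parent bean and "input" type are assumed) -->
<bean id="shibboleth.c14n.attribute.PrincipalNameLookupStrategy"
      parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        // "input" is assumed to be the ProfileRequestContext; the Subject being
        // canonicalized hangs off its SubjectCanonicalizationContext subcontext.
        var c14nCtx = input.getSubcontext(
            "net.shibboleth.idp.authn.context.SubjectCanonicalizationContext");
        var result = null;
        if (c14nCtx != null && c14nCtx.getSubject() != null) {
            var UsernamePrincipal =
                Java.type("net.shibboleth.idp.authn.principal.UsernamePrincipal");
            // The password login flow stores exactly what the user typed here,
            // whether that was a uid or an e-mail address.
            var typed = c14nCtx.getSubject().getPrincipals(UsernamePrincipal);
            if (!typed.isEmpty()) {
                result = typed.iterator().next().getName();
            }
        }
        // Returning null (no UsernamePrincipal present) leaves the resolver with no
        // principal to search on, so the c14n step fails closed instead of guessing.
        result;
        ]]>
        </value>
    </constructor-arg>
</bean>

<!-- conf/attribute-resolver.xml (added example; connector id, URL and baseDN are placeholders) -->
<!-- $resolutionContext.principal now carries the typed username supplied by the
     function above, so one search covers both identifier forms and returns uid. -->
<DataConnector id="c14nLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldap://ldap.example.org" baseDN="ou=people,dc=example,dc=org">
    <FilterTemplate>
        <![CDATA[
            (|(uid=$resolutionContext.principal)(mail=$resolutionContext.principal))
        ]]>
    </FilterTemplate>
    <ReturnAttributes>uid</ReturnAttributes>
</DataConnector>
```

With this in place the c14n/attribute flow resolves uid from whichever identifier was entered and uses it as the canonical principal name, which is the value a Duo or similar 2FA plugin then receives instead of the raw e-mail address. The search filter here and the idp.authn.LDAP.userFilter used for the password check should accept the same set of identifiers, otherwise a login that succeeds at the authn step can still fail canonicalization.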

...