Current File(s): conf/c14n/subject-c14n.properties
Format: Properties, Native Spring
Overview
The “simple” post-login subject c14n method does a routine extraction of a single UsernamePrincipal from the Java Subject and returns it as the canonical principal name for the subject. It also supports some optional transforms to apply to the name.
This flow will succeed if and only if the input Java Subject contains exactly one UsernamePrincipal in its collection of Principals.
Configuration
Method Settings
Use conf/c14n/subject-c14n.properties to configure this method.
If your system has been upgraded, you may continue to use conf/c14n/simple-subject-c14n-config.xml as before, or you may remove it, while ensuring the new properties are being loaded.
The regular expression replacement feature is the only part that still requires XML; you may define that bean, if needed, in conf/c14n/subject-c14n.xml.
By default, the only transform applied is a trim of leading or trailing whitespace. Case-folding and regular expression replacements can be added, per the reference below.
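The following Python model of the behaviour described above is an added illustration, not Shibboleth's own code. It shows the exactly-one-UsernamePrincipal rule and how the trim, case-folding and regular expression settings change the canonical name that comes out. The names `OtherPrincipal` and `simple_c14n`, the order in which the transforms run, the use of Python replacement syntax, and all sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class UsernamePrincipal:   # stand-in for the Java principal type named on this page
    name: str

@dataclass(frozen=True)
class OtherPrincipal:      # hypothetical: any other principal type in the Subject
    name: str

def simple_c14n(principals, trim=True, lowercase=False, uppercase=False, transforms=()):
    """Return the canonical name, or None when the flow would not succeed.

    Assumed order: trim, then case folding, then (pattern, replacement) pairs.
    Replacements use Python syntax (\\1), not Java's ($1).
    """
    # A Java Subject holds a set of principals, so equal entries collapse.
    usernames = [p for p in set(principals) if isinstance(p, UsernamePrincipal)]
    if len(usernames) != 1:          # zero or several usernames: no result
        return None
    name = usernames[0].name
    if trim:
        name = name.strip()
    if lowercase:
        name = name.lower()
    elif uppercase:
        name = name.upper()
    for pattern, replacement in transforms:
        name = re.sub(pattern, replacement, name)
    return name

if __name__ == "__main__":
    # Constructed sample input: the same user typed two different ways.
    typed = [UsernamePrincipal("  JDoe "), UsernamePrincipal("jdoe")]
    for p in typed:
        print(repr(p.name), "default ->", repr(simple_c14n([p])),
              "| lowercase ->", repr(simple_c14n([p], lowercase=True)))
    # Constructed transform pair: drop an "@example.org" suffix.
    strip_scope = [(r"^(.+)@example\.org$", r"\1")]
    subject = [UsernamePrincipal("JDoe@example.org"), OtherPrincipal("x")]
    print(simple_c14n(subject, lowercase=True, transforms=strip_scope))
    # Two distinct UsernamePrincipals in one Subject: the method yields nothing.
    print(simple_c14n(typed))
```

With the defaults, "  JDoe " and "jdoe" produce two different canonical names; with case folding enabled, both spellings resolve to the same one.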
Enabling this Method
V5.2+
In V5.2+, this method is enabled by setting a per-login-flow property in conf/authn/authn.properties that references it. The default bean ID of this method is “c14n/simple”, so enabling it for a login flow looks like:
idp.authn.Password.c14n.flows = c14n/simple
It is possible to configure two instances of this method at the same time with different settings. The default instance is configured with a set of global properties, so defining a second instance of it with different settings requires adding a bean to conf/c14n/subject-c14n.xml. This bean can be defined at the top level of the file and needs a unique ID to reference in the login flow property example above. It does not have to carry the “c14n/” prefix but this is useful for clarity.
As an example, to define a second instance with a rule to lowercase the input (without applying that same rule to the default instance, of course):
TBD
Older Versions and Pre-5.2 Plugins
In older versions, this method is generally enabled for you by default by virtue of a reference to the bean in the shibboleth.PostLoginSubjectCanonicalizationFlows list in conf/c14n/subject-c14n.xml:
<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
<ref bean="c14n/simple" />
</util:list>
Most often it shows up last in the list, and it doesn’t hurt anything to leave it enabled, but the reference could be removed if not in use.
Reference
Beans
The following bean may be defined in conf/subject-c14n.xml if needed:
Bean ID | Type | Description |
---|---|---|
shibboleth.c14n.simple.Transforms | Pair<String,String> | Pairs of regular expressions and replacement expressions to apply to the username |
Properties
The following properties are commented out by default in conf/c14n/subject-c14n.properties:
Name | Type | Default | Description |
---|---|---|---|
idp.c14n.simple.lowercase | Boolean | false | Whether to lowercase the username |
idp.c14n.simple.uppercase | Boolean | false | Whether to uppercase the username |
idp.c14n.simple.trim | Boolean | true | Whether to trim leading and trailing whitespace from the username |