The Shibboleth IdP V4 software will leave support on September 1, 2024.

SubjectCanonicalizationConfiguration

Current File(s): conf/c14n/subject-c14n.xml
Format: Native Spring

Overview

Subject Canonicalization (often abbreviated as "c14n") is the process by which the IdP turns a "complex" representation of a subject identity (usually that of a user) into a simple username to normalize the value. Over time this mechanism may be applied to a variety of different scenarios, but initially there are two cases:

  1. Normalizing the authenticated Java Subject into a username (referred to as "post-login" canonicalization, see AuthenticationConfiguration)

  2. Mapping a SAML 1 <NameIdentifier> or SAML 2 <NameID> element into a username (referred to as NameID consumption, see NameIDConsumptionConfiguration)

The rest of this topic is mainly a high-level configuration reference. In most cases, the above topics are the ones to review when dealing with those specific use cases.

Subject Canonicalization is implemented using Spring Web Flow. Each method of canonicalizing "something" into a username is implemented as a subflow and described using a descriptor bean that tells the IdP how to run that flow.

The subject-c14n.xml file includes lists of descriptors that describe the possible flows available for the different cases.

General Configuration

The shibboleth.PostLoginSubjectCanonicalizationFlows bean is a list of the descriptor beans defining the post-login canonicalization flows available to run (case 1 above).

The shibboleth.SAMLSubjectCanonicalizationFlows bean is a list of the descriptor beans defining the SAML canonicalization flows available to run (case 2 above).

In the majority of cases, you won't need to add to either list, but if you were to build some kind of custom flow that perhaps relied on a web service or something of that nature, this is where it would be registered.

For further details, refer to the use case-specific topics noted earlier.

Reference

Beans

Bean ID

Type

Function

Bean ID

Type

Function

shibboleth.PostLoginSubjectCanonicalizationFlows

List<SubjectCanonicalizationFlowDescriptor>

List of flow descriptors enumerating the c14n flows to run on the result of the login process

shibboleth.SAMLSubjectCanonicalizationFlows

List<NameIDCanonicalizationFlowDescriptor>

List of flow descriptors enumerating the c14n flows to run on incoming Name Identifiers