SubjectCanonicalizationConfiguration

Current File(s): conf/c14n/subject-c14n.xml
Format: Native Spring

Overview

Subject Canonicalization (often abbreviated as "c14n") is the process by which the IdP turns a "complex" representation of a subject identity into a simple, normalized username. Over time this mechanism may be applied to a variety of different scenarios, but initially there are two predominant cases:

  1. Normalizing the authenticated Java Subject into a username (referred to as "post-login" canonicalization, see AuthenticationConfiguration)

  2. Mapping a SAML 1 <NameIdentifier> or SAML 2 <NameID> element into a username (referred to as NameID consumption, see NameIDConsumptionConfiguration)

The rest of this topic is mainly a high-level configuration reference. In most cases, the above topics are the ones to review when dealing with those specific use cases.

Subject Canonicalization is implemented using a combination of Java and Spring Web Flow. Each method of canonicalizing "something" into a username is implemented as a subflow or, as of V5.2, optionally as a simple Java class. In either case, the method is registered with the system using a descriptor bean that tells the IdP how to run that flow or execute that class.

The descriptors are by and large meant to be defined internally to the system, and referenced by user configuration, but in some cases may also be explicitly defined by a deployer for more advanced customization.

The subject-c14n.xml file is the primary location in which the default configuration lives, and is a good choice to use when adding deployer-specific beans related to this feature.

General Configuration

The shibboleth.PostLoginSubjectCanonicalizationFlows bean is a list (now somewhat historical as of V5.2) of the descriptor beans defining the post-login canonicalization flows available to run (case 1 above). With V5.2, the system supports a more dynamic approach to registering these, and has a simpler way to configure them for use with each login flow/method. The documentation covers the old and newer approaches in these subtopics:

The shibboleth.SAMLSubjectCanonicalizationFlows bean is a list of the descriptor beans defining the SAML canonicalization flows available to run (case 2 above). It remains the standard way to configure that use case, via a chain of supported methods.
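As an added illustration of the Native Spring form these two lists take (this is not the stock distribution file and not code from this page), the snippet below shows a deployer-defined subject-c14n.xml populating both lists. The parent beans shibboleth.PostLoginSubjectCanonicalizationFlow and shibboleth.SAMLNameIDCanonicalizationFlow, the c14n/... flow ids and the formats property follow the naming used by the IdP distribution but are assumptions here; check them against your installed conf/c14n/subject-c14n.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of conf/c14n/subject-c14n.xml content. Parent bean ids,
     flow ids and the "formats" property are assumed to match the stock
     distribution; verify against the installed file before use. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Case 1: post-login c14n. Each entry is a descriptor whose bean id
         names the subflow to run. The chain is consulted in list order,
         so a deployer-added flow placed first takes precedence over the
         stock ones. (Historical as of V5.2, but still honored.) -->
    <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
        <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
        <bean id="c14n/x500"      parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
        <bean id="c14n/simple"    parent="shibboleth.PostLoginSubjectCanonicalizationFlow" />
    </util:list>

    <!-- Case 2: NameID consumption. Same chain idea, but each descriptor
         is restricted to the NameID Format(s) it will accept, so a transient
         identifier is never handed to the persistent-ID reversal flow and
         vice versa. Omitting a flow here means that Format is rejected. -->
    <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
        <bean id="c14n/SAML2Transient" parent="shibboleth.SAMLNameIDCanonicalizationFlow">
            <property name="formats">
                <list>
                    <value>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</value>
                </list>
            </property>
        </bean>
        <bean id="c14n/SAML2Persistent" parent="shibboleth.SAMLNameIDCanonicalizationFlow">
            <property name="formats">
                <list>
                    <value>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</value>
                </list>
            </property>
        </bean>
    </util:list>

</beans>
```

Keeping the SAML list to only the Formats the deployment actually issues is the simplest way to ensure an incoming NameID of an unexpected Format fails canonicalization rather than being mapped by a flow that was never meant for it.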

For further details, refer to the use case-specific topics noted earlier.

Reference

Beans

Bean ID: shibboleth.PostLoginSubjectCanonicalizationFlows
Type: List<SubjectCanonicalizationFlowDescriptor>
Function: List of flow descriptors enumerating the c14n flows to run on the result of the login process

Bean ID: shibboleth.SAMLSubjectCanonicalizationFlows
Type: List<NameIDCanonicalizationFlowDescriptor>
Function: List of flow descriptors enumerating the c14n flows to run on incoming Name Identifiers
