FunctionPostLoginC14NConfiguration

This feature requires V5.2+ of the IdP software.

Current File(s): conf/c14n/subject-c14n.properties, conf/c14n/subject-c14n.xml
Format: Properties, Native Spring

Overview

The “function” post-login subject c14n method is an extension point allowing a deployer-supplied Function bean to be provided to implement the subject c14n process. It’s primarily just a wrapper to implement some of the boilerplate needed so the deployer need only implement a basic function signature.

The Function provided must implement the signature Function<SubjectCanonicalizationContext,String> (notably the input is not the more typical ProfileRequestContext used throughout the IdP, though the input context is generally a child of that context so it can be accessed if needed).

Configuration

Method Settings

Use conf/c14n/subject-c14n.properties to configure this method, while defining the Function bean in conf/c14n/subject-c14n.xml. That bean ID (whatever it is) is the one you set the property idp.c14n.function.Function to reference.

By default, the only transform applied to the result is a trim of leading or trailing whitespace. Case-folding and regular expression replacements can be added, per the reference section below, mostly as a convenience since one can certainly implement such features within the provided Function itself.
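The following is an added example, not code from the Shibboleth project: a Function with the signature described above that returns a name only when the Subject holds exactly one UsernamePrincipal, so an ambiguous login result is never silently resolved to one identity. The class, package and bean names are hypothetical, and treating a null return as "no usable result" is an assumption of this example.

```java
package org.example.idp; // hypothetical package

import java.util.Set;
import java.util.function.Function;

import javax.security.auth.Subject;

import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;

/**
 * Hypothetical deployer-supplied function for the "function" c14n method.
 * Declared in conf/c14n/subject-c14n.xml, e.g. with the (hypothetical) bean ID
 * my.CustomFunction, and referenced by idp.c14n.function.Function.
 */
public class SingleUsernameFunction
        implements Function<SubjectCanonicalizationContext, String> {

    @Override
    public String apply(final SubjectCanonicalizationContext c14nContext) {
        if (c14nContext == null) {
            return null; // assumption: null means no principal name was produced
        }
        final Subject subject = c14nContext.getSubject();
        if (subject == null) {
            return null;
        }

        // Refuse to guess when the login flow produced zero or several usernames.
        final Set<UsernamePrincipal> names =
                subject.getPrincipals(UsernamePrincipal.class);
        if (names.size() != 1) {
            return null;
        }

        final String name = names.iterator().next().getName();
        // Trimming and case-folding are left to the method's own settings;
        // only values that no transform should repair are rejected here.
        if (name == null || name.isBlank()
                || name.chars().anyMatch(Character::isISOControl)) {
            return null;
        }
        return name;
    }
}
```

Keeping case-folding in the idp.c14n.function.lowercase and idp.c14n.function.uppercase properties rather than in the function keeps the normalization rules visible in configuration.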

Enabling this Method

This method is enabled by setting a per-login-flow property in conf/authn/authn.properties that references it. The default bean ID of this method is “c14n/function”, so enabling it for a login flow looks like:

idp.authn.MFA.c14n.flows = c14n/function

It is possible to configure two (or more) instances of this method at the same time with different functions and settings. The default instance is configured with a set of global properties, so defining a second instance of it with different settings requires adding a bean to conf/c14n/subject-c14n.xml. This bean can be defined at the top level of the file and needs a unique ID to reference in the login flow property example above. It does not have to carry the “c14n/” prefix but this is useful for clarity.

As an example, to define a second instance with a unique function bean other than that defined via the idp.c14n.function.Function property:

<bean id="c14n/function2" parent="c14n/function" p:function-ref="my.CustomFunction2" />

That then allows you to reference “c14n/function2” in a login flow’s property as above.

Reference

| Bean ID | Type | Description |
|---|---|---|
| c14n/function | FunctionSubjectCanonicalization | Built-in instance of this method, auto-configured by properties and other beans as described. Also allows reuse of this bean as a parent to define additional instances of this method with different settings. |
| shibboleth.c14n.function.Transforms | Pair<String,String> | Pairs of regular expressions and replacement expressions to apply to the result of the Function |

The following properties are commented out in conf/c14n/subject-c14n.properties:

| Name | Type | Default | Description |
|---|---|---|---|
| idp.c14n.function.lowercase | Boolean | false | Whether to lowercase the result |
| idp.c14n.function.uppercase | Boolean | false | Whether to uppercase the result |
| idp.c14n.function.trim | Boolean | true | Whether to trim leading and trailing whitespace from the result |
