We've seen using the name of the Java security context as the value for all attributes, instead of the attribute values retrieved from the resolver. e.g.

2017-05-15 09:53:41,018 - DEBUG [net.shibboleth.idp.oidc.flow.PreAuthorizeUserApprovalAction:201] - xxx.xxx.xxx.xxx - Stored authentication [net.shibboleth.idp.oidc.client.userinfo.authn.SpringSecurityAuthenticationToken@67ea9dde: Principal: net.shibboleth.idp.authn.context.SubjectContext@1d62f620; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@44eca05e: Username: net.shibboleth.idp.authn.context.SubjectContext@76972061; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Granted Authorities: ROLE_USER, AuthenticationClassRefAuthority,urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, AuthenticationMethodRefAuthority,authn/RemoteUserInternal] into Spring security context
2017-05-15 09:53:41,817 - DEBUG [net.shibboleth.idp.oidc.client.userinfo.ShibbolethUserInfoRepository:130] - xxx.xxx.xxx.xxx - Final userinfo object constructed from attributes is {"sub":"net.shibboleth.idp.authn.context.SubjectContext@76972061","name":null,"preferred_username":"net.shibboleth.idp.authn.context.SubjectContext@76972061","given_name":null,"family_name":null,"middle_name":null,"nickname":null,"profile":null,"picture":null,"website":null,"gender":null,"zoneinfo":null,"locale":null,"updated_at":null,"birthdate":null,"email":null,"email_verified":null,"phone_number":null,"phone_number_verified":null}
vs

2017-09-22 11:54:47,944 - DEBUG [net.shibboleth.idp.oidc.flow.PreAuthorizeUserApprovalAction:201] - - Stored authentication [net.shibboleth.idp.oidc.client.userinfo.authn.SpringSecurityAuthenticationToken@2179319c: Principal: net.shibboleth.idp.authn.context.SubjectContext@656433ac; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.core.userdetails.User@6231f29: Username: bjensen; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Granted Authorities: ROLE_USER] into Spring security context
This hasn't happened frequently, but we'd like to understand the cause.

idp-process.log
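As an added example that is not part of the post above: a small scan over idp-process.log lines that flags userinfo entries whose string claims carry a Java object reference (class name plus `@` plus identity hash, as in the `SubjectContext@76972061` values shown) instead of a resolved attribute value. The marker text and the sample lines are constructed to match the log format in the post; the regex for a Java `Object.toString()` reference is an assumption about the value shape, not anything the IdP guarantees.

```python
import json
import re
from typing import Dict, List, Tuple

# Default Java Object.toString(): dotted fully-qualified class name, '@', hex identity hash.
# Assumed shape; a dotted name followed by '@' and a hex run could also be a real value.
JAVA_OBJECT_REF = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+@[0-9a-fA-F]+$")

# Text that precedes the JSON userinfo object in the post's log line.
USERINFO_MARKER = "Final userinfo object constructed from attributes is "


def suspicious_claims(userinfo: Dict[str, object]) -> List[str]:
    """Return the claim names whose string value looks like a Java object reference."""
    return sorted(name for name, value in userinfo.items()
                  if isinstance(value, str) and JAVA_OBJECT_REF.match(value))


def scan_idp_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """For each userinfo log entry, report (timestamp, affected claims) when any
    claim holds an object reference instead of an attribute value."""
    findings = []
    for line in lines:
        idx = line.find(USERINFO_MARKER)
        if idx < 0:
            continue  # not a userinfo construction entry
        payload = line[idx + len(USERINFO_MARKER):].strip()
        try:
            userinfo = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON remainder; skip rather than guess
        bad = suspicious_claims(userinfo)
        if bad:
            findings.append((line[:23], bad))  # "YYYY-MM-DD HH:MM:SS,mmm" is 23 chars
    return findings


# Constructed sample lines modelled on the post's format (abbreviated claim set).
SAMPLE_LINES = [
    "2017-05-15 09:53:41,817 - DEBUG [net.shibboleth.idp.oidc.client.userinfo.ShibbolethUserInfoRepository:130] - xxx.xxx.xxx.xxx - "
    + USERINFO_MARKER
    + '{"sub":"net.shibboleth.idp.authn.context.SubjectContext@76972061","name":null,'
    '"preferred_username":"net.shibboleth.idp.authn.context.SubjectContext@76972061","email":null}',
    "2017-09-22 11:54:47,944 - DEBUG [net.shibboleth.idp.oidc.client.userinfo.ShibbolethUserInfoRepository:130] - xxx.xxx.xxx.xxx - "
    + USERINFO_MARKER
    + '{"sub":"bjensen","name":"Barbara Jensen","preferred_username":"bjensen","email":null}',
    "2017-09-22 11:54:47,900 - DEBUG [net.shibboleth.idp.oidc.flow.PreAuthorizeUserApprovalAction:201] - "
    "xxx.xxx.xxx.xxx - Stored authentication [...] into Spring security context",
]

if __name__ == "__main__":
    for timestamp, claims in scan_idp_log(SAMPLE_LINES):
        print(f"{timestamp}: object reference in claims {claims}")
```

Run it against the real idp-process.log by reading the file into a list of lines; a hit on `sub` is the one that matters most, since that claim is what the relying party uses as the user identifier.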