...

Code Block
# Enable global cross-site request forgery mitigation for views. Default is off.
idp.csrf.enabled = true
# Name of the HTTP parameter that stores the CSRF token.
#idp.csrf.token.parameter = csrf_token

Excluding Views

Sometimes views do not require CSRF protection, e.g. because they do not submit sensitive information back to the IdP. Other times, views are involved in user flows that cannot meaningfully benefit from the synchroniser token pattern the IdP employs, e.g. an external authentication servlet (see CSRF FlowExecutionListener testing for External Authentication). Such views can be excluded by annotating the view-state with a csrf_excluded metadata attribute in the flow XML configuration files. For example, to exclude the external authentication transfer view-state:


Code Block
<view-state id="ExternalTransfer" view="externalRedirect:#{T(net.shibboleth.idp.authn.ExternalAuthentication).getExternalRedirect(flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.authn.External.externalAuthnPathStrategy').apply(opensamlProfileRequestContext), flowExecutionContext.getKey().toString())}">
    <attribute name="csrf_excluded" value="true" type="boolean"/> <!-- metadata attribute that excludes this view-state from CSRF checks -->
    ...
</view-state>



When enabling CSRF protection, uncomment the idp.csrf.include.viewstates property and list the view-states you want to protect. At a minimum, the login page (the DisplayUsernamePasswordPage view-state) should be included. In addition, the following views can benefit from CSRF protection.
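The following is an added illustration of how the three pieces described above (the idp.properties switches, the include list, and the csrf_excluded metadata attribute) combine under the synchroniser token pattern. It is not Shibboleth IdP code, only a stand-in that mirrors the behaviour: a protected view-state gets a fresh session-bound token when rendered, and an event submitted from that view is accepted only if the token comes back in the configured parameter. The property names are those quoted on this page; the comma-separated format of the include list, every function name, the second view-state name in the sample properties and the session/request data are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Added example, not IdP code. Property names follow idp.properties as quoted on the
# page; the include-list format (comma-separated), the function names and the sample
# data are assumptions.  "SomeOtherProtectedPage" is a hypothetical view-state id.
SAMPLE_PROPERTIES = """\
# Enable global cross-site request forgery mitigation for views. Default is off.
idp.csrf.enabled = true
# Name of the HTTP parameter that stores the CSRF token.
#idp.csrf.token.parameter = csrf_token
idp.csrf.include.viewstates = DisplayUsernamePasswordPage, SomeOtherProtectedPage
"""

# Defaults that apply when a property is absent or commented out.
DEFAULTS = {
    "idp.csrf.enabled": "false",
    "idp.csrf.token.parameter": "csrf_token",
    "idp.csrf.include.viewstates": "",
}

def parse_properties(text):
    """Parse 'key = value' lines. Lines starting with '#' are comments, so a
    commented-out property keeps its default instead of being set."""
    props = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        props[key] = value
    return props

def load_config(text=SAMPLE_PROPERTIES):
    """Turn the raw properties into typed settings used by the checks below."""
    p = parse_properties(text)
    return {
        "enabled": p["idp.csrf.enabled"].lower() == "true",
        "parameter": p["idp.csrf.token.parameter"],
        "include": {v.strip() for v in p["idp.csrf.include.viewstates"].split(",") if v.strip()},
    }

# View-states annotated with <attribute name="csrf_excluded" value="true" type="boolean"/>.
EXCLUDED_VIEWSTATES = {"ExternalTransfer"}

class CsrfViolation(Exception):
    """Raised when a protected view submits a missing or mismatched token."""

@dataclass
class Session:
    tokens: dict = field(default_factory=dict)   # view-state id -> token issued on render

def is_protected(view_state, config):
    """Protection applies only if globally enabled, the view is listed, and it is not excluded."""
    return bool(config["enabled"]
                and view_state in config["include"]
                and view_state not in EXCLUDED_VIEWSTATES)

def render_view(session, view_state, config):
    """Mint a fresh token when a protected view is rendered; the view embeds it in a hidden field."""
    if not is_protected(view_state, config):
        return None
    token = secrets.token_urlsafe(32)
    session.tokens[view_state] = token
    return token

def check_event(session, view_state, params, config):
    """Verify the token on an event from a protected view; excluded/unlisted views pass through."""
    if not is_protected(view_state, config):
        return True
    expected = session.tokens.get(view_state)
    submitted = params.get(config["parameter"])
    if expected is None or submitted is None:
        raise CsrfViolation(f"{view_state}: CSRF token missing")
    if not secrets.compare_digest(expected, submitted):   # constant-time comparison
        raise CsrfViolation(f"{view_state}: CSRF token mismatch")
    return True
```

Note that the ExternalTransfer view-state passes check_event without any token even though protection is enabled globally: the external servlet never sees the IdP's form, so there is no token for it to return, which is exactly why that view-state is excluded rather than listed.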

...