...

For more advanced cases, or to improve efficiency, you can define a bean containing a script or Java logic that evaluates the condition used to decide on reuse, and attach that bean by name.

Reference

Beans (V4.0)

The beans defined in authn/mfa-authn-config.xml follow:

| Bean ID | Type | Default | Description |
|---|---|---|---|
| shibboleth.authn.MFA.TransitionMap | Map<String,MultiFactorAuthenticationTransition> | | Static ruleset containing the starting point for MFA execution and the rules to use to decide how to do work |
| shibboleth.authn.MFA.TransitionMapStrategy | Function<ProfileRequestContext,Map<String,MultiFactorAuthenticationTransition>> | | Optional function bean to return the ruleset to use instead of using a static ruleset |
| shibboleth.authn.MFA.Transition | MultiFactorAuthenticationTransition | | Parent bean for defining transition rules in the values of the previous bean's map entries |
| shibboleth.authn.MFA.validateLoginTransitions | Boolean | true | Whether login flows should only be run with regard for forceAuthn/isPassive/nonBrowser (and similar) conditions |
| shibboleth.authn.MFA.resultMergingStrategy | Function<ProfileRequestContext,AuthenticationResult> | described above | Function to run to produce final merged result of MFA login flow during successful completion |
| shibboleth.authn.MFA.resultCachingPredicate | Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |

...

Notes

...

Beans (V4.1+)

The beans defined in authn/mfa-authn-config.xml follow:

| Bean ID | Type | Default | Description |
|---|---|---|---|
| shibboleth.authn.MFA.TransitionMap | Map<String,MultiFactorAuthenticationTransition> | | Static ruleset containing the starting point for MFA execution and the rules to use to decide how to do work |
| shibboleth.authn.MFA.TransitionMapStrategy | Function<ProfileRequestContext,Map<String,MultiFactorAuthenticationTransition>> | | Optional function bean to return the ruleset to use instead of using a static ruleset |
| shibboleth.authn.MFA.Transition | MultiFactorAuthenticationTransition | | Parent bean for defining transition rules in the values of the previous bean's map entries |
| shibboleth.authn.MFA.resultMergingStrategy | Function<ProfileRequestContext,AuthenticationResult> | described above | Function to run to produce final merged result of MFA login flow during successful completion |
| shibboleth.authn.MFA.resultCachingPredicate | Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
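
To show how the first three beans in the table fit together, here is a minimal authn/mfa-authn-config.xml written for this page as an added example; it is not the project's shipped file. The flow IDs authn/Password and authn/SecondFactor are placeholders assumed for illustration and must match login flows enabled in your deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the shipped configuration. Flow IDs are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Static ruleset: each key is the flow that just finished. -->
    <util:map id="shibboleth.authn.MFA.TransitionMap">

        <!-- The empty key is the starting point of MFA execution. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition"
                  p:nextFlow="authn/Password" />
        </entry>

        <!-- After the first factor succeeds, always run the second factor.
             "authn/SecondFactor" is a hypothetical flow ID. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition"
                  p:nextFlow="authn/SecondFactor" />
        </entry>

        <!-- No entry for the second flow: the MFA flow ends there and the
             result merging strategy produces the final result. -->
    </util:map>

</beans>
```

Because the second step is unconditional here, a request cannot complete with the first factor alone; a conditional rule would instead go through a function bean referenced from the transition.
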
Properties (V4.1+)

Properties specific to this flow defined in authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.MFA.validateLoginTransitions | true | Whether login flows should only be run with regard for forceAuthn/isPassive/nonBrowser (and similar) conditions |

Notes

It's been observed, accurately, that the data required to track the use of this feature in the session cache is on the order of 2-3 times as large as just a "simple" authentication result. While it is believed that this remains acceptable with the use of cookies, and certainly with HTML Storage, some storage service implementations such as that for Memcached rely on a less reliable persistence model that may prematurely evict data, so such options may not be a good fit with this feature.

...