...

A login flow is a subflow that is assigned a flow ID starting with "authn/" and is further defined to the system by a bean of type net.shibboleth.idp.authn.AuthenticationFlowDescriptor in a list in conf/authn/general-authn.xml. It must also, in general, be enabled via the idp.authn.flows property.

Note

While you may deliver a custom flow in a relatively "drop-in", self-contained jar, you MAY NOT manipulate the state of the IdP at runtime to install the necessary descriptor bean, because it is impossible to guarantee that your modification will take place early enough to be seen by other objects in the system. There is no publicly supported mechanism to extend any of the beans defined inside the "root" web app context, so you MUST rely on the deployer making the necessary adjustments to define custom flows to the system via the associated type of FlowDescriptor.
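
The registration the deployer performs, shown as an added example that is not part of this page: a descriptor for a hypothetical flow "authn/Example" in conf/authn/general-authn.xml. The parent bean shibboleth.AuthenticationFlow, the list id shibboleth.AvailableAuthenticationFlows, the p:passiveAuthenticationSupported/p:forcedAuthenticationSupported properties and the shibboleth.SAML2AuthnContextClassRef bean follow the IdP 3.x general-authn.xml convention and are assumed here, not taken from this page; the supported principal is illustrative.

```xml
<!-- conf/authn/general-authn.xml (fragment, added example; "authn/Example" is hypothetical) -->
<util:list id="shibboleth.AvailableAuthenticationFlows">

    <!-- The bean id is the flow ID and must start with "authn/". -->
    <bean id="authn/Example" parent="shibboleth.AuthenticationFlow"
        p:passiveAuthenticationSupported="false"
        p:forcedAuthenticationSupported="true">
        <!-- Principals this flow can satisfy; consulted against a RequestedPrincipalContext. -->
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            </list>
        </property>
    </bean>

</util:list>

<!-- conf/idp.properties: enable the flow by its ID without the "authn/" prefix (assumed syntax). -->
<!-- idp.authn.flows = Example -->
```

Declaring passive support as false is the conservative choice for a flow that always requires user interaction, so a passive request will skip it rather than fail mid-flow.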

Internal Contract

Login flows must interact with the system by accessing and mutating the context tree in specific ways.

...

The following events worthy of special note may occur as a result of invoking the subsystem:

Event                          Description
proceed                        Successful authentication.
RestartAuthentication (3.3)    Authentication should be repeated from scratch (including creation of a new AuthenticationContext and related content).
NoPotentialFlow                No authentication flow is configured for use. This can also indicate that a request for passive authentication prevented use of all the possible flows.
RequestUnsupported             No flow or active result met the requirements of a RequestedPrincipalContext.
NoCredentials                  A flow was unable to extract or obtain credentials from the subject.
InvalidCredentials             A flow was unable to successfully validate credentials from the subject. Often this event and the previous event may be isolated within a flow because the subject is expected to keep trying, but there may be retry limits or other factors that will expose this condition.
SubjectCanonicalizationError   The Subject resulting from authentication couldn't be turned into a canonical principal name.

Various other events signifying more low-level error conditions may also occur.

...

Success may populate a SessionContext as a child of the ProfileRequestContext.