...
To validate that a given user is allowed to use a certain context level, the MCB must be able to obtain the list of permitted contexts from some source. This is done by tying in with the standard Shibboleth attribute-resolver.xml file: the value given here is the ID of an attribute resolver rule that contains those choices. Once a user is authenticated, the attribute resolver is called to resolve those values, and the MCB uses them in its decision making.
principalAuthnContextRequired
```xml
<!--
If set to FALSE, then if the user has no assigned contexts and the SP does not request one, then
successful authentication via the initial authentication will be returned to the SP as
successful. This in effect mimics the current Shibboleth behavior.
If set to TRUE, then a valid context for the user is always required.
-->
<principalAuthnContextRequired>true</principalAuthnContextRequired>
```
This option lets the administrator permit a user to authenticate successfully to an SP when the user has no context assigned to their identity in the IDMS and the SP does not request any context value. Setting this value to false gives the behavior of regular Shibboleth authentication in that case. If the SP requests a context value, this option is ignored; if the user has a context assigned, this option is also ignored.
maxFailures
```xml
<!--
The maximum number of failures allowed a user before returning a SAML failure to the relying party.
Must be specified according to schema definition. Set to a value of -1 to allow an unlimited number
of login failures.
-->
<maxFailures>3</maxFailures>
```
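The decision rules for these two options (the principalAuthnContextRequired cases above and the maxFailures limit) are easy to get wrong when read as prose, so here they are as a small added illustration; this is not MCB's own code. It assumes the attribute-resolver lookup is replaced by an inline dictionary, that a failure count is tracked per principal, and that the limit is exceeded once the count passes maxFailures; the outcome names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed configuration fragment using the two options described on this page.
MCB_CONFIG = """
<mcb>
  <principalAuthnContextRequired>false</principalAuthnContextRequired>
  <maxFailures>3</maxFailures>
</mcb>
"""

# Constructed stand-in for the attribute-resolver result (principal -> allowed contexts).
ALLOWED_CONTEXTS = {
    "alice": ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
              "https://example.org/ac/mfa"],   # hypothetical context IDs
    "bob": [],                                  # no context assigned in the IDMS
}


def load_config(xml_text):
    """Parse the two options; returns (context_required, max_failures)."""
    root = ET.fromstring(xml_text)
    required = root.findtext("principalAuthnContextRequired", "true").strip().lower() == "true"
    max_failures = int(root.findtext("maxFailures", "-1").strip())
    return required, max_failures


def evaluate(principal, requested_contexts, failures, config):
    """Outcome of an authentication attempt (outcome names are assumed, not MCB's).

    SAML_FAILURE      - failure count has exceeded maxFailures (-1 = unlimited)
    NO_VALID_CONTEXT  - the user cannot satisfy any acceptable context
    SUCCESS           - authentication is returned to the SP as successful
    """
    required, max_failures = config
    if max_failures != -1 and failures > max_failures:
        return "SAML_FAILURE"
    allowed = ALLOWED_CONTEXTS.get(principal, [])
    if requested_contexts:
        # SP asked for specific contexts: principalAuthnContextRequired is ignored.
        return "SUCCESS" if any(c in allowed for c in requested_contexts) else "NO_VALID_CONTEXT"
    if not allowed:
        # No request and no assigned context: only the flag decides (false = plain Shibboleth).
        return "NO_VALID_CONTEXT" if required else "SUCCESS"
    return "SUCCESS"  # user has contexts and the SP did not constrain them
```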
...