| Localtab |
|---|
| active | true |
|---|
| title | Properties |
|---|
|
| Localtab |
|---|
|
| id | FDXML |
|---|
title | Flow Descriptor XMLThe TOTP-specific properties defined are: | Name | Default | Description |
|---|
| idp.authn.TOTP.headerName | X-Shibboleth-TOTP | Name of request header to use for extracting non-browser submitted token codes | | idp.authn.TOTP.fieldName | tokencode | Name of HTML form field to use for locating browser-submitted token codes | | idp.authn.TOTP.tokenSeedAttribute | tokenSeeds | Name of IdPAttribute to resolve to obtain token seeds for users |
As a non-password based flow, the supportedPrincipals property defaults to the following XML: | Code Block |
|---|
| <list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:HardwareToken" />
</list> |
In property form, this is expressed as: | Code Block |
|---|
idp.authn.TOTP.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, \
saml1/urn:oasis:names:tc:SAML:1.0:am:HardwareToken |
| | Localtab |
|---|
|
The following beans exist or may be defined to customize the flow. They may be placed in conf/global.xml or another imported location.
| Name / Type | Default | Description |
|---|
shibboleth.authn.TOTP.SeedSource Consumer<ProfileRequestContext> | Use of Attribute Resolver | Overrides the component that populates seeds for a user into the context tree for validation of codes |
shibboleth.authn.TOTP.Authenticator net.shibboleth.idp.plugin.authn.totp.impl.TOTPAuthenticator | Google library-based implementation | Overrides the component that does validation of token codes |
shibboleth.authn.TOTP.AccountLockoutManager AccountLockoutManager | A lockout manager that, if defined, will enable account lockout feature | shibboleth.authn.TOTP.ClassifiedMessageMap Map<String,List<String>> | Built-in component | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. |
shibboleth.authn.TOTP.Validator CredentialValidator | Built-in component | Override of the core component that validates token codes |
shibboleth.authn.Duo.UsernameLookupStrategy Function<ProfileRequestContext,String> | CanonicalUsernameLookupStrategy | Optional bean to supply username |
shibboleth.authn.TOTP.resultCachingPredicate Predicate<ProfileRequestContext> | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session | The general properties configuring this flow via authn/authn.properties are: | Name | Default | Description |
|---|
| idp.authn.TOTP.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) | | idp.authn.TOTP.nonBrowserSupported | true | Whether the flow should handle non-browser request profiles (e.g., ECP) | | idp.authn.TOTP.passiveAuthenticationSupported | true | Whether the flow allows for passive authentication | | idp.authn.TOTP.forcedAuthenticationSupported | true | Whether the flow supports forced authentication | | idp.authn.TOTP.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying | | idp.authn.TOTP.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying | | idp.authn.TOTP.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow | | idp.authn.TOTP.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow | | idp.authn.TOTP.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow | | idp.authn.TOTP.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO | | idp.authn.TOTP.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request | | idp.authn.TOTP.subjectDecorator |
| Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization | | idp.authn.TOTP.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow | | idp.authn.TOTP.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |
As a non-password based flow, the supportedPrincipals property defaults to the following XML: | Code Block |
|---|
| <list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:HardwareToken" />
</list> |
In property form, this is expressed as: | Code Block |
|---|
idp.authn.TOTP.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, \
saml1/urn:oasis:names:tc:SAML:1.0:am:HardwareToken |
|