Because there are a variety of different login methods, most of the actual configuration is documented in the topics covering those methods, but there are a few general properties, and a larger set of properties that control the management of sessions, which are of course closely related to authentication. The most important property to note, and the only one that MUST be set, is the idp.authn.flows property. This is a regular expression that identifies which of the flows defined in general-authn.xml to enable. The expression applies only to the suffix of each flow ID (omitting the authn/ prefix), and the simplest way to express this is with a pipe (|) separated list of the flow names, e.g., flow1|flow2|flow3

| Property / Type | Default | Function |
|---|---|---|
| idp.authn.flows (Regular Expression) | | Required; expression that identifies the login flows to globally enable |
| idp.authn.defaultLifetime (Duration) | PT60M | Default amount of time to allow reuse of prior authentication flows, measured since first usage |
| idp.authn.defaultTimeout (Duration) | PT30M | Default inactivity timeout to prevent reuse of prior authentication flows, measured since last usage |
| idp.authn.favorSSO (Boolean) | false | Whether to prioritize prior authentication results when an SP requests more than one possible matching method |
| idp.authn.rpui (Boolean) | true | Whether to populate information about the relying party into the tree for user interfaces during login and interceptors |
| idp.authn.identitySwitchIsError (Boolean) | false | Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session |
| idp.authn.overrideRequestedAuthnContext (Boolean) | false | Whether to override an explicit <RequestedAuthnContext> element in an SP's request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. Note this is a violation of the SAML standard and is also a global setting applying to all SPs that may have such a profile configuration set. |
Properties (V4.1+)

Note: The properties prefixed by "idp.authn." have been moved by default to the new conf/authn/authn.properties file (together with a large set of additional method-specific ones documented elsewhere). Upgraded systems should take care to either ignore that new file, or explicitly bring it into use by moving any non-defaulted settings from idp.properties into it. The ReleaseNotes describe how to automatically load this, and any other, new property files.
Because there are a variety of different login methods, most of the actual configuration is documented in the topics covering those methods, but there are a few general properties, and a larger set of properties that control the management of sessions, which are of course closely related to authentication. The most important property to note is the idp.authn.flows property. This is a regular expression that identifies the login flows to enable. The expression applies only to the suffix of each flow ID (omitting the authn/ prefix), and the simplest way to express this is with a pipe (|) separated list of the flow names, e.g., flow1|flow2|flow3

Note that as of V4.1, this property defaults to "Password", simply to ensure the system can minimally operate out of the box and because that is the most common method.

| Property / Type | Default | Function |
|---|---|---|
| idp.authn.flows (Regular Expression) | Password | Regular expression that identifies the login flows to globally enable |
| idp.authn.defaultLifetime (Duration) | PT60M | Default amount of time to allow reuse of prior authentication flows, measured since first usage |
| idp.authn.defaultTimeout (Duration) | PT30M | Default inactivity timeout to prevent reuse of prior authentication flows, measured since last usage |
| idp.authn.proxyRestrictionsEnforced (Boolean) | true | Whether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication |
| idp.authn.favorSSO (Boolean) | false | Whether to prioritize prior authentication results when an SP requests more than one possible matching method |
| idp.authn.rpui (Boolean) | true | Whether to populate information about the relying party into the tree for user interfaces during login and interceptors |
| idp.authn.identitySwitchIsError (Boolean) | false | Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session |
| idp.authn.discoveryURL (String) | | Provides a static discovery URL to use for external discovery; this property replaces the need for the XML-defined bean used in V4.0 for this purpose |
| idp.authn.overrideRequestedAuthnContext (Boolean) | false | Whether to override an explicit <RequestedAuthnContext> element in an SP's request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. Note this is a violation of the SAML standard and is also a global setting applying to all SPs that may have such a profile configuration set. |
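The following is an added example, not code from the Shibboleth project or this wiki page. It models the two behaviours described above: selecting login flows by applying the idp.authn.flows expression to the flow ID suffix, and deciding whether a prior result is still reusable under defaultLifetime (since first use) and defaultTimeout (since last use). It assumes, as an assumption of mine rather than a statement of the page, that the expression must match the whole suffix, as Java's String.matches() does; the flow IDs and timestamps are constructed sample data.

```python
"""Added example, not Shibboleth code: models idp.authn.flows selection and the
defaultLifetime / defaultTimeout reuse rules from the properties table above.

Assumption (mine, not from the page): the regular expression must match the whole
flow ID suffix, as Java's String.matches() does, so "Pass" does not enable Password.
"""
import re
from datetime import datetime, timedelta

FLOW_PREFIX = "authn/"  # login flow IDs carry this prefix; the regex ignores it


def enabled_flows(flows_property, flow_ids):
    """Return the flow IDs whose suffix (after 'authn/') fully matches the
    idp.authn.flows regular expression, e.g. "Password|MFA"."""
    pattern = re.compile(flows_property)
    enabled = []
    for flow_id in flow_ids:
        if not flow_id.startswith(FLOW_PREFIX):
            continue  # interceptor and other non-login flows are never candidates
        if pattern.fullmatch(flow_id[len(FLOW_PREFIX):]):
            enabled.append(flow_id)
    return enabled


_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def parse_duration(text):
    """Parse the ISO-8601 time-only durations used by the Duration properties
    (PT60M, PT1H30M, PT45S); other forms are rejected."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def result_reusable(first_used, last_used, now, lifetime="PT60M", timeout="PT30M"):
    """A prior authentication result may be reused only while BOTH hold:
    now - first_used <= defaultLifetime and now - last_used <= defaultTimeout.
    Timestamps are ISO-8601 strings, e.g. "2024-01-01T09:00:00"."""
    first, last, at = (datetime.fromisoformat(t) for t in (first_used, last_used, now))
    return at - first <= parse_duration(lifetime) and at - last <= parse_duration(timeout)


# Constructed sample data: flow IDs registered in a hypothetical deployment.
SAMPLE_FLOWS = ["authn/Password", "authn/Duo", "authn/IPAddress", "authn/MFA",
                "intercept/attribute-release"]
```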
Beans related to general authentication configuration follow:

| Bean ID | Type | Function |
|---|---|---|
| shibboleth.AvailableAuthenticationFlows | List<AuthenticationFlowDescriptor> | List of descriptors enumerating the supported authentication flows that can be used (supplanted in V4.1 through autowiring of AuthenticationFlowDescriptor beans, but you may need to create this bean if you wish to extend/alter the system-defined beans) |
| shibboleth.AuthenticationPrincipalWeightMap | Map<Principal,Integer> | Map of weights to assign to particular custom Principal objects so that flows can pick an appropriate default Principal to associate with their result (see comment in file for more detail) |
| shibboleth.AuthenticationFlow | AuthenticationFlowDescriptor | Parent bean for defining new flow descriptors, generally only needed by extension developers or those wishing to override the system-defined XML |
| shibboleth.SAML2AuthnContextClassRef | AuthnContextClassRefPrincipal | Parent bean for attaching SAML 2.0 AuthnContextClassRef constants to flows |
| shibboleth.SAML2AuthnContextDeclRef | AuthnContextDeclRefPrincipal | Parent bean for attaching SAML 2.0 AuthnContextDeclRef constants to flows |
| shibboleth.SAML1AuthenticationMethod | AuthenticationMethodPrincipal | Parent bean for attaching SAML 1.1 AuthenticationMethod constants to flows |
| shibboleth.FixedAuthenticationEventStrategy | Function<ProfileRequestContext,String> | Function for producing a Spring WebFlow Event to signal from login flow validation actions, to artificially test error or warning customizations |

The following beans are used to configure IdP Discovery when proxying.

| Bean ID | Type | Function |
|---|---|---|
| shibboleth.authn.discoveryURL | String | An explicit Discovery Service URL (supplanted in V4.1 by the idp.authn.discoveryURL property) |
| shibboleth.authn.discoveryURLStrategy | Function<ProfileRequestContext,String> | A function to apply to produce the Discovery Service URL |

The following beans are used to configure comparison rules for custom Principals, supporting the login flow selection rules applied when requests specify particular methods, as described in AuthenticationFlowSelection.

| Bean ID | Type | Function |
|---|---|---|
| shibboleth.AuthnComparisonRules | Map used as constructor argument to PrincipalEvalPredicateFactoryRegistry | Map of comparison rules |
| shibboleth.SAMLAuthnMethodExact, shibboleth.SAMLACClassRefExact, shibboleth.SAMLACDeclRefExact, shibboleth.SAMLACClassRefMinimum, shibboleth.SAMLACDeclRefMinimum, shibboleth.SAMLACClassRefMaximum, shibboleth.SAMLACDeclRefMaximum, shibboleth.SAMLACClassRefBetter, shibboleth.SAMLACDeclRefBetter | Pair<Class<? extends Principal>, String> | Pairs of custom Principal types and matching operators for all the SAML 1.1 and 2.0 principal and comparison types supported, used as keys for the shibboleth.AuthnComparisonRules map |
| shibboleth.ExactMatchFactory, shibboleth.InexactMatchFactory | PrincipalEvalPredicateFactory | Template beans for values of the shibboleth.AuthnComparisonRules map |
| shibboleth.BetterClassRefMatchFactory, shibboleth.MinimumClassRefMatchFactory, shibboleth.MaximumClassRefMatchFactory, shibboleth.BetterDeclRefMatchFactory, shibboleth.MinimumDeclRefMatchFactory, shibboleth.MaximumDeclRefMatchFactory | PrincipalEvalPredicateFactory | Beans supplying matching rules for implementing SAML 2.0 "inexact" comparisons of AuthnContextClassRef or AuthnContextDeclRef constants |
| shibboleth.IgnoredContexts | Collection<String> | A collection of SAML 2.0 AuthnContextClassRef or AuthnContextDeclRef values to ignore if found in an <AuthnRequest> message |
| shibboleth.PrincipalProxyRequestMappings | Map<Principal,Collection<Principal>> | Mapping rules for transforming values in requests into new values in proxied requests |
| shibboleth.PrincipalProxyResponseMappings | Map<Principal,Collection<Principal>> | Mapping rules for transforming values in proxied responses into new values |