Current File(s): conf/admin/admin.properties, conf/admin/hello-world.js, views/admin/hello.vm
Format: Native Spring, Velocity, Properties

Overview

The "hello" or "hello world" flow is a feature provided to ease the initial deployment and testing of the core "back-end" behavior of the IdP, such as authentication and attribute resolution. Because it does not require an SP to function, it's possible to log in, resolve attributes, and dump the result to the user locally, which avoids the awkward "just testing" stage that has traditionally complicated the early use of the software.

...

If you prefer to customize this flow via XML or wish to apply settings not supported by properties, you can override the flow descriptor by creating your own bean (see the Flow Descriptor example in the Reference below).

The defaults assume that the rule for accessing the flow is that the user must log in first, that attributes will be resolved, and that a map entry keyed under "AccessByAdminUser" will be defined in conf/access-control.xml to determine who can access the flow. The access control features are described under AccessControlConfiguration and are fully generic (even wide open if desired).

...

One optional feature is support for a server-side scriptlet file in conf/admin/hello-world.js. If supplied, this is a script taking as input the ProfileRequestContext just prior to the completion of the flow. If the script returns a null value, the flow completes. If the script returns any other string value, the string will become an error "event" that completes the flow abnormally.

...

The user interface for this flow is supplied by the template in views/admin/hello.vm and the default view illustrates a simple dump of information from the authentication and attribute resolution process.

Reference

Properties

The general properties configuring this flow via admin/admin.properties are:

| Name | Default | Description |
|------|---------|-------------|
| idp.Hello.logging | Hello | Audit log identifier for flow |
| idp.Hello.accessPolicy | AccessByAdminUser | Name of access control policy for request authorization |
| idp.Hello.authenticated | true | Whether authentication should be performed prior to access control evaluation |
| idp.Hello.nonBrowserSupported | false | Whether the flow should allow for non-browser clients during authentication |
| idp.Hello.resolveAttributes | true | Whether attributes should be resolved prior to access control evaluation |

Flow Descriptor XML

To replace the internally defined flow descriptor bean, the following XML is required:

<util:list id="shibboleth.AvailableAdminFlows">
 
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/hello"
        p:loggingId="%{idp.hello.logging:Hello}"
        p:policyName="%{idp.hello.accessPolicy:AccessByAdminUser}"
        p:nonBrowserSupported="%{idp.hello.nonBrowserSupported:false}"
        p:authenticated="%{idp.hello.authenticated:true}"
        p:resolveAttributes="%{idp.hello.resolveAttributes:true}" />
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/admin/general-admin.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.
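
A configuration check for the settings above, as an added example that is not part of the Shibboleth documentation or code: it computes the effective Hello flow settings from admin.properties text and reports a policy name with no map entry in conf/access-control.xml, disabled authentication or attribute resolution, and keys that differ only in letter case from the names the descriptor XML reads (idp.hello.*). The function names, the sample inputs and the AccessByHelpdesk policy name are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Defaults from the properties table; names spelled as the descriptor XML reads them.
DEFAULTS = {
    "idp.hello.logging": "Hello",
    "idp.hello.accessPolicy": "AccessByAdminUser",
    "idp.hello.authenticated": "true",
    "idp.hello.nonBrowserSupported": "false",
    "idp.hello.resolveAttributes": "true",
}
# Constructed sample inputs; AccessByHelpdesk is a hypothetical policy name.
SAMPLE_PROPERTIES = """\
idp.Hello.authenticated = false
idp.hello.accessPolicy = AccessByHelpdesk
idp.hello.resolveAttributes=false
"""
SAMPLE_ACCESS_CONTROL = """\
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util">
  <util:map><entry key="AccessByAdminUser"><!-- policy bean omitted --></entry></util:map>
</beans>
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    pairs = (re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def audit_hello_flow(properties_text, access_control_xml):
    """Return (effective settings, findings) for the Hello flow."""
    effective, findings = dict(DEFAULTS), []
    canonical = {name.lower(): name for name in DEFAULTS}
    for key, value in parse_properties(properties_text).items():
        if key in DEFAULTS:
            effective[key] = value
        elif key.lower() in canonical:  # Java property names are case-sensitive
            findings.append(f"{key} differs only in case from {canonical[key.lower()]}")
    # Keys of every <entry> element in access-control.xml, whatever its namespace.
    entries = {e.get("key") for e in ET.fromstring(access_control_xml).iter()
               if e.tag.rsplit("}", 1)[-1] == "entry"}
    policy = effective["idp.hello.accessPolicy"]
    if policy not in entries:
        findings.append(f"access policy {policy} has no map entry in access-control.xml")
    for name, what in (("authenticated", "no authentication is performed"), ("resolveAttributes", "attributes are not resolved")):
        if effective[f"idp.hello.{name}"].lower() != "true":
            findings.append(f"{what} before access control evaluation")
    return effective, findings

if __name__ == "__main__":
    print(*audit_hello_flow(SAMPLE_PROPERTIES, SAMPLE_ACCESS_CONTROL)[1], sep="\n")
```

On the constructed sample, the mis-cased idp.Hello.authenticated line is reported rather than applied, so the effective value of idp.hello.authenticated stays at its default of true.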