Versions Compared

Old Version 22

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 23

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleProperties (V4.1+)

The flow-specific properties usable via authn/authn.properties are:

Name

Default

Description

idp.authn.SPNEGO.externalAuthnPath

/Authn/SPNEGO

Servlet-relative path to the SPNEGO external authentication implementation

idp.authn.SPNEGO.enforceRun

false

Whether to always try to run SPNEGO, independent of the user's auto-login setting (i.e., try to run for all users)

idp.authn.SPNEGO.refreshKrbConfig

false

Whether to reload the underlying Kerberos configuration (generally in /etc/krb5.conf) on every login attempt

idp.authn.SPNEGO.matchExpression

Regular expression to match username against

idp.authn.SPNEGO.cookieName 4.2

_idp_spnego_autologin

Name of cookie used to track auto-login state of client

The general properties configuring this flow via authn/authn.properties are:

Name

Default

Description

idp.authn.SPNEGO.order

1000

Flow priority relative to other enabled login flows (lower is "higher" in priority)

idp.authn.SPNEGO.nonBrowserSupported

false

Whether the flow should handle non-browser request profiles (e.g., ECP)

idp.authn.SPNEGO.passiveAuthenticationSupported

false

Whether the flow allows for passive authentication

idp.authn.SPNEGO.forcedAuthenticationSupported

false

Whether the flow supports forced authentication

idp.authn.SPNEGO.proxyRestrictionsEnforced

%{idp.authn.enforceProxyRestrictions:true}

Whether the flow enforces upstream IdP-imposed restrictions on proxying

idp.authn.SPNEGO.proxyScopingEnforced

false

Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying

idp.authn.SPNEGO.discoveryRequired

false

Whether to invoke IdP-discovery prior to running flow

idp.authn.SPNEGO.lifetime

%{idp.authn.defaultLifetime:PT1H}

Lifetime of results produced by this flow

idp.authn.SPNEGO.inactivityTimeout

%{idp.authn.defaultTimeout:PT30M}

Inactivity timeout of results produced by this flow

idp.authn.SPNEGO.reuseCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO

idp.authn.SPNEGO.activationCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request

idp.authn.SPNEGO.subjectDecorator

Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization

idp.authn.SPNEGO.supportedPrincipals

(see below)

Comma-delimited list of protocol-specific Principal strings associated with flow

idp.authn.SPNEGO.addDefaultPrincipals

true

Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

As a non-password based flow, the supportedPrincipals property defaults to the following XML:

Code Block
languagexml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:ietf:rfc:1510" />
</list>

In property form, this is expressed as (note the trailing commas):

Code Block
idp.authn.SPNEGO.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
    saml1/urn:ietf:rfc:1510

...