...
In earlier versions, you would need to edit the Duo flow descriptor bean and set the addDefaultPrincipals
property to false in conf/authn/general-authn.xml.
DuoOIDC Use
The example works essentially the same way for the Universal Prompt plugin, but due to a bug, the plugin doesn’t yet support a property for turning off addDefaultPrincipals (a bug has been filed and will be fixed in a subsequent patch). The plugin currently uses a somewhat complex rule to decide how to set that property. A workaround for now, which avoids the need to declare the whole flow descriptor somewhere, is to add this additional function to conf/authn/duo-oidc-authn-config.xml:
```xml
<!-- Need this to override addDefaultPrincipals behavior. -->
<bean id="shibboleth.authn.DuoOIDC.ContextToPrincipalMappingStrategy" parent="shibboleth.Functions.Constant">
    <constructor-arg>
        <null/>
    </constructor-arg>
</bean>
```
That function hook provides a more advanced way to derive the right set of Principals to attach at runtime, but using a null function tricks the plugin into not automatically adding any, which allows the per-integration Principals to be added instead. The workaround won’t break even after the bug is fixed.