
<!-- Turn off default behavior in favor of integration-specific principals below. -->
<util:constant id="shibboleth.authn.Duo.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />

<bean id="DefaultDuo" classparent="net.shibboleth.idp.authn.duoDuo.BasicDuoIntegrationDuoIntegration"
		p:APIHost="%{idp.duo.apiHost:none}"
		p:applicationKey="%{idp.duo.applicationKey:none}"
		p:integrationKey="%{idp.duo.integrationKey:none}"
		p:secretKey="%{idp.duo.secretKey:none}">
	<property name="supportedPrincipals">
		<list>
			<bean parent="shibboleth.SAML2AuthnContextClassRef"
				c:classRef="http://example.org/ac/classes/mfa/default" />
			<bean parent="shibboleth.SAML1AuthenticationMethod"
				c:method="http://example.org/ac/classes/mfa/default" />
		</list>
	</property>
</bean>

<bean id="SpecialDuo" classparent="net.shibboleth.idp.authn.duoDuo.BasicDuoIntegrationDuoIntegration"
		p:APIHost="%{idp.specialduo.apiHost:none}"
		p:applicationKey="%{idp.specialduo.applicationKey:none}"
		p:integrationKey="%{idp.specialduo.integrationKey:none}"
		p:secretKey="%{idp.specialduo.secretKey:none}">
	<property name="supportedPrincipals">
		<list>
			<bean parent="shibboleth.SAML2AuthnContextClassRef"
				c:classRef="http://example.org/ac/classes/mfa/special" />
			<bean parent="shibboleth.SAML1AuthenticationMethod"
				c:method="http://example.org/ac/classes/mfa/special" />
		</list>
	</property>
</bean>

<util:list id="DuoIntegrationList">
	<ref bean="SpecialDuo" />
	<ref bean="DefaultDuo" />
</util:list>

<bean id="shibboleth.authn.Duo.DuoIntegrationStrategy" parent="shibboleth.ContextFunctions.Scripted"
		factory-method="inlineScript"
        p:customObject-ref="DuoIntegrationList">
	<constructor-arg>
		<value>
		<![CDATA[
		duo = null;
		authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
		iter = custom.iterator();
		while (duo == null && iter.hasNext()) {
			duo = iter.next();
			if (!authCtx.isAcceptable(duo)) {
				duo = null;
			}
		}
		duo;
		]]>
		</value>
	</constructor-arg>
</bean>
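Review bot: The ordering of `DuoIntegrationList` is load-bearing but undocumented: the inline script returns the first entry that `authCtx.isAcceptable(duo)` accepts, so `SpecialDuo` is listed before `DefaultDuo` precisely so the default is only reached as a fallback, and the script yields `null` when nothing in the list is acceptable. A reader editing the list would not know that swapping the two `<ref>` elements changes which integration is selected. I would add `<!-- First acceptable integration in list order wins; keep DefaultDuo last. Returns null if none is acceptable. -->` above the `<util:list>` element, and note in the script comment that the `custom` object is the list injected via `p:customObject-ref`. The `classparent` and `duoDuo.BasicDuoIntegrationDuoIntegration` text on the two bean declarations looks like old and new versions merged by the compare view rather than the intended markup.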

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

    default-init-method="initialize" default-destroy-method="destroy">

    <!-- Require an explicit CA root on Duo AuthAPI calls. -->

    <bean id="shibboleth.authn.Duo.NonBrowser.HttpClientSecurityParameters"
            class="org.opensaml.security.httpclient.HttpClientSecurityParameters">
        <property name="tLSTrustEngine">
            <bean parent="shibboleth.StaticPKIXTrustEngine"
                p:trustedNames="*.duosecurity.com"
                p:checkNames="true">
				<property name="certificates">
					<list>
						<bean class="org.springframework.core.io.FileSystemResource"
							c:_0="%{idp.home}/credentials/duo-ca.pem"/>
					</list>
				</property>
			</bean>
		</property>
    </bean>
    
    <bean id="shibboleth.authn.Duo.NonBrowser.HttpClient"         
parent="shibboleth.HttpClientFactory"
        p:connectionTimeout="%{idp.httpclient.connectionTimeout:PT1M}"
        p:connectionRequestTimeout="%{idp.httpclient.connectionRequestTimeout:PT1M}"
        p:socketTimeout="%{idp.httpclient.socketTimeout:PT1M}" 
        p:maxConnectionsTotal="%{idp.httpclient.maxConnectionsTotal:100}"
        p:maxConnectionsPerRoute="%{idp.httpclient.maxConnectionsPerRoute:100}"
        p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactory" />

</beans>
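Review bot: The `p:trustedNames="*.duosecurity.com"` value on the `shibboleth.StaticPKIXTrustEngine` bean deserves a note about how it is matched, because with `p:checkNames="true"` the name check is what prevents any certificate chaining to `duo-ca.pem` from being accepted for the AuthAPI host. As far as I can tell the OpenSAML name evaluator compares trusted names literally against the certificate's CN and subjectAltName entries rather than expanding wildcards, so the value would only match a certificate that itself carries a `*.duosecurity.com` name; this is worth confirming, and if it is exact matching the example should use the literal hostname configured in `idp.duo.apiHost`. I would add a comment on the `trustedNames` line such as `<!-- Must match a name in the API host's certificate; confirm wildcard handling before relying on this pattern. -->`. The `p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactory"` on the HttpClient bean is what causes the trust engine above to be consulted, and that dependency could also be stated in the leading comment so the two beans are not split apart later.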


The beans defined, or expected to be defined, in authn/duo-authn-config.xml follow:

Bean ID / Type

Default

Description

shibboleth.authn.Duo.DuoIntegration

DuoIntegration

Derived from settings in duo.properties

Defines a single/static DuoWeb integration with Duo; you can override this bean to supply a non-property-configured alternative or inherit from it to create additional ones

shibboleth.authn.Duo.NonBrowser.DuoIntegration

DuoIntegration

Derived from settings in duo.properties

Defines a single/static AuthAPI integration with Duo; you can override this bean to supply a non-property-configured alternative or inherit from it to create additional ones

shibboleth.authn.Duo.DuoIntegrationStrategy

Function<ProfileRequestContext,DuoIntegration>

Optional bean to supply the DuoWeb integration settings dynamically

shibboleth.authn.Duo.NonBrowser.DuoIntegrationStrategy

Function<ProfileRequestContext,DuoIntegration>

Optional bean to supply the Duo AuthAPI integration settings dynamically

shibboleth.authn.Duo.UsernameLookupStrategy

Function<ProfileRequestContext,String>

CanonicalUsernameLookupStrategy

Optional bean to supply username

shibboleth.authn.Duo.resultCachingPredicate

Predicate<ProfileRequestContext>

An optional bean that can be defined to control whether to preserve the authentication result in an IdP session

shibboleth.authn.Duo.addDefaultPrincipals

Boolean

true

Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject

shibboleth.authn.Duo.NonBrowser.HttpClient

HttpClient

Internal/default HttpClient instance

Overrides the HttpClient implementation and settings to use for the AuthAPI (see HttpClientConfiguration)

shibboleth.authn.Duo.NonBrowser.HttpClientSecurityParameters

HttpClientSecurityParameters

Custom security settings for the AuthAPI calls (see HttpClientConfiguration)
