...

Beans (General)

Each entry gives the bean ID, its type, its default (where one exists) and a description.

shibboleth.authn.DuoOIDC.DuoIntegration
  Type: DuoOIDCIntegration
  Default: Derived from the properties in conf/authn/duo-oidc.properties
  Description: Defines a single, static Duo OIDC integration. Override this bean to supply an integration that is not configured from properties.

shibboleth.authn.DuoOIDC.DuoIntegrationStrategy
  Type: Function<ProfileRequestContext,DuoOIDCIntegration>
  Description: Optional bean that supplies the Duo OIDC integration settings dynamically, per request.

shibboleth.authn.DuoOIDC.UsernameLookupStrategy
  Type: Function<ProfileRequestContext,String>
  Default: CanonicalUsernameLookupStrategy
  Description: Optional bean that supplies the username sent to Duo.

shibboleth.authn.DuoOIDC.resultCachingPredicate
  Type: Predicate<ProfileRequestContext>
  Default: shibboleth.Conditions.TRUE
  Description: Controls whether the authentication result is preserved in the IdP session.

shibboleth.authn.DuoOIDC.CleanUpHook
  Type: Consumer<ProfileRequestContext>
  Default: A bean that removes the DuoOIDCAuthenticationContext from the context tree
  Description: Cleanup hook executed on successful authentication.

shibboleth.authn.DuoOIDC.jwt.claims.CleanUpHook
  Type: Consumer<ProfileRequestContext>
  Default: A bean that removes the nonce value from the DuoOIDCAuthenticationContext
  Description: Cleanup hook executed after claims validation, whether it succeeded or failed.

shibboleth.authn.DuoOIDC.DuoTokenClaimsVerifier
  Type: JWTClaimsValidation
  Default: DefaultDuoTokenClaimsVerifier, which verifies claims in accordance with the Duo specification and is also OIDC-compliant for the special Duo id_token case
  Description: Verifies the claims of the Duo result token (an OIDC id_token) using a chain of claims validators (audience, issuer, expiration and so on). You can replace the verifier completely, change the behaviour of individual validators, or add a new validation check with a custom BiFunction; see shibboleth.authn.DuoOIDC.ExtendedClaimsValidator.

shibboleth.authn.DuoOIDC.jwt.IssuerLookupStrategy
  Type: BiFunction<ProfileRequestContext,JWTClaimsSet,String>
  Default: Combines the https scheme with the Duo API hostname and the Duo token issuer path
  Description: Lookup strategy that returns the expected OIDC issuer. An issuer consists of the scheme, host and, optionally, port and path components that identify the id_token issuer.

shibboleth.authn.DuoOIDC.jwt.AudienceLookupStrategy
  Type: BiFunction<ProfileRequestContext,JWTClaimsSet,String>
  Default: The clientId of the Duo integration pertaining to the request
  Description: Looks up the client_id of the Relying Party (the IdP, acting as Duo's OIDC client), which must appear in the id_token audience.

shibboleth.authn.DuoOIDC.jwt.UsernameLookupStrategy
  Type: BiFunction<ProfileRequestContext,JWTClaimsSet,String>
  Default: The authenticating principal's username from the context pertaining to the request
  Description: Looks up the authenticating principal's username to match against the preferred_username field of Duo's id_token.

shibboleth.authn.DuoOIDC.jwt.AuthTimeActivationCondition
  Type: BiPredicate<ProfileRequestContext,JWTClaimsSet>
  Default: Returns true if forced authentication was requested by the Relying Party
  Description: Whether the auth_time claim is validated for the given request.

shibboleth.authn.DuoOIDC.jwt.NonceLookupStrategy
  Type: BiFunction<ProfileRequestContext,JWTClaimsSet,String>
  Default: The nonce that was sent in the authorization request and stored in the Duo authentication context
  Description: Looks up the nonce that was sent in the authorization request and must therefore be present in the id_token.

shibboleth.authn.DuoOIDC.jwt.NonceActivationCondition
  Type: BiPredicate<ProfileRequestContext,JWTClaimsSet>
  Default: Returns true iff the id_token contains a nonce
  Description: Whether the nonce value in the id_token is validated.

shibboleth.authn.DuoOIDC.RequiredOIDCClaims
  Type: Set<String>
  Default: The claims that the OIDC specification requires in an ID Token (https://openid.net/specs/openid-connect-core-1_0.html#IDToken); used by the DefaultDuoTokenClaimsVerifier above
  Description: The names of the claims that must be present in the Duo result token (OIDC id_token).

shibboleth.authn.DuoOIDC.ContextToPrincipalMappingStrategy
  Type: Function<ProfileRequestContext,Collection<Principal>>
  Description: Maps information in the ProfileRequestContext, most likely from the Duo result id_token, to the collection of Principals that the flow's execution supports. See this advanced topic.

shibboleth.authn.DuoOIDC.ExtendedClaimsValidator
  Type: BiFunction<JWTClaimsSet,ProfileRequestContext,JWTValidationException>
  Description: Optional BiFunction extension point for custom claims validation of the Duo token.

shibboleth.authn.DuoOIDC.PreDuoPopulateAuditExtractors (1.3.0)
  Type: Map<String,Function<ProfileRequestContext,Object>>
  Description: Map of audit field labels to extractors run before the redirect to Duo for 2FA; each takes the profile request context and returns an object (typically a String) to append to the audit log statement.

shibboleth.authn.DuoOIDC.PostDuoPopulateAuditExtractors (1.3.0)
  Type: Map<String,Function<ProfileRequestContext,Object>>
  Description: Map of audit field labels to extractors run after Duo 2FA completes; each takes the profile request context and returns an object (typically a String) to append to the audit log statement.

shibboleth.authn.DuoOIDC.AuditFormattingMap (1.3.0)
  Type: Map<String,String>
  Description: Map of logging categories to audit formatting strings for Duo 2FA audit logging.

Beans (Duo WebSDK)

These beans are specific to the Duo WebSDK-based plugin only:

shibboleth.authn.DuoOIDC.sdk.TrustedCertificates
  Type: List<String>
  Default: DefaultTrustedCertificates
  Description: A default list of trust-root CA public key hashes. See HTTP Public Key Pinning.

...

Properties (DuoOIDC-Specific)

The DuoOIDC-specific properties defined in conf/authn/duo-oidc.properties follow:

Each entry gives the property name, its default (where one exists) and a description.

idp.duo.oidc.apiHost
  Description: Duo OIDC API hostname assigned to the integration.

idp.duo.oidc.clientId
  Description: The OAuth 2.0 client identifier valid at the Duo authorization server.

idp.duo.oidc.redirectURL
  Description: Redirection URI to which the 2FA response will be sent.

idp.duo.oidc.redirecturl.allowedOrigins
  Description: If idp.duo.oidc.redirectURL is not set, the redirect URL is computed dynamically from the request and its origin is checked against this list of allowed origins, to prevent HTTP Host header injection.

idp.duo.oidc.secretKey
  Description: The client secret used to authenticate the client when exchanging the authorization code for a Duo 2FA result token (id_token).

idp.duo.oidc.endpoint.health
  Default: /oauth/v1/health_check
  Description: Duo's OAuth 2.0 health check endpoint.

idp.duo.oidc.endpoint.token
  Default: /oauth/v1/token
  Description: Duo's OAuth 2.0 token endpoint.

idp.duo.oidc.endpoint.authorize
  Default: /oauth/v1/authorize
  Description: Duo's OAuth 2.0 authorization endpoint.

idp.duo.oidc.jwt.verifier.clockSkew
  Default: PT60S
  Description: Leeway allowed in token expiry (exp) calculations.

idp.duo.oidc.jwt.verifier.iatWindow
  Default: PT60S
  Description: Maximum distance, in either direction from the current time, of the token's issued-at (iat) claim; a token issued outside this window is rejected.

idp.duo.oidc.jwt.verifier.issuerPath
  Default: /oauth/v1/token
  Description: The path component of the Duo token issuer. The full issuer string has the form https://<idp.duo.oidc.apiHost><idp.duo.oidc.jwt.verifier.issuerPath>.

idp.duo.oidc.jwt.verifier.preferredUsername
  Default: preferred_username
  Description: The name of the result token (JWT) claim that carries the username sent in the duo_uname field of the authorization request.

idp.duo.oidc.jwt.verifier.authLifetime
  Default: PT60S
  Description: How long the Duo authentication is considered valid, measured from the token's auth_time claim. Only applies to forced authentication requests.
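To make the verification chain concrete, the following is a small Python model of the claims checks that the shibboleth.authn.DuoOIDC.jwt.* beans and the idp.duo.oidc.jwt.verifier.* properties above describe. It is an added illustration written for this page, not the plugin's own code: it stands in for the DefaultDuoTokenClaimsVerifier chain without the JWT signature verification, the field names merely mirror the property names, and the Duo hostname, client ID, nonce and token claims are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class VerifierConfig:
    """Tunables named after the duo-oidc.properties keys on this page (documented defaults)."""
    api_host: str                                    # idp.duo.oidc.apiHost
    client_id: str                                   # idp.duo.oidc.clientId
    clock_skew: int = 60                             # idp.duo.oidc.jwt.verifier.clockSkew (PT60S)
    iat_window: int = 60                             # idp.duo.oidc.jwt.verifier.iatWindow (PT60S)
    issuer_path: str = "/oauth/v1/token"             # idp.duo.oidc.jwt.verifier.issuerPath
    preferred_username: str = "preferred_username"   # idp.duo.oidc.jwt.verifier.preferredUsername
    auth_lifetime: int = 60                          # idp.duo.oidc.jwt.verifier.authLifetime (PT60S)
    # shibboleth.authn.DuoOIDC.RequiredOIDCClaims: the claims OIDC Core requires in an ID Token
    required_claims: frozenset = frozenset({"iss", "sub", "aud", "exp", "iat"})


@dataclass(frozen=True)
class RequestState:
    """What the flow already knows (stands in for the ProfileRequestContext and Duo context)."""
    username: str       # canonical principal name that was sent to Duo as duo_uname
    nonce: str          # nonce sent in the authorization request
    forced_auth: bool   # the Relying Party asked for forced authentication


def expected_issuer(cfg: VerifierConfig) -> str:
    """IssuerLookupStrategy default: https scheme + API host + issuer path."""
    return f"https://{cfg.api_host}{cfg.issuer_path}"


def verify_claims(claims: dict, state: RequestState, cfg: VerifierConfig, now: int,
                  extended: Optional[Callable[[dict, RequestState], Optional[str]]] = None) -> list:
    """Return the list of validation failures; an empty list means the claims are acceptable.
    `extended` plays the role of shibboleth.authn.DuoOIDC.ExtendedClaimsValidator, returning an
    error message (instead of a JWTValidationException) to reject the token, or None to accept."""
    missing = sorted(cfg.required_claims - set(claims))
    if missing:
        return [f"missing required claims: {missing}"]   # later checks would only mask this

    errors = []
    if claims["iss"] != expected_issuer(cfg):
        errors.append(f"issuer {claims['iss']!r} != {expected_issuer(cfg)!r}")

    # aud may be a string or a list; it must contain our client_id (AudienceLookupStrategy)
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if cfg.client_id not in audiences:
        errors.append("client_id not in aud")

    # exp gets clockSkew leeway; iat must lie within iatWindow of now in either direction
    if now > claims["exp"] + cfg.clock_skew:
        errors.append("token expired")
    if abs(now - claims["iat"]) > cfg.iat_window:
        errors.append("iat outside the allowed window")

    # NonceActivationCondition default: the nonce is checked only if the token carries one
    if "nonce" in claims and claims["nonce"] != state.nonce:
        errors.append("nonce does not match the authorization request")

    # AuthTimeActivationCondition default: auth_time is checked only for forced authentication
    if state.forced_auth:
        auth_time = claims.get("auth_time")
        if auth_time is None:
            errors.append("auth_time missing but forced authentication was requested")
        elif now - auth_time > cfg.auth_lifetime:
            errors.append("auth_time older than authLifetime")

    # the username Duo reports must be the one we sent (jwt.UsernameLookupStrategy)
    if claims.get(cfg.preferred_username) != state.username:
        errors.append(f"{cfg.preferred_username} does not match the authenticating principal")

    if extended is not None:
        problem = extended(claims, state)
        if problem:
            errors.append(problem)
    return errors


# Constructed sample data for this example; none of it is a real Duo value.
NOW = 1_700_000_000
CFG = VerifierConfig(api_host="api-0123abcd.duosecurity.com", client_id="DIAAAAAAAAAAAAAAAAAA")
STATE = RequestState(username="alice", nonce="n-7f3a", forced_auth=True)
GOOD_CLAIMS = {
    "iss": "https://api-0123abcd.duosecurity.com/oauth/v1/token",
    "sub": "alice", "aud": "DIAAAAAAAAAAAAAAAAAA",
    "exp": NOW + 300, "iat": NOW - 5, "auth_time": NOW - 10,
    "nonce": "n-7f3a", "preferred_username": "alice",
}

if __name__ == "__main__":
    print(verify_claims(GOOD_CLAIMS, STATE, CFG, NOW))                      # []
    print(verify_claims(dict(GOOD_CLAIMS, auth_time=NOW - 600), STATE, CFG, NOW))  # ['auth_time older than authLifetime']
```

Two points of the page's defaults are visible in the model: a token without a nonce claim passes the nonce check (the activation condition only fires when the claim is present), and a stale auth_time is only rejected when forced authentication was requested. A deployment that wants stricter behaviour would override the corresponding activation-condition bean rather than edit the verifier.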

The properties below are used when enabling non-browser / AuthAPI support:

idp.duo.oidc.nonbrowser.apiHost
  Default: ${idp.duo.oidc.apiHost}
  Description: Duo AuthAPI hostname assigned to the integration.

idp.duo.oidc.nonbrowser.integrationKey
  Description: Duo AuthAPI integration key (supplied by Duo).

idp.duo.oidc.nonbrowser.secretKey
  Description: Duo AuthAPI secret key (supplied by Duo).

idp.duo.oidc.nonbrowser.header.factor
  Default: X-Shibboleth-Duo-Factor
  Description: Name of the HTTP request header carrying the Duo AuthAPI factor.

idp.duo.oidc.nonbrowser.header.device
  Default: X-Shibboleth-Duo-Device
  Description: Name of the HTTP request header carrying the Duo AuthAPI device ID or name.

idp.duo.oidc.nonbrowser.header.passcode
  Default: X-Shibboleth-Duo-Passcode
  Description: Name of the HTTP request header carrying the Duo AuthAPI passcode.

idp.duo.oidc.nonbrowser.auto
  Default: true
  Description: Allow the factor to default to "auto" when no factor header is received.

idp.duo.oidc.nonbrowser.clientAddressTrusted
  Default: true
  Description: Pass the client address to Duo in API calls to support logging, push display and network-based Duo policies.

idp.authn.DuoOIDC.addDefaultPrincipals (1.3.0)
  Default: true
  Description: If set to false, the default principals are not added even when no ContextToPrincipalMappingStrategy is set. Before 1.3.0 the default principals were always added when that strategy was not set; this property now controls that behaviour.

idp.duo.oidc.healthcheck.enabled (1.3.0)
  Default: true
  Description: Perform the Duo health check for every 2FA request? Defaults to true because this is the standard Duo workflow.
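The idp.duo.oidc.redirecturl.allowedOrigins property above exists because a redirect URL built from the request is only as trustworthy as the Host header it came from. The following Python example, added here for illustration and not taken from the plugin, shows the weak form (trusting the Host header outright) next to the checked form the property describes. The comma-separated list format, the callback path and all hostnames are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample for idp.duo.oidc.redirecturl.allowedOrigins. The comma-separated form is an
# assumption made for this example, as is the callback path below; neither comes from the plugin.
ALLOWED_ORIGINS_PROPERTY = "https://idp.example.org, https://idp.example.org:8443"
CALLBACK_PATH = "/idp/duo/callback"   # placeholder path, not the plugin's real callback location

DEFAULT_PORTS = {"https": 443, "http": 80}
HOST_HEADER_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")   # host[:port]; IPv6 literals not handled


def normalize_origin(origin: str) -> str:
    """Canonical scheme://host[:port] so that the allow-list comparison is exact, not lexical."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) origin: {origin!r}")
    port = parts.port                      # int, or None when absent
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"   # hostname is already lower-cased
    return f"{parts.scheme}://{parts.hostname}:{port}"


def parse_allowed_origins(prop: str) -> frozenset:
    """Split the property value and canonicalise every entry once, at configuration time."""
    return frozenset(normalize_origin(item.strip()) for item in prop.split(",") if item.strip())


def is_allowed_origin(scheme: str, host_header: str, allowed: frozenset) -> bool:
    """True only if the request origin, rebuilt from the Host header, is exactly on the allow-list."""
    if not HOST_HEADER_RE.fullmatch(host_header):
        return False                      # anything that is not host[:port] is treated as hostile
    return normalize_origin(f"{scheme}://{host_header}") in allowed


def unsafe_redirect_url(scheme: str, host_header: str, path: str) -> str:
    """The weak form: trusting the Host header lets whoever controls it choose where Duo
    delivers the authorization code."""
    return f"{scheme}://{host_header}{path}"


def compute_redirect_url(scheme: str, host_header: str, path: str, allowed: frozenset) -> str:
    """The checked form the allowedOrigins property describes: build the URL from the request,
    but refuse any origin that is not allow-listed."""
    if not is_allowed_origin(scheme, host_header, allowed):
        raise ValueError(f"origin of Host {host_header!r} is not in idp.duo.oidc.redirecturl.allowedOrigins")
    return normalize_origin(f"{scheme}://{host_header}") + path


if __name__ == "__main__":
    allowed = parse_allowed_origins(ALLOWED_ORIGINS_PROPERTY)
    print(compute_redirect_url("https", "IDP.example.org:443", CALLBACK_PATH, allowed))
    print(unsafe_redirect_url("https", "attacker.example", CALLBACK_PATH))
    print(is_allowed_origin("https", "attacker.example", allowed))
```

The comparison is on the whole origin (scheme, host and port after canonicalisation), not on a hostname substring, so idp.example.org.attacker.example, a plain-http variant and a non-listed port are all rejected. Setting idp.duo.oidc.redirectURL to a fixed value avoids the question entirely and is the simpler choice when the IdP has a single public name.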

Properties (Nimbus)

The properties below apply only to the Shibboleth Nimbus plugin:

idp.duo.oidc.connectionTimeout
  Default: The global HttpClient setting in services.properties (PT1M)
  Description: Maximum length of time to wait for the connection to be established.

idp.duo.oidc.connectionRequestTimeout
  Default: The global HttpClient setting in services.properties (PT1M)
  Description: Maximum length of time to wait for a connection to be returned from the connection manager.

idp.duo.oidc.socketTimeout
  Default: The global HttpClient setting in services.properties (PT1M)
  Description: Maximum period of inactivity between two consecutive data packets.

idp.duo.oidc.maxConnectionsTotal
  Default: The global HttpClient setting in services.properties (100)
  Description: Maximum total number of simultaneous connections allowed by the pooling connection manager.

idp.duo.oidc.maxConnectionsPerRoute
  Default: The global HttpClient setting in services.properties (100)
  Description: Maximum number of simultaneous connections per route allowed by the pooling connection manager.

idp.duo.oidc.nimbus.checkRevocation
  Default: false
  Description: Enables certificate revocation checking. See Certificate Revocation Checking.

...