The flow-specific properties usable via authn/authn.properties are:

| Name | Default | Description |
| --- | --- | --- |
| idp.authn.RemoteUser.externalAuthnPath | contextRelative:Authn/RemoteUser | Spring Web Flow redirection expression for the protected resource |
| idp.authn.RemoteUser.matchExpression | | Regular expression to match username against |
| idp.authn.RemoteUser.checkRemoteUser | true | Whether to check for a username in REMOTE_USER |
| idp.authn.RemoteUser.checkAttributes | | Comma-delimited list of servlet request attributes to check for a username |
| idp.authn.RemoteUser.checkHeaders | | Comma-delimited list of request headers to check for a username |
| idp.authn.RemoteUser.subjectAttribute | | Name of a servlet request attribute to check for a Java Subject to bypass the rest of the servlet's behavior |
| idp.authn.RemoteUser.authnMethodHeader | | Name of a request header to check for a compatible custom Principal value to attach to the Subject |
| idp.authn.RemoteUser.authnAuthorityHeader | | Name of a header to check for the name(s) of any proxied IdPs to include in the Subject |
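As an added illustration (not the Shibboleth servlet's code), the following Python models how checkRemoteUser, checkAttributes, checkHeaders and matchExpression combine to select the username the flow will accept. The lookup order (REMOTE_USER, then request attributes, then headers) and the whole-string regex semantics are assumptions made for the example, and the request contents are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not the Shibboleth servlet's code: a model of how the
# flow-specific RemoteUser properties decide which username (if any) the flow
# accepts. The lookup order REMOTE_USER -> request attributes -> headers and
# the "reject when matchExpression does not match the whole name" rule are
# assumptions made for illustration.


@dataclass
class RemoteUserConfig:
    check_remote_user: bool = True                             # idp.authn.RemoteUser.checkRemoteUser
    check_attributes: List[str] = field(default_factory=list)  # idp.authn.RemoteUser.checkAttributes
    check_headers: List[str] = field(default_factory=list)     # idp.authn.RemoteUser.checkHeaders
    match_expression: Optional[str] = None                     # idp.authn.RemoteUser.matchExpression


@dataclass
class ServletRequest:
    """Only the parts of the request the flow looks at (constructed stand-in)."""
    remote_user: Optional[str] = None                          # what getRemoteUser() would return
    attributes: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def parse_list(value: str) -> List[str]:
    """Split a comma-delimited property value, ignoring empty elements."""
    return [v.strip() for v in value.split(",") if v.strip()]


def resolve_username(cfg: RemoteUserConfig, req: ServletRequest) -> Optional[str]:
    """Return the username the flow would accept, or None to fail authentication."""
    candidate: Optional[str] = None

    if cfg.check_remote_user and req.remote_user:
        candidate = req.remote_user

    if candidate is None:
        for name in cfg.check_attributes:
            if req.attributes.get(name):
                candidate = req.attributes[name]
                break

    if candidate is None:
        # HTTP header names are case-insensitive, so compare them lower-cased.
        lowered = {k.lower(): v for k, v in req.headers.items()}
        for name in cfg.check_headers:
            if lowered.get(name.lower()):
                candidate = lowered[name.lower()]
                break

    if candidate is None:
        return None

    # Java's Matcher.matches() requires the whole string to match; re.fullmatch
    # is the equivalent here. A non-matching name is rejected, not trimmed.
    if cfg.match_expression and not re.fullmatch(cfg.match_expression, candidate):
        return None
    return candidate


if __name__ == "__main__":
    cfg = RemoteUserConfig(check_remote_user=False,
                           check_headers=parse_list("X-Remote-User,"),
                           match_expression=r"[a-z0-9]+")
    req = ServletRequest(remote_user="ignored", headers={"x-remote-user": "alice"})
    print(resolve_username(cfg, req))
```

The model makes the trust boundary visible: whatever attributes or headers are listed are taken at face value, so they must only be settable by the front end that actually authenticated the user, and matchExpression narrows which names are accepted without saying anything about who supplied them.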
The general properties configuring this flow via authn/authn.properties are:

| Name | Default | Description |
| --- | --- | --- |
| idp.authn.RemoteUser.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) |
| idp.authn.RemoteUser.nonBrowserSupported | false | Whether the flow should handle non-browser request profiles (e.g., ECP) |
| idp.authn.RemoteUser.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication |
| idp.authn.RemoteUser.forcedAuthenticationSupported | false | Whether the flow supports forced authentication |
| idp.authn.RemoteUser.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying |
| idp.authn.RemoteUser.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying |
| idp.authn.RemoteUser.discoveryRequired | false | Whether to invoke IdP-discovery prior to running the flow |
| idp.authn.RemoteUser.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow |
| idp.authn.RemoteUser.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow |
| idp.authn.RemoteUser.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO |
| idp.authn.RemoteUser.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether the flow is usable for the request |
| idp.authn.RemoteUser.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization |
| idp.authn.RemoteUser.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with the flow |
| idp.authn.RemoteUser.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |
| idp.authn.RemoteUser.c14n.flows (5.2) | | Comma-delimited list of c14n methods (beans) to run after use of this login flow |
Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals property defaults to the following XML:

```xml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>
```
In property form, this is expressed as (note especially the trailing commas, which MUST be there):

```properties
idp.authn.RemoteUser.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password
```
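To show why the trailing commas matter, here is an added Python reader (not Shibboleth IdP code) that applies java.util.Properties-style line continuation to the property text above, splits the value into entries, and maps each prefix onto the bean type used in the XML form. The prefix-to-bean mapping and the whitespace check are assumptions made for the example; the sample text is the property exactly as written above plus a constructed copy with one comma omitted.

```python
from typing import Dict, List, Tuple

# Added example, not Shibboleth IdP code: a minimal reader for the
# supportedPrincipals property. It applies java.util.Properties-style line
# continuation (a trailing backslash joins the next line and drops that line's
# leading whitespace) and maps each "prefix/value" entry onto the bean type
# used in the XML form of the same default.

# Assumed mapping from the property prefix to the bean parent and the
# constructor argument that the XML form sets.
PREFIX_TO_BEAN: Dict[str, Tuple[str, str]] = {
    "saml2": ("shibboleth.SAML2AuthnContextClassRef", "classRef"),
    "saml1": ("shibboleth.SAML1AuthenticationMethod", "method"),
}


def unfold_properties(text: str) -> Dict[str, str]:
    """Return key -> raw value, joining backslash-continued lines.

    Only '=' separators and simple single-backslash continuations are handled,
    which is all the snippet above needs.
    """
    props: Dict[str, str] = {}
    pending: List[str] = []
    for line in text.splitlines():
        if pending:
            line = line.lstrip()  # Java discards leading whitespace of a continued line
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending).strip()
        pending = []
        if not logical or logical.startswith(("#", "!")):
            continue
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_supported_principals(value: str) -> List[str]:
    """Return a list of problems with a supportedPrincipals value ([] if clean)."""
    problems: List[str] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # a trailing comma leaves an empty element, which is harmless
        prefix, sep, principal = entry.partition("/")
        if not sep or prefix not in PREFIX_TO_BEAN:
            problems.append(f"unknown prefix in entry {entry!r}")
        elif any(ch.isspace() for ch in principal):
            # A URI never contains bare whitespace, so two entries were run
            # together: exactly what happens when the comma before a backslash
            # continuation is omitted.
            problems.append(f"entries run together (missing comma?): {entry!r}")
    return problems


def parse_supported_principals(value: str) -> List[Tuple[str, str, str]]:
    """Map each entry to (bean parent, argument name, principal value)."""
    problems = lint_supported_principals(value)
    if problems:
        raise ValueError("; ".join(problems))
    result: List[Tuple[str, str, str]] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        prefix, _, principal = entry.partition("/")
        parent, arg = PREFIX_TO_BEAN[prefix]
        result.append((parent, arg, principal))
    return result


# Constructed sample: the property as written above (raw string so the
# backslashes survive), plus a copy with the first trailing comma omitted.
GOOD = r"""
idp.authn.RemoteUser.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password
"""
BAD = GOOD.replace("PasswordProtectedTransport, \\", "PasswordProtectedTransport \\")

KEY = "idp.authn.RemoteUser.supportedPrincipals"

if __name__ == "__main__":
    print(parse_supported_principals(unfold_properties(GOOD)[KEY]))
    print(lint_supported_principals(unfold_properties(BAD)[KEY]))
```

With the comma present the value yields three entries, one per bean in the XML form; without it the first two URNs are glued into a single entry with a space in the middle, which the lint step flags rather than silently registering a Principal that no SP will ever request.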