...
```xml
<!-- NOTE: these example.org constants are examples and are not suitable for real use. -->
<bean id="MFASAML2Principal" parent="shibboleth.SAML2AuthnContextClassRef"
    c:_0="http://example.org/ac/classes/mfa" />
<bean id="MFASAML1Principal" parent="shibboleth.SAML1AuthenticationMethod"
    c:_0="http://example.org/ac/classes/mfa" />

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <!-- Profile configurations must be supplied through the profileConfigurations property. -->
    <property name="profileConfigurations">
        <list>
            <!-- Require MFA with the Shibboleth (SAML 1) SSO profile. -->
            <bean parent="Shibboleth.SSO">
                <property name="defaultAuthenticationMethods">
                    <list>
                        <ref bean="MFASAML1Principal" />
                    </list>
                </property>
            </bean>

            <!-- Require MFA with the SAML 2 SSO profile. Disallowing the AuthnContext
                 feature stops an SP's own RequestedAuthnContext from overriding the default. -->
            <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                <property name="defaultAuthenticationMethods">
                    <list>
                        <ref bean="MFASAML2Principal" />
                    </list>
                </property>
            </bean>

            <!-- Alternatively, compute the authentication methods from a function bean (not shown). -->
            <bean parent="Shibboleth.SSO" p:defaultAuthenticationMethodsLookupStrategy-ref="PrincipalsFunction" />
        </list>
    </property>
</bean>
```
...
The nameIDFormatPrecedence property is the usual way to control which SAML NameIdentifier / NameID Format appears in a response, something many commercial services require. It is also the only way to force the use of the ill-advised "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" Format, which is very rarely actually needed, despite frequent mis-documentation to the contrary.
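The following relying-party override shows the property in use for two individual SPs. It is an added example, not configuration from the original page: the entityIDs and the Format order are assumed for illustration. The list is ordered by preference, and the IdP uses the first Format in it for which a NameID generator is configured, so the "unspecified" case also needs a generator for that Format in saml-nameid.xml (not shown here).

```xml
<!-- Added example: per-SP NameID Format selection via nameIDFormatPrecedence.
     The entityIDs and Format order below are assumed for illustration. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- An SP that needs a stable identifier: prefer persistent, fall back to transient. -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO">
                    <property name="nameIDFormatPrecedence">
                        <list>
                            <value>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</value>
                            <value>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</value>
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

    <!-- The rare SP that genuinely requires the "unspecified" Format. Scope the
         setting to that one SP rather than the default relying party, and make
         sure a generator for this Format exists in saml-nameid.xml (not shown). -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://legacy.example.org/sp">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                    p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
            </list>
        </property>
    </bean>
</util:list>
```

Keeping the override per SP matters: setting nameIDFormatPrecedence on shibboleth.DefaultRelyingParty would change the identifier handed to every service, whereas the second bean above confines the "unspecified" Format to the one relying party that cannot cope with anything else.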
...