...
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize" default-destroy-method="destroy">

    <!-- Require an explicit CA root on Duo AuthAPI calls. -->
    <bean id="shibboleth.authn.Duo.NonBrowser.HttpClientSecurityParameters"
          class="org.opensaml.security.httpclient.HttpClientSecurityParameters">
        <property name="tLSTrustEngine">
            <bean parent="shibboleth.StaticPKIXTrustEngine" p:trustedNames="*.duosecurity.com" p:checkNames="true">
                <property name="certificates">
                    <list>
                        <bean class="org.springframework.core.io.FileSystemResource" c:_0="%{idp.home}/credentials/duo-ca.pem"/>
                    </list>
                </property>
            </bean>
        </property>
    </bean>

    <bean id="shibboleth.authn.Duo.NonBrowser.HttpClient"
          parent="shibboleth.NonCachingHttpClient"
          p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactory" />

</beans>
```
The use of a forward proxy for the Duo HTTP client is also possible:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize" default-destroy-method="destroy">

    <!-- Use a forward proxy. Additional properties are also available: connectionProxyUsername and connectionProxyPassword. -->
    <bean id="shibboleth.authn.Duo.NonBrowser.HttpClient"
          parent="shibboleth.NonCachingHttpClient"
          p:connectionProxyHost="myproxy.example.com"
          p:connectionProxyPort="1234" />

</beans>
```
Additionally, any of the properties of the HttpClientBuilder may be used when creating a custom-wired HTTP client instance.
Reference
Beans
The possible beans expected in authn/duo-authn-config.xml follow:
Bean ID | Type | Default | Function |
---|---|---|---|
shibboleth.authn.Duo.DuoIntegration | DuoIntegration | Derived from settings in duo.properties | Defines a single/static DuoWeb integration with Duo; you can override this bean to supply a non-property-configured alternative |
shibboleth.authn.Duo.NonBrowser.DuoIntegration (3.4) | DuoIntegration | Derived from settings in duo.properties | Defines a single/static AuthAPI integration with Duo; you can override this bean to supply a non-property-configured alternative |
shibboleth.authn.Duo.DuoIntegrationStrategy | Function<ProfileRequestContext,DuoIntegration> | | Optional bean to supply the DuoWeb integration settings dynamically |
shibboleth.authn.Duo.NonBrowser.DuoIntegrationStrategy (3.4) | Function<ProfileRequestContext,DuoIntegration> | | Optional bean to supply the Duo AuthAPI integration settings dynamically |
shibboleth.authn.Duo.UsernameLookupStrategy | Function<ProfileRequestContext,String> | CanonicalUsernameLookupStrategy | Optional bean to supply the username |
shibboleth.authn.Duo.resultCachingPredicate | Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
shibboleth.authn.Duo.addDefaultPrincipals | Boolean | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject |
shibboleth.authn.Duo.NonBrowser.HttpClient (3.4) | HttpClient | shibboleth.NonCachingHttpClient | Overrides the HttpClient implementation and settings to use for the AuthAPI (see HttpClientConfiguration) |
shibboleth.authn.Duo.NonBrowser.HttpClientSecurityParameters (3.4) | HttpClientSecurityParameters | | Custom security settings for the AuthAPI calls (see HttpClientConfiguration) |
Properties
The properties defined in conf/authn/duo.properties follow:
Name | Type | Default | Function |
---|---|---|---|
idp.duo.apiHost | Hostname | | DuoWeb API hostname assigned to the integration |
idp.duo.applicationKey | String | | A secret supplied by you and not shared with Duo; see https://duo.com/docs/duoweb, "Generate an akey" |
idp.duo.integrationKey | String | | DuoWeb integration key (supplied by Duo) |
idp.duo.secretKey | String | | DuoWeb secret key (supplied by Duo) |
idp.duo.nonbrowser.apiHost (3.4) | Hostname | ${idp.duo.apiHost} | Duo AuthAPI hostname assigned to the integration |
idp.duo.nonbrowser.applicationKey (3.4) | String | | A secret supplied by you and not shared with Duo; see https://duo.com/docs/duoweb, "Generate an akey" |
idp.duo.nonbrowser.integrationKey (3.4) | String | | Duo AuthAPI integration key (supplied by Duo) |
idp.duo.nonbrowser.secretKey (3.4) | String | | Duo AuthAPI secret key (supplied by Duo) |
idp.duo.nonbrowser.header.factor (3.4) | String | X-Shibboleth-Duo-Factor | Name of the HTTP request header carrying the Duo AuthAPI factor |
idp.duo.nonbrowser.header.device (3.4) | String | X-Shibboleth-Duo-Device | Name of the HTTP request header carrying the Duo AuthAPI device ID or name |
idp.duo.nonbrowser.header.passcode (3.4) | String | X-Shibboleth-Duo-Passcode | Name of the HTTP request header carrying the Duo AuthAPI passcode |
idp.duo.nonbrowser.auto (3.4) | Boolean | true | Allow the factor to default to "auto" if no headers are received |
idp.duo.nonbrowser.clientAddressTrusted (3.4) | Boolean | true | Pass the client address to Duo in API calls to support logging, push display, and network-based Duo policies |
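As an added illustration (not Shibboleth IdP code), the following Python models how the non-browser properties in the table combine: the listed defaults, the ${idp.duo.apiHost} reference behind idp.duo.nonbrowser.apiHost, the configurable header names, the "auto" fallback, and the clientAddressTrusted switch. The sample duo.properties content, the apiHost placeholder and the header values are constructed.

```python
import re

# Defaults taken from the duo.properties table above. Keys without a listed
# default are absent here and must be set by the deployer.
DEFAULTS = {
    "idp.duo.nonbrowser.apiHost": "${idp.duo.apiHost}",
    "idp.duo.nonbrowser.header.factor": "X-Shibboleth-Duo-Factor",
    "idp.duo.nonbrowser.header.device": "X-Shibboleth-Duo-Device",
    "idp.duo.nonbrowser.header.passcode": "X-Shibboleth-Duo-Passcode",
    "idp.duo.nonbrowser.auto": "true",
    "idp.duo.nonbrowser.clientAddressTrusted": "true",
}

# Constructed sample duo.properties; the apiHost value is a placeholder.
SAMPLE_PROPERTIES = """
idp.duo.apiHost = api-XXXXXXXX.duosecurity.com
idp.duo.nonbrowser.header.factor = X-Duo-Factor
"""

def load_properties(text):
    """Minimal key=value .properties parser layered over DEFAULTS."""
    props = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(props, key):
    """Resolve a ${other.property} reference, as the apiHost default uses."""
    value = props[key]
    ref = re.fullmatch(r"\$\{([^}]+)\}", value)
    return props[ref.group(1)] if ref else value

def authapi_request(props, headers, client_ip=None):
    """Pick factor/device/passcode from the configured header names."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    get = lambda prop: lower.get(props[prop].lower())
    factor = get("idp.duo.nonbrowser.header.factor")
    device = get("idp.duo.nonbrowser.header.device")
    passcode = get("idp.duo.nonbrowser.header.passcode")
    if factor is None and device is None and passcode is None:
        if props["idp.duo.nonbrowser.auto"].lower() != "true":
            raise ValueError("no Duo headers received and the auto fallback is disabled")
        factor = "auto"  # documented fallback when no headers arrive
    trusted = props["idp.duo.nonbrowser.clientAddressTrusted"].lower() == "true"
    return {"factor": factor, "device": device, "passcode": passcode,
            "client_ip": client_ip if trusted else None}
```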
The Duo provided properties will appear in the Duo administrative console:
V2 Compatibility
There is no equivalent V2 feature, apart from third party extensions.
Notes
None