Page Comparison

• Changing IP address restrictions on access to "admin" URLs
• Defining rules for certain features such as impersonation

• Controlling the SAML Attributes provided to SPs during SSO or via a Query
• Limiting acceptance of SAML Attributes from a proxied IdP

• Customizing the location(s) from which to load mapping rules

• Obtaining or producing the SAML Attributes supported by the IdP
• Controlling pass-through or modification of proxied information

• Add or change audit log entry formats
• Add a custom audit field with Java or scripting

• Add additional signing or encryption keypairs
• Enable a second encryption key during a key rollover

• Map events to alternate view templates
• Control whether events short-circuit SAML responses or not
• Customize SAML and SOAP status codes

• Override built-in behavior of low-level components such as storage or session management
• Create utility bean definitions to help define other custom beans located elsewhere
• Override built-in global algorithm blacklist

• Add additional property files
• Set important global settings like the unique entityID of the IdP, the attribute qualifying scope/domain, pathnames and passwords for keys
• Change lots of globally significant settings

• Configure general LDAP location, credentials, and search properties
• Use separate directories for authentication and attribute lookup

• Change unusual logging levels, locations, file retention behavior
• Add custom log destinations (e.g., syslog)

• Add metadata sources
• Control metadata verification and filtering

• Mostly just for extension authors if they need to make changes or additions like adding MVC controllers or adding new view technologies

• Turn profiles on and off
• Customize profile features like signing and encryption, attribute push/pull
• Set preferred authentication types based on RP or profile
• Turn special intercept flows on and off (e.g. attribute consent, usage terms, permission checks)
• Enable "open" operation without requiring metadata for SPs

• Toggle between stateless and in-memory transient identifiers
• Toggle between hash-generated and database-backed persistent/pairwise identifiers
• Change default NameID formats

• Turn on or off transient and persistent identifier support
• Configure custom NameIDs based on resolved attributes

• Setting various passwords present in a default install
• Adding additional passwords in the future

• Customize the reloadability of various service configurations
• Control fail-fast behavior at startup
• Override the resources that configure services without editing services.xml

• Add or change resources loaded to configure metadata, relying party settings, attribute resolution and filtering, and other services
• Add Spring configuration in support of advanced resources like Subversion files or HTTP resource requirements such as TLS certificate checking

• Adding session types and logout configuration for new extension features not built-in to the IdP software

admin/
general-admin.xml

admin/admin.properties ^4.1

• Customize flow settings such as authentication or access control rules

• Enable or disable metrics
• Configure metric reporting features
• Enable customized timers or counters

• Change default mappings
• Add or update language translations

• Add your own attribute mapping rules using property syntax

• Support non-exact matching between requested and supported authentication methods, such as indicating that a multi-factor method is "better than" a password
• Map SAML AuthnContext values while proxying

• Support a custom Event as the result of an authentication flow for error handling purposes

• Identifying URL of Discovery Service to use

• Integrate the IdP with Duo Security as a second factor, usually driven with the MFA login flow

• Connect the IdP to your Duo service as a registered Duo Security application

• Change the location of the external authentication servlet
• Map events for error handling purposes

• Specify a function implementation to return the user identity when using this login flow

• Add new authentication flows
• Customize flow settings such as timeouts, and mappings to protocol-specific authentication types/classes

• Create rules associating network ranges to principal names to login as

• Change the location of the JAAS config file
• Chain login module together across separate JAAS "application" entries

• Specify the JAAS login modules to use and their settings and associate them with "application" names

• Change some simple options like krb5.conf refresh and ticket caching

• Use more advanced search or bind strategies not supported by properties
• Configure support for communicating account state based on password or account policies

• Build scripted, dynamic workflows involving multiple login methods and other business logic

• Choose which back-end to validate the password with
• Control form field names
• Configure simple transforms of username entered
• Map Events and exception messages from back-ends for error-handling purposes

• Change the location of the protected location
• Map events for error handling purposes

• Configure use of headers or attributes to get username
• Configure simple transforms of username
• Limit usernames to accept

• Specify an IdP to use for proxying logins

auth/
spnego-authn-config.xml

• Kerberos service configuration
• Control the interaction of SPNEGO with password login

• Configure location of a template that prompts for a certificate
• Map events for error handling purposes

• Configure advanced rules for validating the certificate instead of relying on the container

• Remap usernames after login to different values derived from the attribute resolver

• Remap usernames after login to different values based on simple transforms

• or as flow control within the MFA feature

• Customize authn settings such as timeouts, and support for SAML AuthnContext classes for controlling login method selection

• Support a custom Event as the result of a canonicalization flow for error handling purposes

• Apply transforms to usernames after login
• Control mapping of username through attribute resolution
• Control username extraction from X.509 certificates

• Change how usernames are transformed after login
• Turn off legacy PrincipalConnector feature in Attribute Resolver
• Support Attribute Queries or other advanced SAML features based on custom identifier types

• Support X.509 certificate authentication and map part of subject DN or subjectAltNames into username

• Control the terms of use message to present based on the RP
• Control which attributes are subject to consent
• Change the audit logging formats and categories used by these consent features

• Configure the condition to apply to the request state before allowing it to continue, such as attribute(s) and value(s) to require for specific RPs

• Configure the attribute to check for, how to parse it, and how often to nag

• Configure the path to redirect to

• Configure the access control policies to apply to limit the use of the feature

• Support a custom Event as the result of an intercept flow for error handling purposes

intercept/
profile-intercept.xml

--------------------------------------------------------

• Add custom intercept flows developed locally
• Duplicate built-in flows to allow for specialized versions