Versions Compared

...

Properties (General)

The general properties configuring this flow via authn/authn.properties are:

| Name | Default | Description |
| --- | --- | --- |
| idp.authn.DuoOIDC.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) |
| idp.authn.DuoOIDC.nonBrowserSupported | false | Whether the flow should handle non-browser request profiles (e.g., ECP) |
| idp.authn.DuoOIDC.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication |
| idp.authn.DuoOIDC.forcedAuthenticationSupported | true | Whether the flow supports forced authentication |
| idp.authn.DuoOIDC.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying |
| idp.authn.DuoOIDC.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying |
| idp.authn.DuoOIDC.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow |
| idp.authn.DuoOIDC.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow |
| idp.authn.DuoOIDC.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow |
| idp.authn.DuoOIDC.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO |
| idp.authn.DuoOIDC.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request |
| idp.authn.DuoOIDC.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization |
| idp.authn.DuoOIDC.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow |
| idp.authn.DuoOIDC.addDefaultPrincipals 1.3.0 | falsetrue | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |

As a non-password-based flow, the supportedPrincipals property defaults to the following XML:

```xml
<list>
  <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://example.org/ac/classes/mfa" />
  <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="http://example.org/ac/classes/mfa" />
</list>
```

In property form, this is expressed as:

idp.authn.DuoOIDC.supportedPrincipals = saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa

However, this default is (obviously) intended purely as an illustrative example of how to define your own values, as there are no standard ones to use.
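The following check is an added example, not part of the original page or of the Shibboleth project: it reads the supportedPrincipals value from authn.properties text, renders the equivalent XML bean list, and reports any entry that still carries the illustrative example.org value. It assumes only the two prefixes shown above (saml2/ and saml1/) and rejects anything else; the function names and the login.campus.test host in the sample are made up for illustration.

```python
import re
from xml.sax.saxutils import quoteattr

# Prefix -> (parent bean, attribute) for the two prefixes shown on this page; others are rejected.
PREFIXES = {
    "saml2": ("shibboleth.SAML2AuthnContextClassRef", "c:classRef"),
    "saml1": ("shibboleth.SAML1AuthenticationMethod", "c:method"),
}
KEY = "idp.authn.DuoOIDC.supportedPrincipals"
PLACEHOLDER = re.compile(r"https?://example\.org(/|$)")  # the illustrative default

def read_property(text, key=KEY):
    """Return the value set for key in .properties text, or None if it is not set."""
    for line in text.splitlines():
        m = re.match(re.escape(key) + r"\s*[=:]\s*(.*)$", line.strip())
        if m:  # commented-out lines start with '#' and never match
            return m.group(1).strip()
    return None

def parse_principals(value):
    """Split 'saml2/URI, saml1/URI' into (prefix, uri) pairs."""
    pairs = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        prefix, sep, uri = item.partition("/")
        if not sep or not uri or prefix not in PREFIXES:
            raise ValueError("unrecognised principal string: %r" % item)
        pairs.append((prefix, uri))
    return pairs

def to_xml(pairs):
    """Render the pairs as the equivalent <list> of beans."""
    beans = ['  <bean parent="%s" %s=%s />' % (*PREFIXES[p], quoteattr(u)) for p, u in pairs]
    return "\n".join(["<list>", *beans, "</list>"])

def placeholder_principals(pairs):
    """Return the pairs that still use the illustrative example.org value."""
    return [(p, u) for p, u in pairs if PLACEHOLDER.match(u)]

# Constructed sample authn.properties content; login.campus.test is a made-up host.
SAMPLE = (
    "idp.authn.DuoOIDC.order = 1000\n"
    "idp.authn.DuoOIDC.supportedPrincipals = saml2/https://login.campus.test/ac/mfa, "
    "saml1/http://example.org/ac/classes/mfa\n"
)

if __name__ == "__main__":
    pairs = parse_principals(read_property(SAMPLE))
    print(to_xml(pairs))
    for prefix, uri in placeholder_principals(pairs):
        print("WARNING: %s principal still uses the example value %s" % (prefix, uri))
```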

...