The general properties configuring this flow via authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.DuoOIDC.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) |
| idp.authn.DuoOIDC.nonBrowserSupported | false | Whether the flow should handle non-browser request profiles (e.g., ECP) |
| idp.authn.DuoOIDC.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication |
| idp.authn.DuoOIDC.forcedAuthenticationSupported | true | Whether the flow supports forced authentication |
| idp.authn.DuoOIDC.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying |
| idp.authn.DuoOIDC.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying |
| idp.authn.DuoOIDC.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow |
| idp.authn.DuoOIDC.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow |
| idp.authn.DuoOIDC.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow |
| idp.authn.DuoOIDC.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO |
| idp.authn.DuoOIDC.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request |
| idp.authn.DuoOIDC.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization |
| idp.authn.DuoOIDC.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow |
| idp.authn.DuoOIDC.addDefaultPrincipals 1.3.0 | falsetrue | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |

As a non-password based flow, the supportedPrincipals property defaults to the following XML:

```xml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://example.org/ac/classes/mfa" />
    <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="http://example.org/ac/classes/mfa" />
</list>
```

In property form, this is expressed as:

```properties
idp.authn.DuoOIDC.supportedPrincipals = saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa
```

However, this default is (obviously) intended purely as an illustrative example of how to define your own values, as there are no standard ones to use.
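
Because the example.org value is the default, leaving the property unset has the same effect as copying the placeholder. The following audit script is an added example, not part of the Shibboleth documentation or code: it reads the effective value, flags placeholder URIs, and renders the equivalent XML. It assumes simple single-line `key = value` entries and knows only the two prefixes shown on this page; `SAMPLE` and the function names are constructed for illustration.

```python
import re

PROP = "idp.authn.DuoOIDC.supportedPrincipals"
# Default documented on this page (an illustrative placeholder).
DEFAULT = ("saml2/http://example.org/ac/classes/mfa, "
           "saml1/http://example.org/ac/classes/mfa")
# Prefix -> (parent bean, constructor attribute), taken from the XML on this page.
BEANS = {
    "saml2": ("shibboleth.SAML2AuthnContextClassRef", "c:classRef"),
    "saml1": ("shibboleth.SAML1AuthenticationMethod", "c:method"),
}
# Constructed sample of authn/authn.properties; the property is commented out.
SAMPLE = "idp.authn.DuoOIDC.order = 1000\n#" + PROP + " = saml2/urn:x\n"

def read_property(text, name=PROP):
    """Return the last active value of `name`, or None if it is not set."""
    value = None
    for line in text.splitlines():
        # Commented lines start with '#' and so never match the key.
        m = re.match(re.escape(name) + r"\s*[=:]\s*(.*)$", line.strip())
        if m:
            value = m.group(1).strip()
    return value

def parse_principals(value):
    """Split 'prefix/uri, prefix/uri' into (prefix, uri) pairs."""
    items = filter(None, (p.strip() for p in value.split(",")))
    return [(i.partition("/")[0], i.partition("/")[2]) for i in items]

def to_xml(pairs):
    """Render known pairs as the <list> of beans shown on this page."""
    rows = ['    <bean parent="%s" %s="%s" />' % (*BEANS[p], u)
            for p, u in pairs if p in BEANS]
    return "<list>\n" + "\n".join(rows) + "\n</list>"

def audit(text):
    """Return findings for the effective supportedPrincipals value."""
    value, findings = read_property(text), []
    if value is None:
        findings.append("property not set: documented example.org default applies")
        value = DEFAULT
    for prefix, uri in parse_principals(value):
        if prefix not in BEANS:
            findings.append("prefix not covered by this check: %s" % prefix)
        if re.match(r"https?://example\.org/", uri):
            findings.append("placeholder URI: %s/%s" % (prefix, uri))
    return findings
```
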