Versions Compared

Version Old Version 2 New Version Current
Changes made by

Scott Cantor

Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

You may also dynamically derive the path to use, typically so that it can vary based on aspects of the request, by defining a bean named shibboleth.authn.External.externalAuthnPathStrategy of type Function<ProfileRequestContext,String>.

The shibboleth.authn.External.ClassifiedMessageMap is a map of exception/error messages to classified error conditions. You can make use of this map either by modifying it to understand the error or exception messages returned by your external code.

...

Expand
titleExternal interface with attributes in JSP
Code Block
languagejava
<%@ page pageEncoding="UTF-8" %>
<%@ page import="net.shibboleth.idp.authn.*" %>
<%@ page import="net.shibboleth.idp.attribute.*"%>
<%@ page import="net.shibboleth.idp.authn.principal.*"%>
<%@ page import="java.util.*"%>
<%@ page import="java.security.*"%>
<%@ page import="javax.security.auth.*"%>

<%
try {
    final String key = ExternalAuthentication.startExternalAuthentication(request);

    HashSet<Principal> principals=new HashSet<Principal>();

    principals.add(new UsernamePrincipal("bbarker"));

    //<DataConnector xsi:type="Subject" exportAttributes="mail eduPersonNickname" id="myId" />
    //<AttributeDefinition ... <InputDataConnector ref="myId" ...
    IdPAttribute attr=new IdPAttribute("eduPersonNickname");
    attr.setValues(Collections.singletonsingletonList(new StringAttributeValue("Bob Barker")));
    principals.add(new IdPAttributePrincipal(attr));

    attr=new IdPAttribute("mail");
    attr.setValues(Collections.singletonsingletonList(new StringAttributeValue("bbarker@example.org")));
    principals.add(new IdPAttributePrincipal(attr));

    request.setAttribute(ExternalAuthentication.SUBJECT_KEY,new Subject(false, principals, Collections.EMPTY_SET, Collections.EMPTY_SET));

    ExternalAuthentication.finishExternalAuthentication(key, request, response);

} catch (final ExternalAuthenticationException e) {
    throw new ServletException("Error processing external authentication request", e);
}
%>

...

On first access to the external resource, the request attributes below will be set.

Name

Type

Function

opensamlProfileRequestContext

ProfileRequestContext

Access to full request context tree

forceAuthn

Boolean

Whether the requester asked for re-authentication

isPassive

Boolean

Whether the requested asked for passive authentication

relyingParty

String

Name of the relying party requesting authentication

Outputs

Name

Type

Function

principalName          

String

Name of authenticated subject to use as the login result

principal

Principal

Java Principal object to use as the login result

subject

Subject

Java Subject object to use as the login result

authnError

String

Error message to return in place of a successful login

authnException

Exception

Explicit exception object to return in place of a successful login

authnInstant

Instant

Exact time of authentication to report back

authnAuthorities

Collection<String>

Ordered collection of URIs identifying upstream/proxied authenticating "authorities" used to authenticate the subject

attributes

Collection<IdPAttribute>

Collection of IdPAttribute objects to associate with the authenticated subject

doNotCache

Boolean

If true, prevents the result from being saved for future use for SSO

previousResult

Boolean

If true, the "new" AuthenticationResult is created with the "previousResult" flag set to true (mainly impacts auditing)

Only one "result" or error attribute should be set by the external code. Setting more than one has unspecified behavior. In most cases, a simple principalName should be returned on success, but you can return the more complex objects to pass back additional information such as public or private credentials or custom principal data.

Any IdPAttribute objects supplied will be processed by the AttributeFilter service as "inbound" data. If at least one value in the "authnAuthorities" attribute is supplied, it is set as the "issuer" of the attributes for the purposes of the filter evaluation.

Note that returning a Subject is often paired with setting the idp.authn.External.addDefaultPrincipals property to false, to dynamically establish Principal(s) representing the authentication method used without having them overwritten.

For example, your External flow's supportedPrincipals property might be defined to include both password and multi-factor authentication Principals (meaning it supports both methods), but you can return the specific method used at runtime in the Subject. For SAML 2.0, this is typically done (programmatically) by using the net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal class with the appropriate value from the standard or a deployment. Other classes in that package address SAML 1.1 and unusual SAML 2.0 use cases. For the built-in constants defined by the standard, there are Java constants available via org.opensaml.saml.saml2.core.AuthnContext.standard, there are Java constants available via org.opensaml.saml.saml2.core.AuthnContext.

Advanced Topics

Custom Events

The API supports the signaling of custom errors and exceptions. The main purpose of this feature is to support the signalling of custom events from the login flow by mapping these errors into custom Web Flow events that become the result of the login flow, and can be handled either via MFA scripting or used to control eventual error handling within the IdP.

The actual handling of custom events is discussed in the AuthenticationConfigurationtopic. To actually signal such an event, you need to utilize the so-called “classified message map” feature that is common to a number of login flows.

The input to the mapping process comes from the output attributes defined in the API above, either “authnError” or “authnException”. The value of the former, or the exception message contained in the latter, is the input string. The output of the mapping process is the event you want to signal. If you completely control the input value because you are creating it yourself in your code, then the simplest thing to do is simply use the desired event as the “authnError” value. However, you still need to create the mapping bean because the IdP doesn’t know this is the event you want to signal.

The mapping process is controlled by a map bean you must create, named shibboleth.authn.External.ClassifiedMessageMap, typically in global.xml. The map keys are the event(s) you want to signal, and the map values are a list of strings to test the input values against to produce that event. In the simplest case, these can be the same thing. The matching is by substring so if any part of the map’s values are found in the input string, it will map to that entry’s key.

For example, if you want to use an “authnError” value of “MyCustomEvent” or trap an exception message containing the string “Error message you don’t control”, your map would look like this:

Code Block
languagexml
<util:map id="shibboleth.authn.External.ClassifiedMessageMap">
  <entry key="MyCustomEvent">
    <list>
      <value>MyCustomEvent</value>
      <value>Error message you don't control</value>
    </list>
  </entry>
</util:map>

Reference

Expand
titleBeans

Beans that may be defined in global.xml follow:

Bean ID / Type

Default

Description

shibboleth.authn.External.externalAuthnPathStrategy

Function<ProfileRequestContext,String>

Optional function that returns the redirection expression to use for the protected resource

shibboleth.authn.External.ClassifiedMessageMap

Map<String,List<String>>Remaps NoCredentials and InvalidCredentials into ReselectFlow for fall-through behavior

A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. See section above on Custom Events.

shibboleth.authn.External.resultCachingPredicate

Predicate<ProfileRequestContext>

Optional bean that can be defined to control whether to preserve the authentication result in an IdP session

...

Expand
titleFlow Descriptor XML

To replace the internally defined flow descriptor bean, the following XML is required:

Code Block
languagexml
<util:list id="shibboleth.AvailableAuthenticationFlows">
 
    <bean p:id="authn/External" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.External.order:1000}"
            p:nonBrowserSupported="%{idp.authn.External.nonBrowserSupported:false}"
            p:passiveAuthenticationSupported="%{idp.authn.External.passiveAuthenticationSupported:false}"
            p:forcedAuthenticationSupported="%{idp.authn.External.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.External.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.External.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.External.discoveryRequired:false}"
            p:lifetime="%{idp.authn.External.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.External.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.External.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.External.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:subjectDecorator-ref="#{getObject('%{idp.authn.External.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.External.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V5, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

...