...

File | Description
views/totp.vm | View template for the dedicated token-code prompt
views/totp-error.vm | View template for reporting errors with token code validation
bin/totpauth.sh | Shell script for testing token code validation
bin/totpauth.bat | Batch script for testing token code validation

...

Properties

The TOTP-specific properties defined are:

Name | Default | Description
idp.authn.TOTP.headerName | X-Shibboleth-TOTP | Name of the request header from which token codes submitted by non-browser clients are extracted
idp.authn.TOTP.fieldName | tokencode | Name of the HTML form field from which browser-submitted token codes are read
idp.authn.TOTP.tokenSeedAttribute | tokenSeeds | Name of the IdPAttribute to resolve to obtain a user's token seeds
idp.authn.TOTP.windowSize (2.2) | 3 | Number of “windows” of clock drift to allow between the server’s time and the token’s time
idp.authn.TOTP.timeStepSize (2.2) | 30000 | Length in milliseconds of each time “window” (see previous setting)
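The following is an added worked example, not code from the Shibboleth TOTP plugin: an RFC 6238 validator whose parameters mirror windowSize and timeStepSize, together with the header-versus-form extraction that headerName and fieldName control. It assumes things the page does not state: HMAC-SHA1 with 6-digit codes, a token seed supplied as raw bytes (the sample seed is the RFC 4226/6238 test-vector key, not a real user's seed), and that windowSize counts the total number of windows centred on the server's current step, so 3 means the current step plus one on either side. The replay guard (last_counter) is also the example's own addition.

```python
import hashlib
import hmac
import struct
from typing import Mapping, Optional

# Constructed sample seed: the RFC 4226/6238 test-vector key, not a real user's seed.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step(unix_seconds: int, step_ms: int = 30000) -> int:
    """Map a Unix time to its TOTP step counter; step_ms plays the role of timeStepSize."""
    return (unix_seconds * 1000) // step_ms


def totp_at(seed: bytes, unix_seconds: int, step_ms: int = 30000, digits: int = 6) -> str:
    """RFC 6238: HOTP over the time-step counter (what the user's token computes)."""
    return hotp(seed, time_step(unix_seconds, step_ms), digits)


def accepted_offsets(window_size: int) -> range:
    """Step offsets accepted for a windowSize, assumed centred: 3 -> -1, 0, +1."""
    return range(-((window_size - 1) // 2), window_size // 2 + 1)


def validate(seed: bytes, submitted: str, now: int, window_size: int = 3,
             step_ms: int = 30000, digits: int = 6,
             last_counter: Optional[int] = None) -> Optional[int]:
    """Return the step counter the code matched, or None if it is rejected.

    Every candidate step in the drift window is compared in constant time, and a
    step at or before last_counter is refused so a code observed on the wire
    cannot be replayed for as long as the window would otherwise accept it.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = time_step(now, step_ms)
    for off in accepted_offsets(window_size):
        candidate = current + off
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(seed, candidate, digits), submitted):
            return candidate
    return None


def extract_code(headers: Mapping[str, str], form: Mapping[str, str], non_browser: bool,
                 header_name: str = "X-Shibboleth-TOTP",
                 field_name: str = "tokencode") -> Optional[str]:
    """Locate the submitted code as the headerName/fieldName properties describe:
    non-browser profiles (e.g. ECP) send it in a request header, browsers in a form field.
    A real servlet container matches header names case-insensitively; plain dicts here."""
    source = headers if non_browser else form
    key = header_name if non_browser else field_name
    value = source.get(key)
    return value.strip() if value else None


if __name__ == "__main__":
    # Token generated at t=30 (step 1), server clock at t=89 (step 2): one window of drift.
    code = totp_at(SEED, 30)
    print("drift -1, windowSize 3:", validate(SEED, code, now=89))                 # 1
    print("drift -1, windowSize 1:", validate(SEED, code, now=89, window_size=1))  # None
    print("replay of step 1:", validate(SEED, code, now=89, last_counter=1))      # None
    print("ECP header:", extract_code({"X-Shibboleth-TOTP": code}, {}, non_browser=True))
```

Widening windowSize buys tolerance for drifting tokens at the cost of more codes being valid at any instant, which is why the validator returns the matched step: persisting it per user and refusing anything at or below it keeps a larger window from also becoming a replay window.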

The general properties configuring this flow via authn/authn.properties are:

Name | Default | Description
idp.authn.TOTP.order | 1000 | Flow priority relative to other enabled login flows (a lower number means higher priority)
idp.authn.TOTP.nonBrowserSupported | true | Whether the flow handles non-browser request profiles (e.g., ECP)
idp.authn.TOTP.passiveAuthenticationSupported | true | Whether the flow allows passive authentication
idp.authn.TOTP.forcedAuthenticationSupported | true | Whether the flow supports forced authentication
idp.authn.TOTP.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces restrictions on proxying imposed by an upstream IdP
idp.authn.TOTP.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying
idp.authn.TOTP.discoveryRequired | false | Whether to invoke IdP discovery before running the flow
idp.authn.TOTP.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow
idp.authn.TOTP.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow
idp.authn.TOTP.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of a Predicate<ProfileRequestContext> controlling result reuse for SSO
idp.authn.TOTP.activationCondition | shibboleth.Conditions.TRUE | Bean ID of a Predicate<ProfileRequestContext> determining whether the flow is usable for a request
idp.authn.TOTP.subjectDecorator |  | Bean ID of a BiConsumer<ProfileRequestContext,Subject> for subject customization
idp.authn.TOTP.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with the flow
idp.authn.TOTP.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

As a non-password-based flow, the supportedPrincipals property defaults to the following XML:

    <list>
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" />
        <bean parent="shibboleth.SAML1AuthenticationMethod"
            c:method="urn:oasis:names:tc:SAML:1.0:am:HardwareToken" />
    </list>

In property form, this is expressed as:

    idp.authn.TOTP.supportedPrincipals = \
        saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken, \
        saml1/urn:oasis:names:tc:SAML:1.0:am:HardwareToken

...