Versions Compared

Version Old Version 6 New Version Current
Changes made by

Scott Cantor

Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

As a caution, if you add a custom flow or make use of one of the technology-independent flows in a way that is not password-based, don't forget to override the corresponding supportedPrincipals property, or you will create problems for any SPs that are attempting to request stronger authentication methods. It's very easy to accidentally "lie" to the world by misconfiguring the IdP, because the software can't read your mind to understand your intentions, and it only knows what you tell it. A complete more detailed explanation of how the selection process works is here.

...

Expand
titleProperties

Because there are a variety of different login methods, most of the actual configuration is documented in the relevant topics covering those methods, but there are a few general properties used, and a larger set of properties that control the management of sessions, which are of course related to authentication.

The most important property to note is the idp.authn.flows property. This is a regular expression that identifies the login flows to enable. The expression applies only to the suffix of each flow ID (omitting the authn/ prefix), and the simplest way to express this is with a pipe (|) separated list of the flow names, e.g., flow1|flow2|flow3

Note that this property defaults to "Password" simply to ensure the system can minimally operate out of the box and because that's the most common method.

Property

Type

Default

Function

idp.authn.flows

Regular Expression

Password

Regular expression that identifies the login flows to globally enable

idp.authn.defaultLifetime

Duration

PT60M

Default amount of time to allow reuse prior authentication flows, measured since first usage

idp.authn.defaultTimeout

Duration

PT30M

Default inactivity timeout to prevent reuse of prior authentication flows, measured since last usage

idp.authn.proxyRestrictionsEnforced

Boolean

true

Whether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication

idp.authn.favorSSO

Boolean

false

Whether to prioritize prior authentication results when an SP requests more than one possible matching method

idp.authn.rpui

Boolean

true

Whether to populate information about the relying party into the tree for user interfaces during login and interceptors

idp.authn.identitySwitchIsError                

Boolean

false

Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session

idp.authn.discoveryURL

String


Provides a static discovery URL to use for external discovery; this property replaces the need for the XML-defined bean used in V4.0 for this purpose

idp.authn.overrideRequestedAuthnContext

Boolean

false

Whether to override an explicit <RequestedAuthnContext> element in an SP’s request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. Note this is a violation of the SAML standard and is also a global setting applying to all SPs that may have such a profile configuration set.

idp.authn.usernameCookieName 5.1

String

If set, enables support for caching of a username after successful login in certain cases in an encrypted cookie (using the name provided). Of the built-in login methods, only the Password flow supports this.

idp.authn.usernamePrecedence 5.1

Comma-delimited list

“form“,
”session”,
”coookie”

List of “sources” for username recovery for form population, supports “form”, “session”, and “cookie”, defaulting to that order

Expand
titleBeans (General)

Beans related to general authentication configuration follow:

Bean ID

Type

Function

shibboleth.AvailableAuthenticationFlows

List<AuthenticationFlowDescriptor>

List of descriptors enumerating the supported authentication flows that can be used. (You may need to create this bean if you wish to extend/alter the system-defined beans, but this is very unusual.)

shibboleth.AuthenticationPrincipalWeightMap

Map<Principal,Integer>

Map of weights to assign to particular custom Principal objects so that flows can pick an appropriate default Principal to associate with their result (see comment in file for more detail)

shibboleth.AuthenticationFlow

AuthenticationFlowDescriptor

Parent bean for defining new flow descriptors, generally only needed by extension developers or those wishing to override the system-defined XML

shibboleth.SAML2AuthnContextClassRef

AuthnContextClassRefPrincipal

Parent bean for attaching SAML 2.0 AuthnContextClassRef constants to flows

shibboleth.SAML2AuthnContextDeclRef

AuthnContextDeclRefPrincipal

Parent bean for attaching SAML 2.0 AuthnContextDeclRef constants to flows

shibboleth.SAML1AuthenticationMethod

AuthenticationMethodPrincipal

Parent bean for attaching SAML 1.1 AuthenticationMethod constants to flows

shibboleth.FixedAuthenticationEventStrategy

Function<ProfileRequestContext,String>

Function for producing a Spring WebFlow Event to signal from login flow validation actions to artifically test error or warning customizations.

Expand
titleBeans (IdP Discovery)

The following beans are used to configure IdP Discovery when proxying.

Bean ID

Type

Function

shibboleth.authn.discoveryURLStrategy

Function<ProfileRequestContext,String>

Function to apply to produce a Discovery Service URL to use instead of relying on a property for a static value

shibboleth.authn.discoveryRequestFunction

BiFunction<
RequestContext,
ProfileRequestContext,
String
>

BiFunction that overrides the built-in mechanism that generates the redirect to the Discovery Service with a deployer-supplied version

shibboleth.authn.entityIDForDiscoveryStrategy 5.1

Function<ProfileRequestContext,String>

Function to produce the entityID to use in the request to the DS in the event a default determination is not sufficient

Expand
titleBeans (Flow Selection)

The following beans are used to configure comparison rules for custom Principals to support rules for login flow selection when requests specify particular methods, as described in AuthenticationFlowSelection. It is quite rare to need to modify them.

Bean ID

Type

Function

shibboleth.AuthnComparisonRules

Map used as constructor argument to PrincipalEvalPredicateFactoryRegistry

Map of comparison rules

shibboleth.SAMLAuthnMethodExact
shibboleth.SAMLACClassRefExact
shibboleth.SAMLACDeclRefExact

shibboleth.SAMLACClassRefMinimum
shibboleth.SAMLACDeclRefMinimum
shibboleth.SAMLACClassRefMaximum

shibboleth.SAMLACDeclRefMaximum
shibboleth.SAMLACClassRefBetter
shibboleth.SAMLACDeclRefBetter

Pair<Class<? extends Principal>, String>

Pairs of custom Principal types and matching operators for all the SAML 1.1 and 2.0 principal and comparison types supported, used as keys for the shibboleth.AuthnComparisonRules map

shibboleth.ExactMatchFactory
shibboleth.InexactMatchFactory

PrincipalEvalPredicateFactory

Template beans for values of the shibboleth.AuthnComparisonRules map

shibboleth.BetterClassRefMatchFactory
shibboleth.MinimumClassRefMatchFactory
shibboleth.MaximumClassRefMatchFactory

shibboleth.BetterDeclRefMatchFactory
shibboleth.MinimumDeclRefMatchFactory
shibboleth.MaximumDeclRefMatchFactory

PrincipalEvalPredicateFactory

Beans supplying matching rules for implementing SAML 2.0 "inexact" comparisons of AuthnContextClassRef or AuthnContextDeclRef constants

shibboleth.IgnoredContexts

Collection<String>

A collection of SAML 2.0 AuthnContextClassRef or AuthnContextDeclRef values to ignore if found in an <AuthnRequest> message

shibboleth.PrincipalProxyRequestMappings

Map<Principal,Collection<Principal>>

Mapping rules for transforming values in requests into new values in proxied requests

shibboleth.PrincipalProxyResponseMappings

Map<Principal,Collection<Principal>>

Mapping rules for transforming values in proxied responses into new values

...