Because there are a variety of different login methods, most of the actual configuration is documented in the relevant topics covering those methods, but there are a few general properties used, and a larger set of properties that control the management of sessions, which are of course related to authentication. The most important property to note is the idp.authn.flows property. This is a regular expression that identifies the login flows to enable. The expression applies only to the suffix of each flow ID (omitting the authn/ prefix), and the simplest way to express this is with a pipe (|) separated list of the flow names, e.g., flow1|flow2|flow3 Note that this property defaults to "Password" simply to ensure the system can minimally operate out of the box and because that's the most common method. Property | Type | Default | Function |
|---|
idp.authn.flows | Regular Expression | Password | Regular expression that identifies the login flows to globally enable | idp.authn.defaultLifetime | Duration | PT60M | Default amount of time to allow reuse prior authentication flows, measured since first usage | idp.authn.defaultTimeout | Duration | PT30M | Default inactivity timeout to prevent reuse of prior authentication flows, measured since last usage | idp.authn.proxyRestrictionsEnforced | Boolean | true | Whether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication | idp.authn.favorSSO | Boolean | false | Whether to prioritize prior authentication results when an SP requests more than one possible matching method | idp.authn.rpui
| Boolean | true | Whether to populate information about the relying party into the tree for user interfaces during login and interceptors | idp.authn.identitySwitchIsError | Boolean | false | Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session | idp.authn.discoveryURL | String |
| Provides a static discovery URL to use for external discovery; this property replaces the need for the XML-defined bean used in V4.0 for this purpose | idp.authn.overrideRequestedAuthnContext | Boolean | false | Whether to override an explicit <RequestedAuthnContext> element in an SP’s request with a configuration-imposed rule via the defaultAuthenticationMethods profile configuration setting. Note this is a violation of the SAML standard and is also a global setting applying to all SPs that may have such a profile configuration set. | idp.authn.usernameCookieName 5.1 | String | | If set, enables support for caching of a username after successful login in certain cases in an encrypted cookie (using the name provided). Of the built-in login methods, only the Password flow supports this. | idp.authn.usernamePrecedence 5.1 | Comma-delimited list | “form“,
”session”,
”coookie” | List of “sources” for username recovery for form population, supports “form”, “session”, and “cookie”, defaulting to that order |
|