...
This particular use of subject canonicalization (or c14n) is referred to as post-login c14n and the input is an instance of a Java Subject, which is a fairly open-ended object that can contain any number of custom Principal objects and collections of public and/or private credentials. The IdP generally doesn't make much use of the credential collections, but does populate the Principal collection and uses that heavily.
...
Lastly, V4.1 and above include another hook that can be used to plug in Java code to customize the Java Subject produced by a flow before the c14n step occurs. The advantage of this hook is that it's easier to write that bit of Java code and have it produce, for example, a UsernamePrincipal, than to create a new c14n flow from scratch. The hook is used by defining a bean of type BiConsumer<ProfileRequestContext,Subject> and identifying it in conf/authn/authn.properties with a property of the form idp.authn.<flow>.subjectDecorator.
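The following is an added example of such a decorator; it is not code from the Shibboleth project. It assumes a hypothetical package `org.example.idp.authn`, that the bean is declared in conf/global.xml (for instance `<bean id="example.UsernameDecorator" class="org.example.idp.authn.UsernameSubjectDecorator"/>`) and wired to the Password flow with `idp.authn.Password.subjectDecorator = example.UsernameDecorator`, and that the username allow-list pattern reflects site policy. It only adds a UsernamePrincipal when the login flow left exactly one usable candidate name, so ambiguous or malformed input is not silently promoted into the name that c14n will act on.

```java
// Added example, not Shibboleth project code. Hypothetical package name.
package org.example.idp.authn;

import java.security.Principal;
import java.util.List;
import java.util.Locale;
import java.util.function.BiConsumer;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import javax.security.auth.Subject;

import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import net.shibboleth.idp.authn.principal.UsernamePrincipal;

/**
 * Post-login Subject decorator for the V4.1+ idp.authn.<flow>.subjectDecorator hook.
 * Adds a UsernamePrincipal derived from the Principal objects a login flow populated,
 * so the stock post-login c14n flows can resolve a username without a custom c14n flow.
 */
public class UsernameSubjectDecorator implements BiConsumer<ProfileRequestContext, Subject> {

    private static final Logger log = LoggerFactory.getLogger(UsernameSubjectDecorator.class);

    /** Conservative allow-list for the derived username (assumption: site policy). */
    private static final Pattern USERNAME = Pattern.compile("^[a-z0-9._-]{1,64}$");

    @Override
    public void accept(final ProfileRequestContext prc, final Subject subject) {
        // Respect a username the flow already supplied.
        if (!subject.getPrincipals(UsernamePrincipal.class).isEmpty()) {
            return;
        }
        // A read-only Subject cannot be modified; leave it to c14n to report the problem.
        if (subject.isReadOnly()) {
            log.warn("Subject decorator: Subject is read-only, not adding UsernamePrincipal");
            return;
        }

        // Candidate names come from whatever Principal objects the flow populated.
        final List<String> candidates = subject.getPrincipals().stream()
                .map(Principal::getName)
                .filter(n -> n != null && !n.isBlank())
                .map(n -> n.trim().toLowerCase(Locale.ROOT))
                .distinct()
                .collect(Collectors.toList());

        // Fail closed: require exactly one candidate that passes the allow-list.
        if (candidates.size() != 1) {
            log.warn("Subject decorator: expected one candidate name, found {}", candidates.size());
            return;
        }
        final String name = candidates.get(0);
        if (!USERNAME.matcher(name).matches()) {
            log.warn("Subject decorator: candidate username rejected by allow-list");
            return;
        }

        subject.getPrincipals().add(new UsernamePrincipal(name));
        log.debug("Subject decorator: added UsernamePrincipal");
    }
}
```

When the decorator declines to add a principal, the subsequent c14n step fails for lack of a username, which is the safer outcome; the warnings logged above are the place to look when that happens.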
...
Beans related to general authentication configuration follow:

| Bean ID | Type | Function |
|---|---|---|
| shibboleth.AvailableAuthenticationFlows | List<AuthenticationFlowDescriptor> | List of descriptors enumerating the supported authentication flows that can be used (supplanted in V4.1 through autowiring of AuthenticationFlowDescriptor beans, but you may need to create this bean if you wish to extend/alter the system-defined beans) |
| shibboleth.AuthenticationPrincipalWeightMap | Map<Principal,Integer> | Map of weights to assign to particular custom Principal objects so that flows can pick an appropriate default Principal to associate with their result (see comment in file for more detail) |
| shibboleth.AuthenticationFlow | AuthenticationFlowDescriptor | Parent bean for defining new flow descriptors, generally only needed by extension developers or those wishing to override the system-defined XML |
| shibboleth.SAML2AuthnContextClassRef | AuthnContextClassRefPrincipal | Parent bean for attaching SAML 2.0 AuthnContextClassRef constants to flows |
| shibboleth.SAML2AuthnContextDeclRef | AuthnContextDeclRefPrincipal | Parent bean for attaching SAML 2.0 AuthnContextDeclRef constants to flows |
| shibboleth.SAML1AuthenticationMethod | AuthenticationMethodPrincipal | Parent bean for attaching SAML 1.1 AuthenticationMethod constants to flows |
| shibboleth.FixedAuthenticationEventStrategy | Function<ProfileRequestContext,String> | Function for producing a Spring WebFlow Event to signal from login flow validation actions, to artificially test error or warning customizations |
Beans (IdP Discovery)

The following beans are used to configure IdP Discovery when proxying.

| Bean ID | Type | Function |
|---|---|---|
| shibboleth.authn.discoveryURL | String | An explicit Discovery Service URL (supplanted in V4.1 by the idp.authn.discoveryURL property) |
| shibboleth.authn.discoveryURLStrategy | Function<ProfileRequestContext,String> | A function to apply to produce the Discovery Service URL |
Beans (Flow Selection)

The following beans are used to configure comparison rules for custom Principals to support rules for login flow selection when requests specify particular methods, as described in AuthenticationFlowSelection.

| Bean ID | Type | Function |
|---|---|---|
| shibboleth.AuthnComparisonRules | Map used as constructor argument to PrincipalEvalPredicateFactoryRegistry | Map of comparison rules |
| shibboleth.SAMLAuthnMethodExact, shibboleth.SAMLACClassRefExact, shibboleth.SAMLACDeclRefExact, shibboleth.SAMLACClassRefMinimum, shibboleth.SAMLACDeclRefMinimum, shibboleth.SAMLACClassRefMaximum, shibboleth.SAMLACDeclRefMaximum, shibboleth.SAMLACClassRefBetter, shibboleth.SAMLACDeclRefBetter | Pair<Class<? extends Principal>, String> | Pairs of custom Principal types and matching operators for all the SAML 1.1 and 2.0 principal and comparison types supported, used as keys for the shibboleth.AuthnComparisonRules map |
| shibboleth.ExactMatchFactory, shibboleth.InexactMatchFactory | PrincipalEvalPredicateFactory | Template beans for values of the shibboleth.AuthnComparisonRules map |
| shibboleth.BetterClassRefMatchFactory, shibboleth.MinimumClassRefMatchFactory, shibboleth.MaximumClassRefMatchFactory, shibboleth.BetterDeclRefMatchFactory, shibboleth.MinimumDeclRefMatchFactory, shibboleth.MaximumDeclRefMatchFactory | PrincipalEvalPredicateFactory | Beans supplying matching rules for implementing SAML 2.0 "inexact" comparisons of AuthnContextClassRef or AuthnContextDeclRef constants |
| shibboleth.IgnoredContexts | Collection<String> | A collection of SAML 2.0 AuthnContextClassRef or AuthnContextDeclRef values to ignore if found in an `<AuthnRequest>` message |
| shibboleth.PrincipalProxyRequestMappings | Map<Principal,Collection<Principal>> | Mapping rules for transforming values in requests into new values in proxied requests |
| shibboleth.PrincipalProxyResponseMappings | Map<Principal,Collection<Principal>> | Mapping rules for transforming values in proxied responses into new values |
...