...
The ExternalAuthentication class makes up the interface between the external code and the IdP. The general flow is:

1. Call ExternalAuthentication.startExternalAuthentication(HttpServletRequest), saving off the result as a key.
2. Do work as necessary (reading request details from the attributes below). Any redirects must preserve the key value returned in step 1 because it must be used to complete the login later.
3. Set request attributes to communicate the result of the login back.
4. Call ExternalAuthentication.finishExternalAuthentication(String, HttpServletRequest, HttpServletResponse). The first parameter is the key returned in step 1.

Example JSP implementations are below.
...
Note that returning a Subject is often paired with setting the shibboleth.authn.External.addDefaultPrincipals bean (V4.0) or idp.authn.External.addDefaultPrincipals property (V4.1+) to false, to dynamically establish Principal(s) representing the authentication method used without having them overwritten.

For example, your External flow's supportedPrincipals property might be defined to include both password and multi-factor authentication Principals (meaning it supports both methods), but you can return the specific method used at runtime in the Subject. For SAML 2.0, this is typically done (programmatically) by using the net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal class with the appropriate value from the standard or a deployment. Other classes in that package address SAML 1.1 and unusual SAML 2.0 use cases. For the built-in constants defined by the standard, there are Java constants available via org.opensaml.saml.saml2.core.AuthnContext.
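The following servlet is an added example written for this page; it is not one of the project's own JSP examples. It walks the four steps of the flow above and, as described in the paragraph just before, returns a Subject that records the specific authentication method used rather than relying on the flow's supportedPrincipals (so it is meant to be paired with idp.authn.External.addDefaultPrincipals = false). It assumes that a front end (a container or web-server authentication module) has already populated request.getRemoteUser(), and it reads a hypothetical request header named X-Authn-Strength (a name chosen for this example) to learn whether that front end performed multi-factor authentication. The servlet path, package name and the non-standard MFA class reference URI are placeholders; the ExternalAuthentication constants, UsernamePrincipal, AuthnContextClassRefPrincipal and AuthnContext.PASSWORD_AUTHN_CTX are the IdP's and OpenSAML's real APIs.

```java
// Added example for this page, not code from the Shibboleth project.
package example.extauthn;  // hypothetical package name

import java.io.IOException;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import org.opensaml.saml.saml2.core.AuthnContext;

/** External login handler that trusts the container's REMOTE_USER and reports the method used. */
@WebServlet("/Authn/External/example")  // hypothetical path; must match externalAuthnPath
public class ExampleExternalAuthnServlet extends HttpServlet {

    // Placeholder for whatever deployment-specific class reference denotes MFA; not a standard value.
    private static final String MFA_CLASS_REF = "urn:example:authn:mfa";

    @Override
    protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
            throws ServletException, IOException {

        // Step 1: hand the request to the IdP and keep the key. It identifies this login
        // attempt, so any redirect performed here must carry it (query parameter or
        // session) and pass it back to finishExternalAuthentication afterwards.
        final String key;
        try {
            key = ExternalAuthentication.startExternalAuthentication(req);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("Unable to start external authentication", e);
        }

        // Step 2: read the details the IdP exposes about this attempt.
        final boolean isPassive =
                Boolean.TRUE.equals(req.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM));
        final boolean forceAuthn =
                Boolean.TRUE.equals(req.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM));
        final Object relyingParty = req.getAttribute(ExternalAuthentication.RELYING_PARTY_PARAM);
        log("External login for relying party " + relyingParty
                + " (isPassive=" + isPassive + ", forceAuthn=" + forceAuthn + ")");

        // Do the "work": here the front end already authenticated the user.
        final String username = req.getRemoteUser();

        // Step 3: communicate the result back through request attributes.
        if (username == null || username.isEmpty()) {
            // No authenticated user and, if passive, no way to prompt for one. The message
            // is matched against the ClassifiedMessageMap bean to select an event.
            req.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY,
                    isPassive ? "No authenticated user and passive login requested"
                              : "No authenticated user supplied by the front end");
        } else {
            final Subject subject = new Subject();
            subject.getPrincipals().add(new UsernamePrincipal(username));

            // Record the method actually used, not the union declared in supportedPrincipals.
            final boolean mfa = "mfa".equals(req.getHeader("X-Authn-Strength"));  // hypothetical header
            subject.getPrincipals().add(new AuthnContextClassRefPrincipal(
                    mfa ? MFA_CLASS_REF : AuthnContext.PASSWORD_AUTHN_CTX));

            req.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);
        }

        // Step 4: return control to the IdP using the key from step 1.
        try {
            ExternalAuthentication.finishExternalAuthentication(key, req, resp);
        } catch (final ExternalAuthenticationException e) {
            throw new ServletException("Unable to finish external authentication", e);
        }
    }
}
```

With addDefaultPrincipals left at its default of true, the IdP would add every Principal from the flow's supportedPrincipals to the returned Subject, so the method recorded here would be lost; setting the property to false keeps only what the servlet returned. If the front end cannot honour forceAuthn (as a cached REMOTE_USER cannot), a deployment can treat that case like the passive one and return an error instead of a stale result.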
Reference

The beans defined, or expected to be defined, in authn/external-authn-config.xml follow:

Bean ID / Type | Default | Description
---|---|---
shibboleth.authn.External.externalAuthnPath (String) | contextRelative:external.jsp | Spring Web Flow redirection expression for the protected resource
shibboleth.authn.External.externalAuthnPathStrategy (Function<ProfileRequestContext,String>) | | Optional function that returns the redirection expression to use for the protected resource
shibboleth.authn.External.ClassifiedMessageMap (Map<String,List<String>>) | (see file) | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them
shibboleth.authn.External.resultCachingPredicate (Predicate<ProfileRequestContext>) | | Optional bean that can be defined to control whether to preserve the authentication result in an IdP session
shibboleth.authn.External.addDefaultPrincipals (Boolean) | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject
shibboleth.authn.External.matchExpression (Pattern) | | Regular expression to match username against
...
Flow Descriptor XML (V4.1+)
To replace the internally defined flow descriptor bean, the following XML is required:

    <util:list id="shibboleth.AvailableAuthenticationFlows">
        <bean p:id="authn/External" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.External.order:1000}"
            p:nonBrowserSupported="%{idp.authn.External.nonBrowserSupported:false}"
            p:passiveAuthenticationSupported="%{idp.authn.External.passiveAuthenticationSupported:false}"
            p:forcedAuthenticationSupported="%{idp.authn.External.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.External.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.External.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.External.discoveryRequired:false}"
            p:lifetime="%{idp.authn.External.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.External.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.External.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.External.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:subjectDecorator-ref="#{getObject('%{idp.authn.External.subjectDecorator:}'.trim())}">
            <property name="supportedPrincipalsByString">
                <bean parent="shibboleth.CommaDelimStringArray"
                    c:_0="#{'%{idp.authn.External.supportedPrincipals:}'.trim()}" />
            </property>
        </bean>
    </util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.
...