...
(Windows)

    C:\opt\shibboleth-idp> bin\module.bat -t idp.authn.Function || bin\module.bat -e idp.authn.Function

(Other)

    $ bin/module.sh -t idp.authn.Function || bin/module.sh -e idp.authn.Function
General Configuration
Use authn/function-authn-config.xml to configure this flow. In V4.1 and later, most of the flow configuration is still in authn/function-authn-config.xml, but some generic settings applicable to all login flows are in authn/authn.properties.
...
Since a common use case is reading and writing cookies, note that there is already a component that handles this, the CookieManager. Built-in beans of this type reuse the standard properties controlling cookie domain, path, flags, etc., and using them is usually the best approach. Inject an instance of shibboleth.CookieManager or shibboleth.PersistentCookieManager into a Java-based Function implementation, or reference one via the customObject-ref property of a bean inheriting from shibboleth.ContextFunctions.Scripted or shibboleth.ContextFunctions.Expression, and use it to read and write cookies for you. Bear in mind that a cookie value is client-controlled input: anything the function derives an authentication result from must be integrity-protected and verified before it is trusted, because a bare cookie can be set to any value by the browser.
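As an added example (not code from the original page or from the Shibboleth project), the following authn/function-authn-config.xml fragment defines the result lookup function as a scripted bean that reads a cookie through the built-in shibboleth.CookieManager and only yields a username after the value has been unwrapped by the IdP's shibboleth.DataSealer (assumed available under that bean ID, and assumed to have produced the cookie value earlier via its wrap() method). The util:map used to pass two components through the single customObject slot, the cookie name example_fn_auth, and the convention that a null result means "no authentication" are assumptions for illustration; the script is JavaScript evaluated by the IdP's scripting engine, with the custom object available as custom.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Hypothetical helper: a scripted bean has one customObject slot, so bundle
         the cookie manager and the sealer into a map (assumption, not an IdP default). -->
    <util:map id="example.FunctionCustomObjects">
        <entry key="cookies" value-ref="shibboleth.CookieManager"/>
        <entry key="sealer" value-ref="shibboleth.DataSealer"/>
    </util:map>

    <bean id="shibboleth.authn.Function.resultLookupStrategy"
          parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
          p:customObject-ref="example.FunctionCustomObjects">
        <constructor-arg>
            <value>
            <![CDATA[
            // Cookie name is an example value chosen here; the IdP defines no such cookie.
            var COOKIE = "example_fn_auth";
            var cookies = custom.get("cookies");
            var sealer = custom.get("sealer");

            // Assumption for this example: a null result means "no authentication result".
            var result = null;

            // The CookieManager applies the configured domain/path/secure/httpOnly
            // settings, so the script never touches raw Set-Cookie headers.
            var raw = cookies.getCookieValue(COOKIE, null);
            if (raw != null) {
                try {
                    // unwrap() decrypts, checks integrity and rejects expired values;
                    // a tampered or stale cookie throws instead of yielding a username.
                    result = sealer.unwrap(raw);
                } catch (e) {
                    // Never trust a cookie that fails verification; clear it so the
                    // browser does not keep presenting garbage on every request.
                    cookies.unsetCookie(COOKIE);
                    result = null;
                }
            }

            // The last expression is the script's return value: the username string
            // to authenticate, or null when no valid cookie was presented.
            result;
            ]]>
            </value>
        </constructor-arg>
    </bean>

</beans>
```

The design point is that the cookie is never used as a username directly: the sealer's integrity check stands between client input and the authentication result, and a verification failure both denies authentication and removes the offending cookie. A Java-based Function implementation would follow the same shape, with the CookieManager and DataSealer injected as bean properties instead of being fetched from the custom map.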
Reference
In older versions, the beans defined, or expected to be defined, in authn/function-authn-config.xml are:

Bean ID / Type | Default | Function
shibboleth.authn.Function.resultLookupStrategy (Function<ProfileRequestContext,Object>) | | A function to produce the authentication result (see above)
shibboleth.authn.Function.resultCachingPredicate (Predicate<ProfileRequestContext>) | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session
shibboleth.authn.Function.addDefaultPrincipals (Boolean) | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject

In V4.1+, the beans defined, or expected to be defined, in authn/function-authn-config.xml are (the addDefaultPrincipals setting has moved to the idp.authn.Function.addDefaultPrincipals property listed below):

Bean ID / Type | Default | Function
shibboleth.authn.Function.resultLookupStrategy (Function<ProfileRequestContext,Object>) | | A function to produce the authentication result (see above)
shibboleth.authn.Function.resultCachingPredicate (Predicate<ProfileRequestContext>) | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session
The general properties configuring this flow via authn/authn.properties are:

Name | Default | Description
idp.authn.Function.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority)
idp.authn.Function.nonBrowserSupported | true | Whether the flow should handle non-browser request profiles (e.g., ECP)
idp.authn.Function.passiveAuthenticationSupported | true | Whether the flow allows for passive authentication
idp.authn.Function.forcedAuthenticationSupported | false | Whether the flow supports forced authentication
idp.authn.Function.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying
idp.authn.Function.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying
idp.authn.Function.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow
idp.authn.Function.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow
idp.authn.Function.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow
idp.authn.Function.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO
idp.authn.Function.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request
idp.authn.Function.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization
idp.authn.Function.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow
idp.authn.Function.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow
Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals property defaults to the following XML:

    <list>
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
        <bean parent="shibboleth.SAML2AuthnContextClassRef"
            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
        <bean parent="shibboleth.SAML1AuthenticationMethod"
            c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
    </list>

In property form, this is expressed as follows (note especially the commas at the end of each continued line, which MUST be there: the backslash only joins the lines, so without the comma two adjacent values would run together into a single invalid entry):

    idp.authn.Function.supportedPrincipals = \
        saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
        saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
        saml1/urn:oasis:names:tc:SAML:1.0:am:password
Flow Descriptor XML (V4.1+)
To replace the internally defined flow descriptor bean, the following XML is required:

    <util:list id="shibboleth.AvailableAuthenticationFlows">
        <bean p:id="authn/Function" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.Function.order:1000}"
            p:nonBrowserSupported="%{idp.authn.Function.nonBrowserSupported:true}"
            p:passiveAuthenticationSupported="%{idp.authn.Function.passiveAuthenticationSupported:true}"
            p:forcedAuthenticationSupported="%{idp.authn.Function.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.Function.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.Function.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.Function.discoveryRequired:false}"
            p:lifetime="%{idp.authn.Function.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.Function.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.Function.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.Function.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:subjectDecorator-ref="#{getObject('%{idp.authn.Function.subjectDecorator:}'.trim())}">
            <property name="supportedPrincipalsByString">
                <bean parent="shibboleth.CommaDelimStringArray"
                    c:_0="#{'%{idp.authn.Function.supportedPrincipals:}'.trim()}" />
            </property>
        </bean>
    </util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided, and it may simply be placed in conf/global.xml if needed.
...