...
| Code Block |
|---|
(Windows)
C:\opt\shibboleth-idp> bin\module.bat -t idp.authn.RemoteUser || bin\module.bat -e idp.authn.RemoteUser
(Other)
$ bin/module.sh -t idp.authn.RemoteUser || bin/module.sh -e idp.authn.RemoteUser |
General Configuration
| Localtabgroupexpand |
|---|
| Localtab live |
|---|
|
Use authn/remoteuser-authn-config.xml and/or edit-webapp/WEB-INF/web.xml to configure this flow. TheĀ shibboleth.authn.RemoteUser.externalAuthnPath bean defines the flow redirection path to the resource that's used to pick up the container-established identity, by default a context-relative location. It can be modified if needed. | Localtab live |
|---|
|
| active | true |
|---|
| Expand |
|---|
|
Use authn/authn.properties, authn/remoteuser-authn-config.xml and/or edit-webapp/WEB-INF/web.xml to configure this flow. The idp.authn.RemoteUser.externalAuthnPath property defines the flow redirection path to the resource that's used to pick up the container-established identity, by default a context-relative location. It can be modified if needed. |
...
If you need something different from this, your best option is to use the External login flow and possibly adapt the existing servlet as an example to copy from for your own purposes. In all respects, this flow is simply a more concrete use of the External flow.
Reference
| Localtabgroup |
|---|
localtab-live| Expand |
|---|
|
The beans defined in, or expected to be in, authn/remoteuser-authn-config.xml follow: Bean ID / Type | Default | Description |
|---|
shibboleth.authn.RemoteUser.externalAuthnPath String | contextRelative:Authn/RemoteUser | Spring Web Flow redirection expression for the protected resource | shibboleth.authn.RemoteUser.externalAuthnPathStrategy Function<ProfileRequestContext,String> | A constant function returning the bean value above. | A function that returns the redirection expression to use for the protected resource. | shibboleth.authn.RemoteUser.ClassifiedMessageMap Map<String,List<String>> | (see file) | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. | shibboleth.authn.RemoteUser.resultCachingPredicate Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session | shibboleth.authn.RemoteUser.addDefaultPrincipals Boolean | true | Whether to add the content of theĀ supportedPrincipals property of the underlying flow descriptor to the resulting Subject | shibboleth.authn.RemoteUser.matchExpression Pattern | | Regular expression to match username against |
|
| Expand |
|---|
|
The beans defined in, or expected to be in, authn/remoteuser-authn-config.xml follow: Bean ID / Type | Default | Description |
|---|
shibboleth.authn.RemoteUser.externalAuthnPathStrategy Function<ProfileRequestContext,String> | A constant function returning the bean value above. | A function that returns the redirection expression to use for the protected resource. | shibboleth.authn.RemoteUser.ClassifiedMessageMap Map<String,List<String>> | (see file) | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. | shibboleth.authn.RemoteUser.resultCachingPredicate Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
| Localtab live |
|---|
|
| active | true |
|---|
| Expand |
|---|
|
The flow-specific properties usable via authn/authn.properties are: Name | Default | Description |
|---|
idp.authn.RemoteUser.externalAuthnPath | contextRelative:Authn/RemoteUser | Spring Web Flow redirection expression for the protected resource | idp.authn.RemoteUser.matchExpression | | Regular expression to match username against |
The general properties configuring this flow via authn/authn.properties are: Name | Default | Description |
|---|
idp.authn.RemoteUser.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) | idp.authn.RemoteUser.nonBrowserSupported | false | Whether the flow should handle non-browser request profiles (e.g., ECP) | idp.authn.RemoteUser.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication | idp.authn.RemoteUser.forcedAuthenticationSupported | false | Whether the flow supports forced authentication | idp.authn.RemoteUser.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying | idp.authn.RemoteUser.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying | idp.authn.RemoteUser.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow | idp.authn.RemoteUser.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow | idp.authn.RemoteUser.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow | idp.authn.RemoteUser.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO | idp.authn.RemoteUser.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request | idp.authn.RemoteUser.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization | idp.authn.RemoteUser.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow | idp.authn.RemoteUser.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |
Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals property defaults to the following XML: | Code Block |
|---|
| <list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
<bean parent="shibboleth.SAML1AuthenticationMethod"
c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list> |
In property form, this is expressed as (note especially the trailing commas, which MUST be there): | Code Block |
|---|
idp.authn.RemoteUser.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
saml1/urn:oasis:names:tc:SAML:1.0:am:password |
localtab-live |
| Expand |
|---|
| title | Flow Descriptor XML (V4.1+) |
|---|
|
To replace the internally defined flow descriptor bean, the following XML is required: | Code Block |
|---|
| <util:list id="shibboleth.AvailableAuthenticationFlows">
<bean p:id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
p:order="%{idp.authn.RemoteUser.order:1000}"
p:nonBrowserSupported="%{idp.authn.RemoteUser.nonBrowserSupported:false}"
p:passiveAuthenticationSupported="%{idp.authn.RemoteUser.passiveAuthenticationSupported:false}"
p:forcedAuthenticationSupported="%{idp.authn.RemoteUser.forcedAuthenticationSupported:false}"
p:proxyRestrictionsEnforced="%{idp.authn.RemoteUser.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
p:proxyScopingEnforced="%{idp.authn.RemoteUser.proxyScopingEnforced:false}"
p:discoveryRequired="%{idp.authn.RemoteUser.discoveryRequired:false}"
p:lifetime="%{idp.authn.RemoteUser.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
p:inactivityTimeout="%{idp.authn.RemoteUser.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
p:reuseCondition-ref="#{'%{idp.authn.RemoteUser.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
p:activationCondition-ref="#{'%{idp.authn.RemoteUser.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
p:subjectDecorator-ref="#{getObject('%{idp.authn.RemoteUser.subjectDecorator:}'.trim())}">
<property name="supportedPrincipalsByString">
<bean parent="shibboleth.CommaDelimStringArray"
c:_0="#{'%{idp.authn.RemoteUser.supportedPrincipals:}'.trim()}" />
</property>
</bean>
</util:list> |
In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed. |
...