...

(Windows)
C:\opt\shibboleth-idp> bin\module.bat -t RemoteUserInternal || bin\module.bat -e RemoteUserInternal

(Other)
$ bin/module.sh -t RemoteUserInternal || bin/module.sh -e RemoteUserInternal

General Configuration

V4.0

Use authn/remoteuser-internal-authn-config.xml to configure this flow. Various beans are defined to control how the user identity is extracted from the HTTP request, various transforms to perform on the resulting name prior to final evaluation, and rules for evaluating the name, such as allow/deny lists, or a matching expression. Simple echoing of the extracted REMOTE_USER value requires no changes. See the reference below for a complete list.

V4.1+

Simple echoing of the extracted REMOTE_USER value requires no special settings. Other simple options are available using authn/authn.properties, and some more advanced cases will require defining or adjusting bean definitions in authn/remoteuser-internal-authn-config.xml.

Reference

Beans (V4.0)

The following beans are defined, or expected to be defined in, authn/remoteuser-internal-authn-config.xml:

| Bean ID | Type | Default | Description |
|---|---|---|---|
| shibboleth.authn.RemoteUser.checkRemoteUser | Boolean | true | Whether to check REMOTE_USER for a username |
| shibboleth.authn.RemoteUser.checkAttributes | List<String> | | A list of servlet request attributes to check for a username |
| shibboleth.authn.RemoteUser.checkHeaders | List<String> | | A list of request headers to check for a username |
| shibboleth.authn.RemoteUser.Lowercase | Boolean | false | Whether to lowercase the username |
| shibboleth.authn.RemoteUser.Uppercase | Boolean | false | Whether to uppercase the username |
| shibboleth.authn.RemoteUser.Trim | Boolean | true | Whether to trim leading and trailing whitespace from the username |
| shibboleth.authn.RemoteUser.Transforms | List<Pair<String,String>> | | Pairs of regular expressions and replacement expressions to apply to the username |
| shibboleth.authn.RemoteUser.whitelistedUsernames | List<String> | | A list of usernames to accept (blocking all others) |
| shibboleth.authn.RemoteUser.blacklistedUsernames | List<String> | | A list of usernames to reject (accepting all others) |
| shibboleth.authn.RemoteUser.matchExpression | Pattern | | A regular expression that must match the username |
| shibboleth.authn.RemoteUser.resultCachingPredicate | Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
| shibboleth.authn.RemoteUser.addDefaultPrincipals | Boolean | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject |

Beans (V4.1+)

The following beans are defined, or expected to be defined in, authn/remoteuser-internal-authn-config.xml:

| Bean ID | Type | Description |
|---|---|---|
| shibboleth.authn.RemoteUser.Transforms | List<Pair<String,String>> | Pairs of regular expressions and replacement expressions to apply to the username |
| shibboleth.authn.RemoteUser.resultCachingPredicate | Predicate<ProfileRequestContext> | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |

Properties (V4.1+)

The flow-specific properties usable via authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.RemoteUserInternal.checkRemoteUser | true | Whether to check REMOTE_USER for a username |
| idp.authn.RemoteUserInternal.checkAttributes | | Comma-delimited list of request attributes to check for a username |
| idp.authn.RemoteUserInternal.checkHeaders | | Comma-delimited list of request headers to check for a username |
| idp.authn.RemoteUserInternal.trim | true | Whether to trim leading and trailing whitespace from the username before validating it |
| idp.authn.RemoteUserInternal.lowercase | false | Whether to lowercase the username before validating it |
| idp.authn.RemoteUserInternal.uppercase | false | Whether to uppercase the username before validating it |
| idp.authn.RemoteUserInternal.matchExpression | | A regular expression that must match the username |
| idp.authn.RemoteUserInternal.allowedUsernames | | Comma-delimited list of usernames to accept (blocking all others) |
| idp.authn.RemoteUserInternal.deniedUsernames | | Comma-delimited list of usernames to deny (accepting all others) |
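As an added example that is not the IdP's own code, the following Python models how the flow-specific settings above combine: the extraction sources are consulted in the order the table lists them, trim, Transforms and case folding are applied, and the allow list, deny list and matchExpression are then evaluated. The evaluation order, the attribute name REMOTE_USER_ATTR and the realm-stripping transform are assumptions made for illustration.

```python
import re

# Constructed settings keyed by the page's V4.1+ property names without the
# idp.authn.RemoteUserInternal. prefix; the attribute name and the
# realm-stripping transform (the bean-level Transforms list) are hypothetical.
CONFIG = {
    "checkRemoteUser": True,
    "checkAttributes": ["REMOTE_USER_ATTR"],
    "checkHeaders": [],   # header sources deliberately left unconfigured
    "trim": True,
    "lowercase": True,
    "uppercase": False,
    "matchExpression": r"^[a-z][a-z0-9._-]{1,31}$",
    "allowedUsernames": [],
    "deniedUsernames": ["root", "admin"],
}
TRANSFORMS = [(r"@example\.org$", "")]   # (regex, replacement) pairs

def extract(request, cfg=CONFIG, transforms=TRANSFORMS):
    # request: constructed stand-in for the servlet request (keys remote_user,
    # attributes, headers); sources are consulted in the table's order.
    name = request.get("remote_user") if cfg["checkRemoteUser"] else None
    for key, names in (("attributes", cfg["checkAttributes"]),
                       ("headers", cfg["checkHeaders"])):
        for n in names:
            if name:
                break
            name = request.get(key, {}).get(n)
    if not name:
        return None
    if cfg["trim"]:                # assumed order: trim, transforms, case
        name = name.strip()
    for pattern, repl in transforms:
        name = re.sub(pattern, repl, name)
    if cfg["lowercase"]:
        name = name.lower()
    if cfg["uppercase"]:
        name = name.upper()
    return name or None

def authenticate(request, cfg=CONFIG, transforms=TRANSFORMS):
    # Returns the accepted username or None: allow list blocks all others,
    # deny list accepts all others, matchExpression (if set) must match.
    name = extract(request, cfg, transforms)
    allowed = cfg["allowedUsernames"]
    if not name or (allowed and name not in allowed) or name in cfg["deniedUsernames"]:
        return None
    expr = cfg["matchExpression"]
    return name if not expr or re.match(expr, name) else None
```

The checkHeaders source is left empty on purpose: a header-derived username is only as trustworthy as the front end's guarantee that clients cannot supply that header themselves.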

The general properties configuring this flow via authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.RemoteUserInternal.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) |
| idp.authn.RemoteUserInternal.nonBrowserSupported | true | Whether the flow should handle non-browser request profiles (e.g., ECP) |
| idp.authn.RemoteUserInternal.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication |
| idp.authn.RemoteUserInternal.forcedAuthenticationSupported | false | Whether the flow supports forced authentication |
| idp.authn.RemoteUserInternal.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying |
| idp.authn.RemoteUserInternal.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying |
| idp.authn.RemoteUserInternal.discoveryRequired | false | Whether to invoke IdP-discovery prior to running the flow |
| idp.authn.RemoteUserInternal.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow |
| idp.authn.RemoteUserInternal.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow |
| idp.authn.RemoteUserInternal.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO |
| idp.authn.RemoteUserInternal.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether the flow is usable for the request |
| idp.authn.RemoteUserInternal.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization |
| idp.authn.RemoteUserInternal.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with the flow |
| idp.authn.RemoteUserInternal.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |

Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals property defaults to the following XML:

<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>

In property form, this is expressed as (note especially the trailing commas, which MUST be there):

idp.authn.RemoteUserInternal.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password

Flow Descriptor XML (V4.1+)

To replace the internally defined flow descriptor bean, the following XML is required:

<util:list id="shibboleth.AvailableAuthenticationFlows">
 
    <bean p:id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.RemoteUserInternal.order:1000}"
            p:nonBrowserSupported="%{idp.authn.RemoteUserInternal.nonBrowserSupported:true}"
            p:passiveAuthenticationSupported="%{idp.authn.RemoteUserInternal.passiveAuthenticationSupported:false}"
            p:forcedAuthenticationSupported="%{idp.authn.RemoteUserInternal.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.RemoteUserInternal.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.RemoteUserInternal.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.RemoteUserInternal.discoveryRequired:false}"
            p:lifetime="%{idp.authn.RemoteUserInternal.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.RemoteUserInternal.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.RemoteUserInternal.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.RemoteUserInternal.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:subjectDecorator-ref="#{getObject('%{idp.authn.RemoteUserInternal.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.RemoteUserInternal.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

...