Versions Compared

Old Version 20

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 21

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
(Windows)
C:\opt\shibboleth-idp> bin\module.bat -t idp.authn.X509 || bin\module.bat -e idp.authn.X509
 
(Other)
$ bin/module.sh -t idp.authn.X509 || bin/module.sh -e idp.authn.X509

General Configuration

Localtabgroupexpand
Localtab live
titleV4.0

Use conf/authn/x509-authn-config.xml to configure this flow.

The shibboleth.authn.X509.externalAuthnPath bean is the flow redirection path to either a JSP page allowing an explicit prompt for certificate authentication (and other messaging to the user), or directly to the authentication servlet, skipping the UI (which is at /Authn/X509). These are context-relative locations, and you can use any JSP page you choose. It can be modified if needed, but in most cases modifying this to anything but one of those two choices means the External flow is likely a better choice to use.

Localtab live
activetrue
Expand
titleV4.1+

Most of the usual options are available via authn/authn.properties, and some more advanced cases will require defining/adjusting bean definitions in authn/x509-authn-config.xml.

The idp.authn.X509.externalAuthnPath property is the flow redirection path to either a JSP page allowing an explicit prompt for certificate authentication (and other messaging to the user), or directly to the authentication servlet, skipping the UI (which is at /Authn/X509). These are context-relative locations, and you can use any JSP page you choose. It can be modified if needed, but in most cases modifying this to anything but one of those two choices means the External flow is likely a better choice to use.

...

As always, if editing web.xml, make sure to copy it to edit-webapp/WEB-INF first and make any changes to that copy.

Reference

localtab-live
Localtabgroup
Expand
titleBeans (V4.0)

The beans defined, or expected to be defined, in authn/x509-authn-config.xml follow:

Bean ID / Type

Default

Description

shibboleth.authn.X509.externalAuthnPath

String

contextRelative:x509-prompt.jsp

Spring Web Flow redirection expression for the protected resource

shibboleth.authn.X509.externalAuthnPathStrategy

Function<ProfileRequestContext,String>

A constant function returning the bean value above.

A function that returns the redirection expression to use for the protected resource

shibboleth.authn.X509.ClassifiedMessageMap

Map<String,List<String>>

(see file)

A map between defined error/warning conditions and events and implementation-specific message fragments to map to them.

shibboleth.authn.X509.resultCachingPredicate

Predicate<ProfileRequestContext>


An optional bean that can be defined to control whether to preserve the authentication result in an IdP session

shibboleth.authn.X509.addDefaultPrincipals

Boolean

true

Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject

localtab-live
Expand
titleBeans (V4.1+)

The beans defined, or expected to be defined, in authn/x509-authn-config.xml follow:

Bean ID / Type

Default

Description

shibboleth.authn.X509.externalAuthnPathStrategy

Function<ProfileRequestContext,String>

A constant function returning the bean value above.

A function that returns the redirection expression to use for the protected resource

shibboleth.authn.X509.ClassifiedMessageMap

Map<String,List<String>>

(see file)

A map between defined error/warning conditions and events and implementation-specific message fragments to map to them.

shibboleth.authn.X509.resultCachingPredicate

Predicate<ProfileRequestContext>


An optional bean that can be defined to control whether to preserve the authentication result in an IdP session

Localtab live
activetrue
Expand
titleProperties (V4.1+)

The flow-specific properties usable via authn/authn.properties are:

Name

Default

Description

idp.authn.X509.externalAuthnPath

contextRelative:x509-prompt.jsp

Spring Web Flow redirection expression for the protected resource

The general properties configuring this flow via authn/authn.properties are:

Name

Default

Description

idp.authn.X509.order

1000

Flow priority relative to other enabled login flows (lower is "higher" in priority)

idp.authn.X509.nonBrowserSupported

false

Whether the flow should handle non-browser request profiles (e.g., ECP)

idp.authn.X509.passiveAuthenticationSupported

false

Whether the flow allows for passive authentication

idp.authn.X509.forcedAuthenticationSupported

false

Whether the flow supports forced authentication

idp.authn.X509.proxyRestrictionsEnforced

%{idp.authn.enforceProxyRestrictions:true}

Whether the flow enforces upstream IdP-imposed restrictions on proxying

idp.authn.X509.proxyScopingEnforced

false

Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying

idp.authn.X509.discoveryRequired

false

Whether to invoke IdP-discovery prior to running flow

idp.authn.X509.lifetime

%{idp.authn.defaultLifetime:PT1H}

Lifetime of results produced by this flow

idp.authn.X509.inactivityTimeout

%{idp.authn.defaultTimeout:PT30M}

Inactivity timeout of results produced by this flow

idp.authn.X509.reuseCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO

idp.authn.X509.activationCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request

idp.authn.X509.subjectDecorator

Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization

idp.authn.X509.supportedPrincipals

(see below)

Comma-delimited list of protocol-specific Principal strings associated with flow

idp.authn.X509.addDefaultPrincipals

true

Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

As a non-password based flow, the supportedPrincipals property defaults to the following XML:

Code Block
languagexml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:ietf:rfc:2246" />
</list>

In property form, this is expressed as (note the trailing commas):

Code Block
idp.authn.X509.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
    saml1/urn:ietf:rfc:2246
localtab-live
Expand
titleFlow Descriptor XML (V4.1+)

To replace the internally defined flow descriptor bean, the following XML is required:

Code Block
languagexml
<util:list id="shibboleth.AvailableAuthenticationFlows">
 
    <bean p:id="authn/X509" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.X509.order:1000}"
            p:nonBrowserSupported="%{idp.authn.X509.nonBrowserSupported:false}"
            p:passiveAuthenticationSupported="%{idp.authn.X509.passiveAuthenticationSupported:false}"
            p:forcedAuthenticationSupported="%{idp.authn.X509.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.X509.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.X509.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.X509.discoveryRequired:false}"
            p:lifetime="%{idp.authn.X509.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.X509.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.X509.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.X509.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:subjectDecorator-ref="#{getObject('%{idp.authn.X509.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.X509.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

...