Versions Compared

Old Version 12

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version 13

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Retrieve and validate a subject's session, if any (if configured to do so), to establish any active flows.

  2. Filter potential/configured flows by any passive/forced requirements, as well as browser/non-browser compatibility, as required.

  3. Is specific custom Principal support requested or indicated as a default?

    1. If yes, choose the first potential flow compatible with the request and execute it (or if it's already active, reuse it). An option is provided to prioritize active results over inactive flows (it should be noted that this behavior is not SAML compliant).

    2. If no, check for a currently active result and reuse it. Otherwise select a potential flow and execute it.

  4. To reuse a result, its last activity time is updated and the result is recorded/copied to the AuthenticationContext. No "attempted flow" is recorded.

  5. To execute a flow:

    1. Record it as the attempted flow within the AuthenticationContext.

    2. Branch to it.

    3. On success:

      1. An AuthenticationResult is produced and set into the AuthenticationContext.

      2. A SubjectCanonicalizationContext is created containing the Subject from the AuthenticationResult, and control passes to a SubjectCanonicalization subflow. Failure here would lead to an overall failure of the authentication flow (as in d. below).

      3. If the identity has switched (as compared to the active session), any existing session is invalidated and the AuthenticationContext and SessionContext objects are cleaned up to reflect this.

      4. Assuming success, the canonical principal name is copied into the AuthenticationResult.

    4. On failure, return an error. This error may or may not eventually be sent back to the relying party, that's outside the scope of the authentication process.

  6. To complete the authentication process successfully, a SubjectContext is created around information copied from the AuthenticationContext.

  7. Optionally a session is created or updated with the modified or new AuthenticationResult to enable future SSO.

...

A login flow is a subflow that is assigned a flow ID that starts with "authn/" and is further defined to the system with a bean of type net.shibboleth.idp.authn.AuthenticationFlowDescriptor, generally by inheriting from shibboleth.AuthenticationFlow.

true
Localtabgroupexpand
Localtab live
titleV4.0

The bean must be added by the deployer to the list in conf/authn/general-authn.xml.

Note

While you may deliver a custom flow in a relatively "drop-in", self-contained jar, you MAY NOT manipulate the state of the IdP at runtime to install the necessary descriptor bean because it is impossible to guarantee that your modification will take place early enough to be seen by other objects in the system. There is no publically supported mechanism prior to V4.1 to extend any of the beans defined inside the "root" web app context, and so you MUST rely on the deployer making the necessary adjustments to define custom flows to the system via the associated type of FlowDescriptor.

Localtab live
active
Expand
titleV4.1+

Beans of this type are now auto-detected at startup and so do not require any special file or containing list to define them in, something that used to be required (see also the V4.0 tab). Simple defining a bean like so in conf/global.xml should work:

Code Block
    <bean p:id="authn/MyAuthn" parent="shibboleth.AuthenticationFlow"
            p:nonBrowserSupported="true"
            p:passiveAuthenticationSupported="true"
            p:forcedAuthenticationSupported="true"
            p:lifetime="%{idp.authn.defaultLifetime:PT1H}"
            p:inactivityTimeout="%{idp.authn.defaultTimeout:PT30M}" />

Be sure to use the p:id syntax for identifying the bean, as that is necessary for the auto-wiring to work properly. The example is obviously just that; specific settings will depend on the use case and the behavior of the mechanism. Correct IdP operation depends greatly on some of these flags being set to appropriate values.

...

Flows that need to populate specialized Java Principal types into their resulting Subject may do so but will also need to supply instructions on how to serialize the results into a String for preservation by the session layer.

true
Localtabgroupexpand
Localtab live
titleV4.0

The mechanism described in the V3 AuthenticationConfiguration page for registering custom serializers is supported but was discontinued in V4.1 in favor of a more plugin-friendly design.

Localtab live
active
Expand
titleV4.1+

Custom principal support in V4.1+ requires implementing the PrincipalService interface. Any bean declaration (e.g., in conf/global.xml) that supports this interface will be auto-registered with the system. In most simple cases, if your custom Principal is just a wrapper around a simple String, you can wire up this support as follows:

Code Block
    <bean p:id="myprincipal" class="net.shibboleth.idp.authn.principal.GenericPrincipalService"
            c:claz="org.example.MyPrincipal">
        <constructor-arg name="serializer">
            <bean class="net.shibboleth.idp.authn.principal.SimplePrincipalSerializer"
                c:claz="org.example.MyPrincipal" c:name="MY" />
        </constructor-arg>
    </bean>

For more complex data, more custom code may be needed in place of the simpler serializer, but the GenericPrincipalService class is usually sufficient to define it to the system.

...

The following events worthy of special note may occur as a result of invoking the subsystem:

proceed

Successful authentication.

RestartAuthentication

Authentication should be repeated from scratch (including creation of a new AuthenticationContext and related content).

NoPotentialFlow

No authentication flow is configured for use. This can also indicate that a request for passive authentication prevented use of all the possible flows.

RequestUnsupported

No flow or active result met the requirements of a RequestedPrincipalContext.

NoCredentials

A flow was unable to extract or obtain credentials from the subject.

InvalidCredentials

A flow was unable to successfully validate credentials from the subject. Often this event and the previous event may be isolated within a flow because the subject is expected to keep trying, but there may be retry limits or other factors that will expose this condition.

SubjectCanonicalizationError

The Subject resulting from authentication couldn't be turned into a canonical principal name.

Various other events signifying more low-level error conditions may also occur.

...