...

Beans (Non-Browser Auth API)

These beans refer to the Duo Auth API (non-OIDC) which supports non-browser flows.

| Bean ID | Type | Default | Description |
|---|---|---|---|
| shibboleth.authn.DuoOIDC.NonBrowser.DuoIntegration | DuoIntegration | Derived from properties in conf/authn/duo-oidc.properties | Defines a single/static Duo AuthAPI integration for non-browser support |
| shibboleth.authn.DuoOIDC.NonBrowser.DuoIntegrationStrategy | Function<ProfileRequestContext,DuoIntegration> | | Optional bean to supply the Duo AuthAPI integration settings dynamically |
| shibboleth.authn.DuoOIDC.NonBrowser.HttpClient | HttpClient | Internal/default HttpClient instance | Overrides the HttpClient implementation and settings to use for the AuthAPI (see HttpClientConfiguration) |
| shibboleth.authn.DuoOIDC.NonBrowser.HttpClientSecurityParameters | HttpClientSecurityParameters | | Custom security settings for the AuthAPI calls (see HttpClientConfiguration) |

Properties (DuoOIDC-Specific)

The DuoOIDC-specific properties defined in conf/authn/duo-oidc.properties follow:

| Name | Default | Description |
|---|---|---|
| idp.duo.oidc.apiHost | | DuoOIDC API hostname assigned to the integration |
| idp.duo.oidc.clientId | | The OAuth 2.0 Client Identifier valid at the Authorization Server |
| idp.duo.oidc.redirectURL | | Redirection URI to which the 2FA response will be sent |
| idp.duo.oidc.redirecturl.allowedOrigins | | If idp.duo.oidc.redirectURL is not set, the redirect URL is computed dynamically from the incoming request and its origin is checked against this list of allowed origins, to prevent HTTP Host header injection |
| idp.duo.oidc.secretKey | | The client secret used to authenticate the client when exchanging the authorization code for a Duo 2FA result token (id_token) |
| idp.duo.oidc.endpoint.health | /oauth/v1/health_check | Duo's OAuth 2.0 health check endpoint |
| idp.duo.oidc.endpoint.token | /oauth/v1/token | Duo's OAuth 2.0 token endpoint |
| idp.duo.oidc.endpoint.authorize | /oauth/v1/authorize | Duo's OAuth 2.0 authorization endpoint |
| idp.duo.oidc.jwt.verifier.clockSkew | PT60S | Leeway allowed in token expiry calculations |
| idp.duo.oidc.jwt.verifier.iatWindow | PT60S | Maximum allowed difference (in either direction) between the token's issued-at (iat) time and the current time |
| idp.duo.oidc.jwt.verifier.issuerPath | /oauth/v1/token | The path component of the Duo token issuer. The full issuer string is https://<idp.duo.oidc.apiHost><idp.duo.oidc.jwt.verifier.issuerPath> |
| idp.duo.oidc.jwt.verifier.preferredUsername | preferred_username | The result token JWT claim name that carries the username sent in the duo_uname field of the authorization request; the claim must match that username |
| idp.duo.oidc.jwt.verifier.authLifetime | PT60S | How long a Duo authentication is considered valid. Only applies to forced authentication requests. |
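The two verification points in the OIDC flow that the properties above configure are the redirect-URL origin check (made before the authorization request is sent) and the checks on the returned result token (issuer, expiry with clockSkew, iat within iatWindow, preferredUsername against duo_uname). The following is an added example of both, not the plugin's own code. It assumes the configuration is held in a dict keyed by the property names, that the result token is HMAC-SHA512 signed with the client secret (a constructed stand-in for Duo's token), a placeholder callback path, and adds the standard OIDC audience check, which is not one of the properties above; host, client ID and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Assumed configuration keyed by the property names in the table above.
# Host, client ID and secret are constructed placeholders, not real credentials.
CFG = {
    "idp.duo.oidc.apiHost": "api-12345678.duosecurity.com",
    "idp.duo.oidc.clientId": "DIAAAAAAAAAAAAAAAAAA",
    "idp.duo.oidc.secretKey": "constructed-client-secret",
    "idp.duo.oidc.redirectURL": "",                       # unset: compute from the request
    "idp.duo.oidc.redirecturl.allowedOrigins": ["https://idp.example.org"],
    "idp.duo.oidc.jwt.verifier.clockSkew": 60,            # PT60S
    "idp.duo.oidc.jwt.verifier.iatWindow": 60,            # PT60S
    "idp.duo.oidc.jwt.verifier.issuerPath": "/oauth/v1/token",
    "idp.duo.oidc.jwt.verifier.preferredUsername": "preferred_username",
}

def allowed_origin(cfg, scheme, host):
    """True if scheme://host (case-insensitive) is one of the configured allowed origins."""
    return f"{scheme}://{host}".lower() in cfg["idp.duo.oidc.redirecturl.allowedOrigins"]

def redirect_url(cfg, scheme, host, callback_path):
    """Redirect URL for the authorization request. A static redirectURL wins;
    otherwise it is derived from the request, and the request origin must be
    allow-listed so a forged Host header cannot send the code elsewhere.
    callback_path is a placeholder assumption, not the plugin's real path."""
    if cfg["idp.duo.oidc.redirectURL"]:
        return cfg["idp.duo.oidc.redirectURL"]
    if not allowed_origin(cfg, scheme, host):
        raise ValueError(f"origin {scheme}://{host} is not in allowedOrigins")
    return f"{scheme}://{host}".lower() + callback_path

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def expected_issuer(cfg):
    """Issuer in the format given above: https:// + apiHost + issuerPath."""
    return "https://" + cfg["idp.duo.oidc.apiHost"] + cfg["idp.duo.oidc.jwt.verifier.issuerPath"]

def make_id_token(claims, secret):
    """Constructed HS512-signed token standing in for Duo's result token (assumption)."""
    head = _b64url(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha512).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_id_token(token, cfg, duo_uname, now):
    """Apply the checks the jwt.verifier.* properties describe; raise ValueError on the first failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "HS512":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    want = hmac.new(cfg["idp.duo.oidc.secretKey"].encode(), f"{head}.{body}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    uname_claim = cfg["idp.duo.oidc.jwt.verifier.preferredUsername"]
    for name in ("iss", "aud", "iat", "exp", uname_claim):
        if name not in claims:
            raise ValueError(f"missing claim {name}")
    if claims["iss"] != expected_issuer(cfg):
        raise ValueError("issuer mismatch")
    if claims["aud"] != cfg["idp.duo.oidc.clientId"]:  # standard OIDC audience check; not a property above
        raise ValueError("audience mismatch")
    if now > claims["exp"] + cfg["idp.duo.oidc.jwt.verifier.clockSkew"]:
        raise ValueError("token expired")
    if abs(now - claims["iat"]) > cfg["idp.duo.oidc.jwt.verifier.iatWindow"]:
        raise ValueError("iat outside iatWindow")
    if claims[uname_claim] != duo_uname:
        raise ValueError("username does not match duo_uname")
    return claims

def verification_failure(token, cfg, duo_uname, now):
    """Message of the first failing check, or None when the token verifies."""
    try:
        verify_id_token(token, cfg, duo_uname, now)
    except ValueError as exc:
        return str(exc)
    return None
```

The username comparison is the check that binds the Duo result to the first-factor subject: without it, a token minted for one user's Duo session could complete MFA for another. The clockSkew leeway applies only to exp; iatWindow is enforced in both directions, so a token with a far-future iat is rejected as well as a stale one.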

The properties below are used when enabling non-browser / AuthAPI support:

| Name | Default | Description |
|---|---|---|
| idp.duo.oidc.nonbrowser.apiHost | ${idp.duo.oidc.apiHost} | Duo AuthAPI hostname assigned to the integration |
| idp.duo.oidc.nonbrowser.integrationKey | | Duo AuthAPI integration key (supplied by Duo) |
| idp.duo.oidc.nonbrowser.secretKey | | Duo AuthAPI secret key (supplied by Duo) |
| idp.duo.oidc.nonbrowser.header.factor | X-Shibboleth-Duo-Factor | Name of the HTTP request header carrying the Duo AuthAPI factor |
| idp.duo.oidc.nonbrowser.header.device | X-Shibboleth-Duo-Device | Name of the HTTP request header carrying the Duo AuthAPI device ID or name |
| idp.duo.oidc.nonbrowser.header.passcode | X-Shibboleth-Duo-Passcode | Name of the HTTP request header carrying the Duo AuthAPI passcode |
| idp.duo.oidc.nonbrowser.auto | true | Default the factor to "auto" if no factor header is received |
| idp.duo.oidc.nonbrowser.clientAddressTrusted | true | Pass the client address to Duo in API calls to support logging, push display, and network-based Duo policies |
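How the non-browser properties above come together in practice, as an added example that is not the plugin's code: the request headers of an ECP (or other non-browser) request are mapped onto Duo Auth API /auth/v2/auth parameters, honouring the auto default and the clientAddressTrusted switch, and the call is then signed with the integration key and secret key using Duo's documented Auth API scheme (HMAC-SHA1 over the canonical string, sent as HTTP Basic credentials). The configuration dict, the header values and the key material are constructed placeholders; nothing is sent over the network.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import quote

# Assumed configuration keyed by the property names above; keys are constructed placeholders.
NB_CFG = {
    "idp.duo.oidc.nonbrowser.apiHost": "api-12345678.duosecurity.com",
    "idp.duo.oidc.nonbrowser.integrationKey": "DIBBBBBBBBBBBBBBBBBB",
    "idp.duo.oidc.nonbrowser.secretKey": "constructed-authapi-secret",
    "idp.duo.oidc.nonbrowser.header.factor": "X-Shibboleth-Duo-Factor",
    "idp.duo.oidc.nonbrowser.header.device": "X-Shibboleth-Duo-Device",
    "idp.duo.oidc.nonbrowser.header.passcode": "X-Shibboleth-Duo-Passcode",
    "idp.duo.oidc.nonbrowser.auto": True,
    "idp.duo.oidc.nonbrowser.clientAddressTrusted": True,
}

def authapi_params(cfg, username, headers, client_addr):
    """Map the non-browser (e.g. ECP) request headers onto Duo Auth API /auth/v2/auth parameters."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    factor = lowered.get(cfg["idp.duo.oidc.nonbrowser.header.factor"].lower())
    device = lowered.get(cfg["idp.duo.oidc.nonbrowser.header.device"].lower())
    passcode = lowered.get(cfg["idp.duo.oidc.nonbrowser.header.passcode"].lower())
    if factor is None:
        if not cfg["idp.duo.oidc.nonbrowser.auto"]:
            raise ValueError("no factor header and auto defaulting is disabled")
        factor = "auto"
    params = {"username": username, "factor": factor}
    if factor == "passcode":
        if not passcode:
            raise ValueError("passcode factor requires a passcode header")
        params["passcode"] = passcode
    elif device:
        params["device"] = device
    if cfg["idp.duo.oidc.nonbrowser.clientAddressTrusted"] and client_addr:
        params["ipaddr"] = client_addr   # only safe when the address is not client-controlled
    return params

def authapi_failure(cfg, username, headers, client_addr):
    """Message of the failing check, or None when the headers map cleanly."""
    try:
        authapi_params(cfg, username, headers, client_addr)
    except ValueError as exc:
        return str(exc)
    return None

def canonical_string(cfg, method, path, params, date):
    """Duo Auth API canonical request: date, upper-cased method, lower-cased host, path,
    then the parameters sorted by name and URL-encoded (only '~' left unescaped)."""
    encoded = "&".join(f"{quote(str(k), safe='~')}={quote(str(v), safe='~')}"
                       for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), cfg["idp.duo.oidc.nonbrowser.apiHost"].lower(), path, encoded])

def sign_authapi_request(cfg, method, path, params, date=None):
    """Headers for a signed Auth API call: HMAC-SHA1 of the canonical string under the
    secret key, presented as HTTP Basic credentials integrationKey:hexsignature."""
    date = date or formatdate(usegmt=True)
    sig = hmac.new(cfg["idp.duo.oidc.nonbrowser.secretKey"].encode(),
                   canonical_string(cfg, method, path, params, date).encode(), hashlib.sha1).hexdigest()
    creds = base64.b64encode(f"{cfg['idp.duo.oidc.nonbrowser.integrationKey']}:{sig}".encode()).decode()
    return {"Date": date,
            "Host": cfg["idp.duo.oidc.nonbrowser.apiHost"].lower(),
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded"}
```

Two operational points follow from the mapping: with nonbrowser.auto left at true, an ECP client that sends no headers silently gets a push or phone call rather than an error, so clients that expect to supply a passcode must send the factor header explicitly; and ipaddr is only worth passing when the address the IdP sees is the real client address, which is why clientAddressTrusted should be false behind a proxy that does not rewrite it.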

Properties (Nimbus)

The properties below apply only to the Shibboleth Nimbus plugin:

| Name | Default | Description |
|---|---|---|
| idp.duo.oidc.connectionTimeout | Global HttpClient default from services.properties (PT1M) | Maximum length of time to wait for the connection to be established |
| idp.duo.oidc.connectionRequestTimeout | Global HttpClient default from services.properties (PT1M) | Maximum length of time to wait for a connection to be returned from the connection manager |
| idp.duo.oidc.socketTimeout | Global HttpClient default from services.properties (PT1M) | Maximum period of inactivity between two consecutive data packets |
| idp.duo.oidc.maxConnectionsTotal | Global HttpClient default from services.properties (100) | Maximum total simultaneous connections allowed by the pooling connection manager |
| idp.duo.oidc.maxConnectionsPerRoute | Global HttpClient default from services.properties (100) | Maximum simultaneous connections per route allowed by the pooling connection manager |
| idp.duo.oidc.nimbus.checkRevocation | false | Enables certificate revocation checking on the TLS connections to Duo. See Certificate Revocation Checking |

Properties (General)

The general properties configuring this flow via authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.DuoOIDC.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) |
| idp.authn.DuoOIDC.nonBrowserSupported | false | Whether the flow should handle non-browser request profiles (e.g., ECP) |
| idp.authn.DuoOIDC.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication |
| idp.authn.DuoOIDC.forcedAuthenticationSupported | true | Whether the flow supports forced authentication |
| idp.authn.DuoOIDC.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying |
| idp.authn.DuoOIDC.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying |
| idp.authn.DuoOIDC.discoveryRequired | false | Whether to invoke IdP-discovery prior to running the flow |
| idp.authn.DuoOIDC.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow |
| idp.authn.DuoOIDC.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow |
| idp.authn.DuoOIDC.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO |
| idp.authn.DuoOIDC.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether the flow is usable for the request |
| idp.authn.DuoOIDC.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization |
| idp.authn.DuoOIDC.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with the flow |
| idp.authn.DuoOIDC.addDefaultPrincipals | false | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |

As a non-password based flow, the supportedPrincipals property defaults to the following XML: 

```xml
<list>
  <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://example.org/ac/classes/mfa" />
  <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="http://example.org/ac/classes/mfa" />
</list>
```

In property form, this is expressed as:

idp.authn.DuoOIDC.supportedPrincipals = saml2/http://example.org/ac/classes/mfa, saml1/http://example.org/ac/classes/mfa

However, this default is (obviously) intended purely as an illustrative example of how to define your own values, as there are no standard ones to use.

...