Bean ID / Type | Default | Description |
|---|
shibboleth.authn.DuoOIDC.DuoIntegration DuoOIDCIntegration | Derived from properties in conf/authn/duo-oidc.properties | Defines a single/static Duo OIDC Integration with Duo, you can override this bean to supply a non-property-configured alternative |
shibboleth.authn.DuoOIDC.DuoIntegrationStrategy Function<ProfileRequestContext,DuoOIDCIntegration> |
| Optional bean to supply the Duo OIDC integration settings dynamically |
shibboleth.authn.DuoOIDC.UsernameLookupStrategy Function<ProfileRequestContext,String> | CanonicalUsernameLookupStrategy | Optional bean to supply username |
shibboleth.authn.DuoOIDC.resultCachingPredicate Predicate<ProfileRequestContext> | shibboleth.Conditions.TRUE | Bean ID controlling whether to preserve the authentication result in an IdP session |
shibboleth.authn.DuoOIDC.CleanUpHook Consumer<ProfileRequestContext> | Bean that removes the DuoOIDAuthenticationContext from the tree | A cleanup hook that is executed on successful authentication. |
shibboleth.authn.DuoOIDC.jwt.claims.CleanUpHook Consumer<ProfileRequestContext> | Bean that removes the nonce value from the DuoOIDAuthenticationContext | A cleanup hook to execute after either successful or unsuccessful claims validation |
shibboleth.authn.DuoOIDC.DuoTokenClaimsVerifier JWTClaimsValidation | DefaultDuoTokenClaimsVerifier Claims verification in accordance with the Duo specification. Also OIDC compliant for the special Duo id_token case. | Duo result token (OIDC id_token) claims verifier using a 'chain' of ClaimsValidators e.g. audience, issuer, expiration checks etc. You can either replace the claims validator completely, change some of the behavior of existing validators individually, or add to a new validation check using a custom BiFunction, see shibboleth.authn.DuoOIDC.ExtendedClaimsValidator. |
shibboleth.authn.DuoOIDC.jwt.IssuerLookupStrategy BiFunction<ProfileRequestContext, JWTClaimsSet, String> | Combines the HTTPS scheme, with the Duo API Hostname, and the Duo token IssuerPath. | Lookup strategy that returns the OIDC issuer. An issuer contains the scheme, host, and optionally, port and path components that identify the id_token issuer. |
shibboleth.authn.DuoOIDC.jwt.AudienceLookupStrategy BiFunction<ProfileRequestContext,JWTClaimsSet, String> | The clientID of the Duo Integration pertaining to the request. | Lookup the client_id for the Relying Party. |
shibboleth.authn.DuoOIDC.jwt.UsernameLookupStrategy BiFunction<ProfileRequestContext,JWTClaimsSet, String> | The authenticating principal's username from the context pertaining to the request. | Lookup the authenticating principal's username to match Duo's preferred_username field in the id_token. |
shibboleth.authn.DuoOIDC.jwt.AuthTimeActivationCondition BiPredicate<ProfileRequestContext,JWTClaimsSet> | Returns true if forced authentication has been requested by the Relying Party. | Should the auth_time field be validated for the given request? |
shibboleth.authn.DuoOIDC.jwt.NonceLookupStrategy BiFunction<ProfileRequestContext,JWTClaimsSet, String> | The nonce that was used in the authorization request and stored in the Duo authentication context. | Lookup the nonce that was used in the authorization request and should be present in the id_token. |
shibboleth.authn.DuoOIDC.jwt.NonceActivationCondition BiPredicate<ProfileRequestContext,JWTClaimsSet> | Returns true iff the id_token contains a nonce. | Should we validate the nonce value in the id_token? |
shibboleth.authn.DuoOIDC.RequiredOIDCClaims Set<String> | Used by the DefaultDuoTokenClaimsVerifier above. Defaults to those claims required by the OIDC specification (https://openid.net/specs/openid-connect-core-1_0.html#IDToken) | The names of the claims required to be present in the Duo result token (OIDC id_token). |
shibboleth.authn.DuoOIDC.ContextToPrincipalMappingStrategy Function<ProfileRequestContext,Collection<Principal>> |
| Map information in the ProfileRequestContext, most likely in the Duo result id_token, to a collection of Principals the execution of the flow supports. See this advanced topic. |
shibboleth.authn.DuoOIDC.ExtendedClaimsValidator BiFunction<JWTClaimsSet,ProfileRequestContext,JWTValidationException> |
| Optional BiFunction extension point for custom claims validation of the Duo token |
shibboleth.authn.DuoOIDC.PreDuoPopulateAuditExtractors 1.3.0 Map<String,Function<ProfileRequestContext,Object>> | | List Map of Pre-Duo 2FA redirect audit extractors that take the profile request context ProfileRequestContext and return an object (likely usually a String) to append to the log statement. |
shibboleth.authn.DuoOIDC.PostDuoPopulateAuditExtractors 1.3.0 Map<String,Function<ProfileRequestContext,Object>> | | List Map of Post-Duo 2FA audit extractors that take the profile request context ProfileRequestContext and return an object (likely usually a String) to append to the log statement. |
shibboleth.authn.DuoOIDC.AuditFormattingMap 1.3.0(only) Map<String, String> | | Map of logging categories to audit formatting strings for Duo 2FA audit logging |