Versions Compared

Old Version 31

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version Current

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

Starting with IdP 4.2 you can the install the latest plugin version supported on your IdP version with
.\plugin.sh -I net.shibboleth.idp.plugin.authn.totp

Plugin ID

Module(s)

Authentication Flow ID

Latest Version

Bug Reporting

net.shibboleth.idp.plugin.authn.totp

idp.authn.TOTP

authn/TOTP

1.0.1: download

https://shibboleth.atlassian.net/browse/JTOTP

Include Page
PluginInstallation
PluginInstallation

...

Installing/enabling this module will only populate a few files:

File

Description

views/totp.vm

View template for dedicated prompt for token code

views/totp-error.vm

View template for reporting errors with code validation

bin/totp.sh

Shell script for testing token code validation

bin/totp.bat

Batch script for testing token code validation

Other than the user interface, which is fairly self-explanatory, the only configuration required is to define how to resolve token seeds to use while validating a particular subject's token codes. This is assumed to be the Attribute Resolver in most "real" cases, but it's also possible to define some static tokens for testing in a Spring configuration file (e.g., conf/global.xml).

...

Expand
titleBeans

The following beans exist or may be defined to customize the flow. They may be placed in conf/global.xml or another imported location.

Name / Type

Default

Description

shibboleth.authn.TOTP.SeedSource

Consumer<ProfileRequestContext>

Use of Attribute Resolver

Overrides the component that populates seeds for a user into the context tree for validation of codes

shibboleth.authn.TOTP.Authenticator

net.shibboleth.idp.plugin.authn.totp.impl.TOTPAuthenticator

Google library-based implementation

Overrides the component that does validation of token codes

shibboleth.authn.TOTP.AccountLockoutManager

AccountLockoutManager


A lockout manager that, if defined, will enable account lockout feature

shibboleth.authn.TOTP.ClassifiedMessageMap

Map<String,List<String>>

Built-in component

A map between defined error/warning conditions and events and implementation-specific message fragments to map to them.

shibboleth.authn.TOTP.Validator

CredentialValidator

Built-in component

Override of the core component that validates token codes

shibboleth.authn.DuoTOTP.UsernameLookupStrategy

Function<ProfileRequestContext,String>

CanonicalUsernameLookupStrategy

Optional bean to supply username

shibboleth.authn.TOTP.resultCachingPredicate

Predicate<ProfileRequestContext>


An optional bean that can be defined to control whether to preserve the authentication result in an IdP session

Expand
titleFlow Descriptor XML

To replace the internally defined flow descriptor bean, the following XML is required:

Code Block
languagexml
<util:list id="shibboleth.AvailableAuthenticationFlows">
 
    <bean p:id="authn/TOTP" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.TOTP.order:1000}"
            p:nonBrowserSupported="%{idp.authn.TOTP.nonBrowserSupported:true}"
            p:passiveAuthenticationSupported="%{idp.authn.TOTP.passiveAuthenticationSupported:true}"
            p:forcedAuthenticationSupported="%{idp.authn.TOTP.forcedAuthenticationSupported:true}"
            p:proxyRestrictionsEnforced="%{idp.authn.TOTP.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.TOTP.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.TOTP.discoveryRequired:false}"
            p:lifetime="%{idp.authn.TOTP.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.TOTP.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.TOTP.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.TOTP.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:subjectDecorator-ref="#{getObject('%{idp.authn.TOTP.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.TOTP.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

...