...
Info: Starting with IdP 4.2 you can install the latest plugin version supported on your IdP version with `.\plugin.sh -I net.shibboleth.idp.plugin.authn.totp`

| Plugin ID | Module(s) | Authentication Flow ID | Latest Version | Bug Reporting |
|---|---|---|---|---|
| net.shibboleth.idp.plugin.authn.totp | idp.authn.TOTP | authn/TOTP | 1.0.1: download | |
...
Installing/enabling this module will only populate a few files:
| File | Description |
|---|---|
| views/totp.vm | View template for dedicated prompt for token code |
| views/totp-error.vm | View template for reporting errors with code validation |
| bin/totp.sh | Shell script for testing token code validation |
| bin/totp.bat | Batch script for testing token code validation |
Other than the user interface, which is fairly self-explanatory, the only configuration required is to define how to resolve token seeds to use while validating a particular subject's token codes. This is assumed to be the Attribute Resolver in most "real" cases, but it's also possible to define some static tokens for testing in a Spring configuration file (e.g., conf/global.xml).
...
The following beans exist or may be defined to customize the flow. They may be placed in conf/global.xml or another imported location.

| Name / Type | Default | Description |
|---|---|---|
| shibboleth.authn.TOTP.SeedSource / Consumer<ProfileRequestContext> | Use of Attribute Resolver | Overrides the component that populates seeds for a user into the context tree for validation of codes |
| shibboleth.authn.TOTP.Authenticator / net.shibboleth.idp.plugin.authn.totp.impl.TOTPAuthenticator | Google library-based implementation | Overrides the component that does validation of token codes |
| shibboleth.authn.TOTP.AccountLockoutManager / AccountLockoutManager | | A lockout manager that, if defined, will enable the account lockout feature |
| shibboleth.authn.TOTP.ClassifiedMessageMap / Map<String,List<String>> | Built-in component | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them |
| shibboleth.authn.TOTP.Validator / CredentialValidator | Built-in component | Override of the core component that validates token codes |
| shibboleth.authn.DuoTOTP.UsernameLookupStrategy / Function<ProfileRequestContext,String> | CanonicalUsernameLookupStrategy | Optional bean to supply username |
| shibboleth.authn.TOTP.resultCachingPredicate / Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
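The SeedSource and Authenticator beans above separate resolving a subject's seed from validating the submitted code, and the Authenticator default is described as a Google library-based implementation. The following is an added example, not the plugin's own code, showing the RFC 6238 check such a validator performs: the seed is base32-decoded, codes from a small window of time steps are accepted to tolerate clock drift, and a counter that has already been consumed is refused so the same code cannot be replayed. The 30-second step, 6-digit length, HMAC-SHA1 and window of one step are assumed defaults, and the `used_counters` set stands in for whatever state a real deployment keeps.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Set

# Assumed parameters: the RFC 6238 defaults (30-second step, 6-digit codes,
# HMAC-SHA1), which are also the defaults of the Google library the plugin uses.
STEP_SECONDS = 30
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // step)


def decode_seed(seed_b32: str) -> bytes:
    """Seeds are normally stored base32-encoded (the Google library's convention)."""
    cleaned = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def validate_code(seed_b32: str, submitted: str, unix_time: int, window: int = 1,
                  used_counters: Optional[Set[int]] = None) -> Optional[int]:
    """Check a submitted code; return the matching counter, or None if it is invalid.

    Codes from +/- `window` steps around the current one are accepted to tolerate
    clock drift. A counter recorded in `used_counters` is refused so that the same
    code cannot be replayed within the window. The comparison is constant-time.
    """
    seed = decode_seed(seed_b32)
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if used_counters is not None and counter in used_counters:
            continue  # each counter value may be consumed only once
        if hmac.compare_digest(hotp(seed, counter), submitted):
            if used_counters is not None:
                used_counters.add(counter)
            return counter
    return None
```

The seed "12345678901234567890" and the codes for times 59, 1111111109 and 1234567890 are the SHA-1 test vectors from RFC 6238, truncated to six digits.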
To replace the internally defined flow descriptor bean, the following XML is required:

```xml
<util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean p:id="authn/TOTP" parent="shibboleth.AuthenticationFlow"
        p:order="%{idp.authn.TOTP.order:1000}"
        p:nonBrowserSupported="%{idp.authn.TOTP.nonBrowserSupported:true}"
        p:passiveAuthenticationSupported="%{idp.authn.TOTP.passiveAuthenticationSupported:true}"
        p:forcedAuthenticationSupported="%{idp.authn.TOTP.forcedAuthenticationSupported:true}"
        p:proxyRestrictionsEnforced="%{idp.authn.TOTP.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
        p:proxyScopingEnforced="%{idp.authn.TOTP.proxyScopingEnforced:false}"
        p:discoveryRequired="%{idp.authn.TOTP.discoveryRequired:false}"
        p:lifetime="%{idp.authn.TOTP.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
        p:inactivityTimeout="%{idp.authn.TOTP.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
        p:reuseCondition-ref="#{'%{idp.authn.TOTP.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
        p:activationCondition-ref="#{'%{idp.authn.TOTP.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
        p:subjectDecorator-ref="#{getObject('%{idp.authn.TOTP.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.TOTP.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
</util:list>
```

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.
...