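<!--
    Duo integration for local use: it advertises only the locally defined MFA class.

    The API host and the three keys are resolved from IdP properties. The application and secret
    keys are credentials, so the properties file that defines them should be readable only by the
    IdP service account and kept out of version control and support bundles.

    The implementation is named with the standard Spring "class" attribute.
    NOTE(review): confirm the class name against the IdP release in use.
-->
<bean id="DuoLocal" class="net.shibboleth.idp.authn.duo.BasicDuoIntegration"
        p:APIHost="%{idp.duo.apiHost}"
        p:applicationKey="%{idp.duo.applicationKey}"
        p:integrationKey="%{idp.duo.integrationKey}"
        p:secretKey="%{idp.duo.secretKey}">
    <!--
        Principals this integration can satisfy, given once per SAML version.
        NOTE(review): the example.org URI looks like a placeholder for the deployer's own
        MFA class identifier; confirm before use.
    -->
    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="http://example.org/ac/classes/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="http://example.org/ac/classes/mfa" />
        </list>
    </property>
</bean>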
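<!--
    Duo integration that supports either local or REFEDS use: it advertises the locally defined
    MFA class and the REFEDS MFA profile.

    It reads its own set of ".refeds" properties, so it can point at a different Duo integration
    from the local one. The application and secret keys are credentials, so the properties file
    that defines them should be readable only by the IdP service account and kept out of version
    control.

    NOTE(review): listing https://refeds.org/profile/mfa here means the IdP will assert that
    profile to relying parties after this integration succeeds. Confirm that the Duo-side policy
    behind these keys meets the profile's requirements.

    The implementation is named with the standard Spring "class" attribute.
    NOTE(review): confirm the class name against the IdP release in use.
-->
<bean id="DuoREFEDS" class="net.shibboleth.idp.authn.duo.BasicDuoIntegration"
        p:APIHost="%{idp.duo.apiHost.refeds}"
        p:applicationKey="%{idp.duo.applicationKey.refeds}"
        p:integrationKey="%{idp.duo.integrationKey.refeds}"
        p:secretKey="%{idp.duo.secretKey.refeds}">
    <!-- Principals this integration can satisfy, given once per SAML version. -->
    <property name="supportedPrincipals">
        <list>
            <!-- Local MFA class. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="http://example.org/ac/classes/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="http://example.org/ac/classes/mfa" />
            <!-- REFEDS MFA profile. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="https://refeds.org/profile/mfa" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="https://refeds.org/profile/mfa" />
        </list>
    </property>
</bean>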
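<!--
    Candidate integrations in the order they are tried. Order matters here: the most lenient
    integration comes first, so a request that either integration can satisfy is handled by the
    local one and only requests it cannot satisfy fall through to the REFEDS one.

    Each ref must match the id of an integration bean defined in this configuration (DuoLocal and
    DuoREFEDS); a ref that resolves to no bean prevents the Spring context from loading.
-->
<util:list id="DuoIntegrationList">
    <ref bean="DuoLocal" />
    <ref bean="DuoREFEDS" />
</util:list>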
<!--
    Strategy function that picks the Duo integration for the current request. It walks
    DuoIntegrationList (injected as the script's "custom" object) in list order and yields the
    first entry that the AuthenticationContext reports as acceptable.

    NOTE(review): when no entry is acceptable the script yields null. Confirm that the Duo flow
    treats a null integration as a failure and does not continue without the second factor.
-->
<bean id="shibboleth.authn.Duo.DuoIntegrationStrategy"
        parent="shibboleth.ContextFunctions.Scripted"
        factory-method="inlineScript"
        p:customObject-ref="DuoIntegrationList">
    <constructor-arg name="scriptSource">
        <value>
        <![CDATA[
            // "input" is the context the function is applied to; the AuthenticationContext
            // is looked up as its subcontext by class name.
            var authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");

            // First acceptable integration wins; list order decides between several matches.
            var selected = null;
            for (var it = custom.iterator(); selected == null && it.hasNext(); ) {
                var candidate = it.next();
                if (authCtx.isAcceptable(candidate)) {
                    selected = candidate;
                }
            }

            // The value of the final expression is the script's result (null if nothing matched).
            selected;
        ]]>
        </value>
    </constructor-arg>
</bean>