Current File(s): conf/authn/ipaddress-authn-config.xml
Format: Native Spring
Legacy V2 File(s): conf/handler.xml
Table of Contents |
---|
Overview
The authn/IPAddress login flow applies the user agent's address to a mapping of address range(s) to username(s) as a form of pseudo-authentication. This isn't the same as authorizing access to something by address, because a real user identity is produced as a result.
This flow is implemented as a "fall-through" so that under normal error conditions (no address available, no valid mapping), it passes control back to select another flow to run, so it can easily be combined with other methods. Of course, as shipped, the IdP will communicate that the form of authentication done was not based on a password.
General Configuration
Use conf/authn/ipaddress-authn-config.xml to configure this flow.
TheĀ shibboleth.authn.IPAddress.Mappings bean is the map between usernames and lists of CIDR address ranges. An IP CIDR Calculator may help in calculating the CIDR notation for an IP range. Note that en empty map, which is the default, essentially makes this flow non-operable in practice.
The following example maps only the IPv4 and IPv6 localhost addresses to the name "jdoe":
Code Block |
---|
<util:map id="shibboleth.authn.IPAddress.Mappings"> <entry key="jdoe"> <list> <value>127.0.0.1/32</value> <value>::1/128</value> </list> </entry> </util:map> |
The shibboleth.authn.IPAddress.Transforms bean allows for address transformations before comparing them to the address ranges, essentially a kind of on-the-fly address translation. A transform is a Pair object containing a regular expression and a replacement expression.
Reference
Beans
The beans defined in authn/ipaddress-authn-config.xml follow:
Bean ID | Type | Default | Function |
---|---|---|---|
shibboleth.authn.IPAddress.Mappings | Map<String,List<IPRange>> | Empty Map | The entry values are a list of CIDR address range strings to map to the username in the entry key |
shibboleth.authn.IPAddress.Transforms | List<Pair<String,String>> | Pairs of regular expressions and replacement expressions to apply to the username | |
shibboleth.authn.IPAddress.resultCachingPredicate | Predicate<ProfileRequestContext> | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session | |
shibboleth.authn.IPAddress.addDefaultPrincipals 3.2 | Boolean | true | Whether to add the content of theĀ supportedPrincipals property of the underlying flow descriptor to the resulting Subject |
V2 Compatibility
The authn/IPAddress login flow is the replacement for the 2.x IPAddress login handler. Configuration of address range mappings in handler.xml need to be ported into conf/authn/ipaddress-authn-config.xml.
Note that SAML 1 does not define an AuthenticationMethod constant for this kind of authentication, so only a SAML 2 AuthnContextClassRef is defined in conf/authn/general-authn.xml. An "unspecified" method constant will be used with SAML 1 unless configured otherwise.
Notes
TBD