...
If the flow believes it has done this successfully, it records that fact so that if it runs again it simply skips these steps. If it detects a failure, it leaves any remaining work undone and redisplays the form; the log should usually indicate what did not work. This is not meant as a fancy GUI for remote use by someone without access to the server and its logs.
Older versions and upgraded systems (conf/admin/general-admin.xml)
To get this working, the flow has to be defined and enabled in conf/admin/general-admin.xml, and some Spring beans defined to describe to the flow what it needs to unlock.
Enable the Flow
The following is added to (or uncommented in) the shibboleth.AvailableAdminFlows list bean (the flow descriptor XML is shown under Reference below):
The last couple of settings are deployment-specific. This example presumes that the rule for accessing the flow is that the user must log in first, and that a map entry will be defined in conf/access-control.xml keyed under "AccessByAdminUser" that defines which usernames can access the flow. The access control features are described under AccessControlConfiguration. There is total flexibility here; it is up to you to define the rules. You can even set bean properties that typically are used in relying-party.xml like
V4.1+ (conf/admin/admin.properties)
To get this working, the module must be enabled (as mentioned above) and some Spring beans defined to describe to the flow what it needs to unlock.
Controlling Access to the Flow
There are properties in conf/admin/admin.properties that control the use of authentication and the access control rule applied to the flow. These are deployment-specific, but the defaults assume that the user must log in first and then grant no access at all (the default policy is AccessDenied, so the flow fails closed until you choose a policy). The idp.unlock-keys.accessPolicy property can be set to "AccessByAdminUser" and a map entry defined in conf/access-control.xml keyed under "AccessByAdminUser" that defines which usernames can access the flow. These access control features are described under AccessControlConfiguration. You can even set bean properties that typically are used in relying-party.xml like
If you want to customize this flow via XML or wish to apply settings not supported by properties, you can override the flow descriptor by creating your own bean (see the Flow Descriptor example in the Reference below). With this in place, you can add other properties to the bean (such as
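As an added example (not code from the original page, nor the Shibboleth project's shipped configuration), the conf/access-control.xml map entry the text refers to can be written as below. It assumes the shibboleth.PredicateAccessControl and shibboleth.Conditions.SubjectName parent beans of IdP 4 and uses the hypothetical administrator username "jdoe":

```xml
<!-- conf/access-control.xml: added example, not the project's shipped file.
     Only the listed authenticated principal names may run the flow; any
     other subject, or a request with no authenticated subject at all,
     is denied, so the policy fails closed. -->
<util:map id="shibboleth.AccessControlPolicies">

    <!-- Policy name referenced from idp.unlock-keys.accessPolicy. -->
    <entry key="AccessByAdminUser">
        <bean id="AccessByAdminUser" parent="shibboleth.PredicateAccessControl">
            <constructor-arg>
                <!-- Matches the principal name of the user who logged in. -->
                <bean parent="shibboleth.Conditions.SubjectName">
                    <constructor-arg>
                        <list>
                            <!-- hypothetical admin account; list one <value> per admin -->
                            <value>jdoe</value>
                        </list>
                    </constructor-arg>
                </bean>
            </constructor-arg>
        </bean>
    </entry>

</util:map>
```

With that in place, set idp.unlock-keys.accessPolicy = AccessByAdminUser in conf/admin/admin.properties (the property name follows the flow descriptor XML under Reference below). Because the predicate compares against the authenticated user's principal name, this policy only makes sense while idp.unlock-keys.authenticated stays at its default of true; if you disable authentication for the flow there is no subject to match, so the predicate denies everyone and the flow stays locked. Prefer a name-based policy like this over a purely IP-based one for a flow that can unlock the IdP's private keys, since an address range admits anyone who can reach the server from inside it.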
Configuring the Flow
The system reserves the file conf/admin/unlock-keys.xml for defining the beans necessary for the flow to run.
...
The template also illustrates a useful idea: embedding an SSO push link that can be used at the end to verify that the unlocked IdP works correctly (though you would still have to look at the log to know for certain that the secret key is working).
Reference
The general properties configuring this flow via admin/admin.properties are the idp.unlock-keys.* properties referenced by the flow descriptor bean shown below, with the defaults given there:

| Property | Default | Purpose |
|---|---|---|
| idp.unlock-keys.logging | UnlockKeys | Logging ID used for the flow |
| idp.unlock-keys.accessPolicy | AccessDenied | Name of the policy in conf/access-control.xml applied to the flow |
| idp.unlock-keys.nonBrowserSupported | false | Whether non-browser clients may use the flow |
| idp.unlock-keys.authenticated | true | Whether the user must log in before the flow runs |
| idp.unlock-keys.resolveAttributes | false | Whether attributes are resolved for the authenticated user |
To replace the internally defined flow descriptor bean, the following XML is required:
```xml
<!-- Flow descriptor for the UnlockKeys admin flow; each setting falls back
     to the default after the colon unless overridden in admin.properties. -->
<util:list id="shibboleth.AvailableAdminFlows">
    <bean parent="shibboleth.OneTimeAdminFlow"
        c:id="http://shibboleth.net/ns/profiles/unlock-keys"
        p:loggingId="%{idp.unlock-keys.logging:UnlockKeys}"
        p:policyName="%{idp.unlock-keys.accessPolicy:AccessDenied}"
        p:nonBrowserSupported="%{idp.unlock-keys.nonBrowserSupported:false}"
        p:authenticated="%{idp.unlock-keys.authenticated:true}"
        p:resolveAttributes="%{idp.unlock-keys.resolveAttributes:false}" />
</util:list>
```
In older versions and upgraded systems, this list is defined in conf/admin/general-admin.xml. In V4.1+, no default version of the list is provided, and if you need to override the descriptor the list may simply be placed in conf/global.xml.
Example
In a typical example, the following assumes you want to unlock both the system-supplied secret keystore and the default signing key:
...