Versions Compared

Version Old Version 14 New Version Current
Changes made by

Scott Cantor

Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleProperties

The flow-specific properties usable via authn/authn.properties are:

Name

Default

Description

idp.authn.External.externalAuthnPath

contextRelative:external.jsp

Spring Web Flow redirection expression for the protected resource

idp.authn.External.matchExpression

Regular expression to match username against

The general properties configuring this flow via authn/authn.properties are:

Name

Default

Description

idp.authn.External.order

1000

Flow priority relative to other enabled login flows (lower is "higher" in priority)

idp.authn.External.nonBrowserSupported

false

Whether the flow should handle non-browser request profiles (e.g., ECP)

idp.authn.External.passiveAuthenticationSupported

false

Whether the flow allows for passive authentication

idp.authn.External.forcedAuthenticationSupported

false

Whether the flow supports forced authentication

idp.authn.External.proxyRestrictionsEnforced

%{idp.authn.enforceProxyRestrictions:true}

Whether the flow enforces upstream IdP-imposed restrictions on proxying

idp.authn.External.proxyScopingEnforced

false

Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying

idp.authn.External.discoveryRequired

false

Whether to invoke IdP-discovery prior to running flow

idp.authn.External.lifetime

%{idp.authn.defaultLifetime:PT1H}

Lifetime of results produced by this flow

idp.authn.External.inactivityTimeout

%{idp.authn.defaultTimeout:PT30M}

Inactivity timeout of results produced by this flow

idp.authn.External.lifetimeStrategy 5.2

Function returning null

Bean ID of Function<ProfileRequestContext,Duration> overriding a specific result’s lifetime

idp.authn.External.inactivityTimeoutStrategy 5.2

Function returning null

Bean ID of Function<ProfileRequestContext,Duration> overriding a specific result’s inactivity timeout

idp.authn.External.reuseCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO

idp.authn.External.activationCondition

shibboleth.Conditions.TRUE

Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request

idp.authn.External.subjectDecorator


Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization

idp.authn.External.supportedPrincipals

(see below)

Comma-delimited list of protocol-specific Principal strings associated with flow

idp.authn.External.addDefaultPrincipals

true

Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

idp.authn.External.c14n.flows 5.2

Comma-delimited list of c14n methods (beans) to run after use of this login flow

Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals property defaults to the following XML:

Code Block
languagexml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>

In property form, this is expressed as (note especially the trailing commas, which MUST be there):

Code Block
idp.authn.External.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password
Expand
titleFlow Descriptor XML

To replace the internally defined flow descriptor bean, the following XML is required:

Code Block
languagexml
<util:list id="shibboleth.AvailableAuthenticationFlows">
 
    <bean p:id="authn/External" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.External.order:1000}"
            p:nonBrowserSupported="%{idp.authn.External.nonBrowserSupported:false}"
            p:passiveAuthenticationSupported="%{idp.authn.External.passiveAuthenticationSupported:false}"
            p:forcedAuthenticationSupported="%{idp.authn.External.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.External.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.External.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.External.discoveryRequired:false}"
            p:lifetime="%{idp.authn.External.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
            p:inactivityTimeout="%{idp.authn.External.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
            p:reuseCondition-ref="#{'%{idp.authn.External.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.External.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:resultLifetimeLookupStrategy-ref="#{'%{idp.authn.External.lifetimeStrategy:NullDurationLookupStrategy}'.trim()}"
            p:resultTimeoutLookupStrategy-ref="#{'%{idp.authn.External.inactivityTimeoutStrategy:NullDurationLookupStrategy}'.trim()}"
            p:subjectDecorator="#{getObject('%{idp.authn.External.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.External.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V5, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

...