...

Properties

The general properties configuring this flow via authn/authn.properties are:

Name / Default / Description

idp.authn.IPAddress.order
    Default: 1000
    Flow priority relative to other enabled login flows (lower is "higher" in priority)

idp.authn.IPAddress.nonBrowserSupported
    Default: true
    Whether the flow should handle non-browser request profiles (e.g., ECP)

idp.authn.IPAddress.passiveAuthenticationSupported
    Default: true
    Whether the flow allows for passive authentication

idp.authn.IPAddress.forcedAuthenticationSupported
    Default: false
    Whether the flow supports forced authentication

idp.authn.IPAddress.proxyRestrictionsEnforced
    Default: %{idp.authn.enforceProxyRestrictions:true}
    Whether the flow enforces upstream IdP-imposed restrictions on proxying

idp.authn.IPAddress.proxyScopingEnforced
    Default: false
    Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying

idp.authn.IPAddress.discoveryRequired
    Default: false
    Whether to invoke IdP-discovery prior to running the flow

idp.authn.IPAddress.lifetime
    Default: %{idp.authn.defaultLifetime:PT60S}
    Lifetime of results produced by this flow

idp.authn.IPAddress.inactivityTimeout
    Default: %{idp.authn.defaultTimeout:PT60S}
    Inactivity timeout of results produced by this flow

idp.authn.IPAddress.lifetimeStrategy (5.2)
    Default: Function returning null
    Bean ID of Function<ProfileRequestContext,Duration> overriding a specific result's lifetime

idp.authn.IPAddress.inactivityTimeoutStrategy (5.2)
    Default: Function returning null
    Bean ID of Function<ProfileRequestContext,Duration> overriding a specific result's inactivity timeout

idp.authn.IPAddress.reuseCondition
    Default: shibboleth.Conditions.TRUE
    Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO

idp.authn.IPAddress.activationCondition
    Default: shibboleth.Conditions.TRUE
    Bean ID of Predicate<ProfileRequestContext> determining whether the flow is usable for a request

idp.authn.IPAddress.subjectDecorator
    Default: (none)
    Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization

idp.authn.IPAddress.supportedPrincipals
    Default: (see below)
    Comma-delimited list of protocol-specific Principal strings associated with the flow

idp.authn.IPAddress.addDefaultPrincipals
    Default: true
    Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

idp.authn.IPAddress.c14n.flows (5.2)
    Default: (none)
    Comma-delimited list of c14n methods (beans) to run after use of this login flow

As a non-password based flow, the supportedPrincipals property defaults to the following XML:

Code Block
languagexml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
</list>

In property form, this is expressed as:

Code Block
idp.authn.IPAddress.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol

SAML 1 does not define an AuthenticationMethod constant for this kind of authentication, so only a SAML 2 AuthnContextClassRef is applied. An "unspecified" method constant will be used with SAML 1 unless otherwise configured.

Flow Descriptor XML

To replace the internally defined flow descriptor bean, the following XML is required:

Code Block
<util:list id="shibboleth.AvailableAuthenticationFlows">
 
    <bean p:id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
            p:order="%{idp.authn.IPAddress.order:1000}"
            p:nonBrowserSupported="%{idp.authn.IPAddress.nonBrowserSupported:true}"
            p:passiveAuthenticationSupported="%{idp.authn.IPAddress.passiveAuthenticationSupported:true}"
            p:forcedAuthenticationSupported="%{idp.authn.IPAddress.forcedAuthenticationSupported:false}"
            p:proxyRestrictionsEnforced="%{idp.authn.IPAddress.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
            p:proxyScopingEnforced="%{idp.authn.IPAddress.proxyScopingEnforced:false}"
            p:discoveryRequired="%{idp.authn.IPAddress.discoveryRequired:false}"
            p:lifetime="%{idp.authn.IPAddress.lifetime:PT60S}"
            p:inactivityTimeout="%{idp.authn.IPAddress.inactivityTimeout:PT60S}"
            p:reuseCondition-ref="#{'%{idp.authn.IPAddress.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:activationCondition-ref="#{'%{idp.authn.IPAddress.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
            p:resultLifetimeLookupStrategy-ref="#{'%{idp.authn.IPAddress.lifetimeStrategy:NullDurationLookupStrategy}'.trim()}"
            p:resultTimeoutLookupStrategy-ref="#{'%{idp.authn.IPAddress.inactivityTimeoutStrategy:NullDurationLookupStrategy}'.trim()}"
            p:subjectDecorator="#{getObject('%{idp.authn.IPAddress.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.IPAddress.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V5, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.
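As an added worked example (not code from the Shibboleth project or from this page), the following Python script models how the settings in the properties table and the descriptor XML above combine into an effective flow configuration. It reads a constructed authn/authn.properties fragment (the values in it are made up for the example), expands each %{name:default} placeholder from the descriptor XML, including the nested proxyRestrictionsEnforced fallback to idp.authn.enforceProxyRestrictions, and parses the property form of supportedPrincipals into (protocol, principal) pairs, falling back to the documented InternetProtocol default when the property is unset. The SpEL #{'...'.trim()} wrappers are not modeled, and the literal defaults are the ones in the XML (PT60S rather than the idp.authn.defaultLifetime indirection the table shows).

```python
from typing import Dict, List, Tuple

# Constructed authn/authn.properties fragment for this example (not a real deployment).
SAMPLE_PROPERTIES = """
# constructed sample settings for the IPAddress login flow
idp.authn.IPAddress.order = 500
idp.authn.IPAddress.lifetime = PT10M
idp.authn.enforceProxyRestrictions = false
idp.authn.IPAddress.supportedPrincipals = \\
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \\
    saml1/urn:oasis:names:tc:SAML:1.0:am:unspecified
"""

# Placeholders taken from the flow descriptor XML on this page. The SpEL
# #{'...'.trim()} wrappers are not modeled; only %{name:default} expansion is.
DESCRIPTOR_PLACEHOLDERS: Dict[str, str] = {
    "order": "%{idp.authn.IPAddress.order:1000}",
    "nonBrowserSupported": "%{idp.authn.IPAddress.nonBrowserSupported:true}",
    "forcedAuthenticationSupported": "%{idp.authn.IPAddress.forcedAuthenticationSupported:false}",
    "proxyRestrictionsEnforced":
        "%{idp.authn.IPAddress.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}",
    "lifetime": "%{idp.authn.IPAddress.lifetime:PT60S}",
    "inactivityTimeout": "%{idp.authn.IPAddress.inactivityTimeout:PT60S}",
    "reuseCondition": "%{idp.authn.IPAddress.reuseCondition:shibboleth.Conditions.TRUE}",
    "supportedPrincipals": "%{idp.authn.IPAddress.supportedPrincipals:}",
}

# Property form of the default supportedPrincipals list documented on this page.
DEFAULT_SUPPORTED_PRINCIPALS = "saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#' comments, key = value, backslash continuations."""
    props: Dict[str, str] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        # A trailing backslash joins the next line, with that line's leading whitespace dropped.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(expr: str, props: Dict[str, str]) -> str:
    """Expand every %{name:default} in expr; defaults may themselves contain placeholders."""
    out: List[str] = []
    i = 0
    while i < len(expr):
        if not expr.startswith("%{", i):
            out.append(expr[i])
            i += 1
            continue
        depth, j = 1, i + 2
        while j < len(expr) and depth:  # scan to the matching close brace
            if expr.startswith("%{", j):
                depth, j = depth + 1, j + 2
            else:
                depth, j = depth - (expr[j] == "}"), j + 1
        if depth:
            raise ValueError(f"unbalanced placeholder in {expr!r}")
        name, sep, default = expr[i + 2:j - 1].partition(":")
        if name in props:
            out.append(props[name])
        elif sep:
            out.append(resolve(default, props))  # nested default, e.g. enforceProxyRestrictions
        else:
            raise KeyError(f"no value and no default for {name}")
        i = j
    return "".join(out)


def effective_descriptor(props: Dict[str, str]) -> Dict[str, str]:
    """Resolve each descriptor attribute against the properties, as the placeholders would be at startup."""
    return {attr: resolve(expr, props) for attr, expr in DESCRIPTOR_PLACEHOLDERS.items()}


def parse_supported_principals(value: str) -> List[Tuple[str, str]]:
    """Split 'saml2/urn:..., saml1/urn:...' into (protocol, principal) pairs."""
    pairs: List[Tuple[str, str]] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        protocol, sep, principal = entry.partition("/")
        if not sep or not protocol or not principal:
            raise ValueError(f"expected protocol/value, got {entry!r}")
        pairs.append((protocol, principal))
    return pairs


def supported_principals(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Configured property value if set, otherwise the documented non-password default."""
    value = resolve(DESCRIPTOR_PLACEHOLDERS["supportedPrincipals"], props)
    return parse_supported_principals(value or DEFAULT_SUPPORTED_PRINCIPALS)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for attr, value in effective_descriptor(props).items():
        print(f"{attr:32} = {value}")
    for protocol, principal in supported_principals(props):
        print(f"principal: {protocol} -> {principal}")
```

Running the script shows the nested fallback in action: with idp.authn.IPAddress.proxyRestrictionsEnforced unset, the value comes from idp.authn.enforceProxyRestrictions, so the constructed sample yields false rather than the literal true, while inactivityTimeout stays at the descriptor's PT60S default because the sample only overrides lifetime.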

...