...
(Windows)

```bat
C:\opt\shibboleth-idp> bin\module.bat -t idp.authn.X509 || bin\module.bat -e idp.authn.X509
```

(Other)

```sh
$ bin/module.sh -t idp.authn.X509 || bin/module.sh -e idp.authn.X509
```
General Configuration
In older versions, use conf/authn/x509-authn-config.xml to configure this flow. The shibboleth.authn.X509.externalAuthnPath bean is the flow redirection path, either to a JSP page that explicitly prompts the user for certificate authentication (and can carry other messaging to the user), or directly to the authentication servlet at /Authn/X509, skipping the UI. These are context-relative locations, and you can use any JSP page you choose. The path can be changed if needed, but in most cases pointing it at anything other than one of those two choices means the External login flow is likely the better choice.

In V4.1+, most of the usual options are available via authn/authn.properties, and some more advanced cases will require defining or adjusting bean definitions in authn/x509-authn-config.xml. The idp.authn.X509.externalAuthnPath property takes over the role of the bean above and accepts the same two kinds of value: a JSP page that prompts for certificate authentication, or the authentication servlet at /Authn/X509. The same guidance applies: anything other than those two choices usually means the External flow is a better fit.
...
As always, if editing web.xml, make sure to copy it to edit-webapp/WEB-INF first and make any changes to that copy.
Reference
The beans defined, or expected to be defined, in authn/x509-authn-config.xml follow. In older versions:

| Bean ID / Type | Default | Description |
|---|---|---|
| shibboleth.authn.X509.externalAuthnPath (String) | contextRelative:x509-prompt.jsp | Spring Web Flow redirection expression for the protected resource |
| shibboleth.authn.X509.externalAuthnPathStrategy (Function<ProfileRequestContext,String>) | A constant function returning the bean value above. | A function that returns the redirection expression to use for the protected resource |
| shibboleth.authn.X509.ClassifiedMessageMap (Map<String,List<String>>) | (see file) | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. |
| shibboleth.authn.X509.resultCachingPredicate (Predicate<ProfileRequestContext>) | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
| shibboleth.authn.X509.addDefaultPrincipals (Boolean) | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject |
In V4.1+, the redirection path and the default-principals switch are set in authn/authn.properties instead, and the beans defined, or expected to be defined, in authn/x509-authn-config.xml are:

| Bean ID / Type | Default | Description |
|---|---|---|
| shibboleth.authn.X509.externalAuthnPathStrategy (Function<ProfileRequestContext,String>) | A constant function returning the property value. | A function that returns the redirection expression to use for the protected resource |
| shibboleth.authn.X509.ClassifiedMessageMap (Map<String,List<String>>) | (see file) | A map between defined error/warning conditions and events and implementation-specific message fragments to map to them. |
| shibboleth.authn.X509.resultCachingPredicate (Predicate<ProfileRequestContext>) | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
The flow-specific properties usable via authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.X509.externalAuthnPath | contextRelative:x509-prompt.jsp | Spring Web Flow redirection expression for the protected resource |

The general properties configuring this flow via authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.X509.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) |
| idp.authn.X509.nonBrowserSupported | false | Whether the flow should handle non-browser request profiles (e.g., ECP) |
| idp.authn.X509.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication |
| idp.authn.X509.forcedAuthenticationSupported | false | Whether the flow supports forced authentication |
| idp.authn.X509.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying |
| idp.authn.X509.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying |
| idp.authn.X509.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow |
| idp.authn.X509.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow |
| idp.authn.X509.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow |
| idp.authn.X509.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO |
| idp.authn.X509.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request |
| idp.authn.X509.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization |
| idp.authn.X509.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow |
| idp.authn.X509.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |
As a non-password based flow, the supportedPrincipals property defaults to the following XML:

```xml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:ietf:rfc:2246" />
</list>
```
In property form, this is expressed as (note the trailing commas):

```properties
idp.authn.X509.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
    saml1/urn:ietf:rfc:2246
```
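To show that the property form and the XML form above describe the same list, here is an added Python example (not Shibboleth's own code) that reads the property with Java-style line continuation and maps each saml2/ or saml1/ entry back to the bean parent and attribute of the XML form. It assumes the java.util.Properties continuation rule (trailing backslash, leading whitespace of the next line dropped) and approximates shibboleth.CommaDelimStringArray as "split on comma, trim, drop empties".

```python
# Added example (not Shibboleth's own code): reads the property form of
# idp.authn.X509.supportedPrincipals shown above and maps each entry back to the
# bean parent/attribute of the XML form.  Assumes java.util.Properties line
# continuation (trailing backslash, leading whitespace of the next line dropped).

# Constructed input: the property form exactly as given on this page.
PROPERTY_TEXT = """\
idp.authn.X509.supportedPrincipals = \\
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \\
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \\
    saml1/urn:ietf:rfc:2246
"""

# Prefix -> (bean parent, constructor attribute), as in the page's XML block.
PREFIX_TO_BEAN = {
    "saml2": ("shibboleth.SAML2AuthnContextClassRef", "classRef"),
    "saml1": ("shibboleth.SAML1AuthenticationMethod", "method"),
}

def read_properties(text):
    """Minimal properties reader: join backslash-continued lines and split on
    the first '=' (enough for this page; full Java escaping is not handled)."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip() if logical else raw   # continuation: drop indent
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        if logical.strip() and not logical.lstrip().startswith("#"):
            key, _, value = logical.partition("=")
            props[key.strip()] = value.strip()
        logical = ""
    return props

def parse_supported_principals(value):
    """Approximate shibboleth.CommaDelimStringArray (split on ',', trim, drop
    empties, so trailing commas are harmless), then map 'proto/URI' to bean form."""
    principals = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        proto, sep, uri = item.partition("/")
        if not sep or proto not in PREFIX_TO_BEAN:
            raise ValueError(f"unrecognised principal entry: {item!r}")  # fail closed
        parent, attr = PREFIX_TO_BEAN[proto]
        principals.append({"parent": parent, attr: uri})
    return principals

def principals_from_properties(text=PROPERTY_TEXT):
    return parse_supported_principals(read_properties(text)["idp.authn.X509.supportedPrincipals"])
```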
Flow Descriptor XML (V4.1+)

To replace the internally defined flow descriptor bean, the following XML is required:

```xml
<util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean p:id="authn/X509" parent="shibboleth.AuthenticationFlow"
        p:order="%{idp.authn.X509.order:1000}"
        p:nonBrowserSupported="%{idp.authn.X509.nonBrowserSupported:false}"
        p:passiveAuthenticationSupported="%{idp.authn.X509.passiveAuthenticationSupported:false}"
        p:forcedAuthenticationSupported="%{idp.authn.X509.forcedAuthenticationSupported:false}"
        p:proxyRestrictionsEnforced="%{idp.authn.X509.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
        p:proxyScopingEnforced="%{idp.authn.X509.proxyScopingEnforced:false}"
        p:discoveryRequired="%{idp.authn.X509.discoveryRequired:false}"
        p:lifetime="%{idp.authn.X509.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
        p:inactivityTimeout="%{idp.authn.X509.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
        p:reuseCondition-ref="#{'%{idp.authn.X509.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
        p:activationCondition-ref="#{'%{idp.authn.X509.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
        p:subjectDecorator-ref="#{getObject('%{idp.authn.X509.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.X509.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
</util:list>
```
In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.
...