The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Current File(s): conf/authn/jaas-authn-config.xml, conf/authn/jaas.config

Format: Native Spring, JAAS

Legacy V2 File(s): conf/handler.xml, conf/login.config


The JAAS (Java Authentication and Authorization Service) is a desktop authentication mechanism in Java that has been commonly misappropriated as a server-side technology. A variety of "login module" plugins exist for different password-based technologies. Support is provided for using JAAS as a back-end for the password authentication login flow.

General Configuration

Configuring JAAS as a back-end requires that the right import is active in authn/password-authn-config.xml:

Import in authn/password-authn-config.xml
<import resource="jaas-authn-config.xml" />

The other imports must be commented or removed.

A few beans are defined in authn/jaas-authn-config.xml to configure this back-end by identifying the JAAS configuration file and JAAS application name(s) to use.

A bean alias is also defined that instantiates the JAAS back-end action as the "ValidateUsernamePassword" step of the web flow. This must not be changed.

JAAS Configuration

JAAS has its own configuration format (see here). By default, the configuration used is called "ShibUserPassAuth". This can be changed using the shibboleth.authn.JAAS.LoginConfigNames, or turned into a list of more than one configuration, with each one tried in series until a success. This is equivalent to the JAAS keyword "sufficient". Using separate configurations allows errors to be isolated per-module instead of masked by generic JAAS exceptions.

Advanced JAAS Usage

As of V3.3, an advanced option exists, a Function bean called shibboleth.authn.JAAS.LoginConfigStrategy. This allows the set of JAAS configurations to be supplied at runtime. The signature of this function is fairly complex:

Signature of shibboleth.authn.JAAS.LoginConfigStrategy Function
Function<ProfileRequestContext, Collection<Pair<String,Collection<Principal>>>>

The result of the function is a collection of JAAS configuration names together with an optional collection of custom Principals to inject into the resulting Subject. This allows the result to be tailored based on which JAAS configuration actually succeeds, a common need when combining methods. Typically the function's job will be to test the acceptability of the various JAAS options against the incoming request to decide which ones should be tried.

When using this approach, the surrounding flow generally should carry all of the possible Principal types in its supportedPrincipals property and the automatic injection of all those Principals turned off by defining a bean like so:

<util:constant id="shibboleth.authn.Password.addDefaultPrincipals" static-field="java.lang.Boolean.FALSE" />



The beans defined in authn/jaas-authn-config.xml follow:

Bean ID
JAASConfigString%{idp.home}/conf/authn/jaas.configDefines a Spring Resource containing the JAAS config. Normally this just points to a file in the filesystem the URI object containing the JAAS configuration
shibboleth.authn.JAAS.LoginConfigNames       java,util.List<String>[ "ShibUserPassAuth" ]List of JAAS application configuration names to use
shibboleth.authn.JAAS.LoginConfigStrategy3.3Function For advanced use, you can inject a function to supply at runtime the collection of JAAS application configuration names to use, together with a mapping to any custom Principals to add into the result.

V2 Compatibility

JAAS configuration is independent of the IdP and is therefore identical with the use of JAAS in the V2 UsernamePassword handler. By default this configuration is placed in authn/jaas.config and the legacy-matching "ShibUserPassAuth" login configuration name is used (though this can be changed).

Unlike V2, the JAAS configuration is not placed into a global system property that would apply to the container as a whole; it is private to the IdP application.



  • No labels