The Shibboleth IdP V4 software will leave support on September 1, 2024.


Current File(s): conf/authn/password-authn-config.xml, conf/authn/jaas-authn-config.xml (V4.0), conf/authn/authn.properties (V4.1+), conf/authn/jaas.config

Format: Native Spring, Properties, JAAS

Overview

The JAAS (Java Authentication and Authorization Service) is a desktop authentication mechanism in Java that has been commonly misappropriated as a server-side technology. A variety of "login module" plugins exist for different password-based technologies. Support is provided for using JAAS as a CredentialValidator for the password authentication login flow.

In V3, JAAS was the primary mechanism for supporting chains of back-end systems in combination with each other. V4 now supports this directly, though in some cases JAAS may still be simpler to configure and certainly remains supported.

A particular advantage of the V4 alternative approach is that the native Kerberos feature is more secure than the Java-supplied JAAS alternative, so deployments combining the JAAS Kerberos module with other back-ends should seriously consider migrating away from that approach.

General Configuration

JAAS Configuration

Simple JAAS Usage

JAAS has its own configuration format (see here). By default, the named application configuration used is called "ShibUserPassAuth". This can be changed using the shibboleth.authn.JAAS.LoginConfigNames bean (V4.0) or the idp.authn.JAAS.loginConfigNames property (V4.1+), or turned into a list of more than one configuration, with each one tried in series until one succeeds. This is equivalent to the JAAS keyword "sufficient".

Using separate configurations allows errors to be isolated per-module instead of masked by generic JAAS exceptions, but again, this is now a feature natively supported by the IdP independently of JAAS.

Advanced JAAS Usage

More advanced options exist to:

  • supply the JAAS configuration name(s) dynamically using a function

  • associate particular JAAS configuration(s) with a set of custom Principal objects to attach to the authentication result

For the former, a Function bean named shibboleth.authn.JAAS.LoginConfigStrategy is reserved. This allows the set of JAAS configurations to be supplied at runtime. The signature of this function is fairly complex:

Signature of shibboleth.authn.JAAS.LoginConfigStrategy Function
Function<ProfileRequestContext, Collection<Pair<String,Subject>>>

The result of the function is a collection of JAAS configuration names together with an optional collection of custom Principal objects (wrapped in a Java Subject) to inject into the Subject produced by the login flow. This allows the result to be tailored based on which JAAS configuration actually succeeds, a common need when combining methods.

If the information the function would return is static, a bean named shibboleth.authn.JAAS.LoginConfigurations can be defined.
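As an added illustration of the signature above (not code from the Shibboleth project or this page), the class below implements the strategy Function: it returns the JAAS configuration names to try, in order, each paired with a Subject holding the custom Principal to attach if that configuration is the one that succeeds. The configuration names "ShibKerberosAuth" and "ShibLdapAuth", the package name, and the bean registration shown in the comment are assumptions; the Pair, ProfileRequestContext and AuthnContextClassRefPrincipal classes are the IdP's own.

```java
// Added example, not from the Shibboleth wiki. Assumes "ShibKerberosAuth" and
// "ShibLdapAuth" are named configurations in conf/authn/jaas.config, and that
// this class is registered as
//   <bean id="shibboleth.authn.JAAS.LoginConfigStrategy" class="example.JaasLoginConfigStrategy"/>
// in conf/authn/password-authn-config.xml (V4.0) or conf/global.xml (V4.1+).
package example;  // hypothetical package

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.function.Function;
import javax.security.auth.Subject;

import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.utilities.java.support.collection.Pair;
import org.opensaml.profile.context.ProfileRequestContext;

public class JaasLoginConfigStrategy
        implements Function<ProfileRequestContext, Collection<Pair<String, Subject>>> {

    /** Wraps the custom Principal(s) to inject into a bare Subject, as the flow expects. */
    private static Subject principals(final String... classRefs) {
        final Subject subject = new Subject();
        for (final String ref : classRefs) {
            subject.getPrincipals().add(new AuthnContextClassRefPrincipal(ref));
        }
        return subject;
    }

    @Override
    public Collection<Pair<String, Subject>> apply(final ProfileRequestContext prc) {
        // prc is available for request-dependent decisions (e.g. per relying party);
        // this example returns a fixed ordering regardless of the request.
        final List<Pair<String, Subject>> configs = new ArrayList<>();
        // Tried first. If it succeeds, the result is tagged with the Kerberos class ref.
        configs.add(new Pair<>("ShibKerberosAuth",
                principals("urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos")));
        // Tried only if the first fails ("sufficient" semantics). Tagged as password over TLS.
        configs.add(new Pair<>("ShibLdapAuth",
                principals("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")));
        return configs;
    }
}
```

Because each name carries its own Subject, a relying party that requires the Kerberos context class cannot be satisfied by a session that actually authenticated via the LDAP fallback.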

Reference
