The Shibboleth IdP V4 software will leave support on September 1, 2024.


Current File(s): conf/authn/ipaddress-authn-config.xml, conf/authn/authn.properties (V4.1+)
Format: Native Spring, Properties (V4.1+)

Overview

The authn/IPAddress login flow applies the user agent's address to a mapping of address range(s) to username(s) as a form of pseudo-authentication. This isn't the same as authorizing access to something by address, because a real user identity is produced as a result.

This flow is implemented as a "fall-through" so that under normal error conditions (no address available, no valid mapping), it passes control back to select another flow to run, so it can easily be combined with other methods. Of course, as shipped, the IdP will communicate that the form of authentication done was not based on a password.

Enabling Module (V4.1+)

For V4.1+, configuring and using this feature requires that you first enable the "idp.authn.IPAddress" module if it isn't already enabled. Systems upgraded from older releases generally come pre-enabled due to the prior state of the configuration tree.

(Windows)
C:\opt\shibboleth-idp> bin\module.bat -t idp.authn.IPAddress || bin\module.bat -e idp.authn.IPAddress
 
(Other)
$ bin/module.sh -t idp.authn.IPAddress || bin/module.sh -e idp.authn.IPAddress

General Configuration

Use conf/authn/ipaddress-authn-config.xml to configure this flow.

The shibboleth.authn.IPAddress.Mappings bean is the map between usernames and lists of CIDR address ranges. An IP CIDR Calculator may help in calculating the CIDR notation for an IP range. Note that an empty map, which is the default, essentially makes this flow non-operable in practice.

The following example maps only the IPv4 and IPv6 localhost addresses to the name "jdoe":

    <util:map id="shibboleth.authn.IPAddress.Mappings">
        <entry key="jdoe">
            <list>
                <value>127.0.0.1/32</value>
                <value>::1/128</value>
            </list>
        </entry>
    </util:map>

The shibboleth.authn.IPAddress.Transforms bean allows for address transformations before comparing them to the address ranges, essentially a kind of on-the-fly address translation. A transform is a Pair object containing a regular expression and a replacement expression.
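The following is an added illustration, not Shibboleth code, of how the two beans above combine: a username/CIDR map in the shape of shibboleth.authn.IPAddress.Mappings, a list of (regular expression, replacement) pairs in the shape of shibboleth.authn.IPAddress.Transforms, and a lookup that returns a username or falls through (returns None) when no address is available, the address is malformed, or nothing matches. The mapping entries, the transform, and the sample addresses are all constructed for the example; the IPv4-mapped IPv6 transform shows why a transform can be needed, since an address such as ::ffff:192.0.2.10 does not fall inside an IPv4 range until the prefix is stripped.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed mapping in the shape of the shibboleth.authn.IPAddress.Mappings bean:
# username -> list of CIDR ranges. 192.0.2.0/24 is an RFC 5737 documentation range.
MAPPINGS: Dict[str, List[str]] = {
    "jdoe": ["127.0.0.1/32", "::1/128"],
    "kiosk": ["192.0.2.0/24"],
}

# Constructed transforms in the shape of the shibboleth.authn.IPAddress.Transforms bean:
# (regular expression, replacement) pairs applied in order before range matching.
# This one turns an IPv4-mapped IPv6 address ("::ffff:a.b.c.d") into plain "a.b.c.d".
TRANSFORMS: List[Tuple[str, str]] = [
    (r"^::ffff:(\d+\.\d+\.\d+\.\d+)$", r"\1"),
]


def apply_transforms(address: str, transforms: List[Tuple[str, str]]) -> str:
    """Rewrite the address with each (pattern, replacement) pair in order."""
    for pattern, replacement in transforms:
        address = re.sub(pattern, replacement, address)
    return address


def lookup_username(
    address: Optional[str],
    mappings: Dict[str, List[str]] = MAPPINGS,
    transforms: List[Tuple[str, str]] = TRANSFORMS,
) -> Optional[str]:
    """Return the username whose range contains the address, or None to fall through.

    None models the flow handing control back so another login flow can run:
    no address, an unparseable address, and an unmatched address all fall through.
    The first matching entry wins; overlapping ranges are therefore order-dependent
    in this model (a simplification, not a statement about the IdP's own behaviour).
    """
    if not address:
        return None
    try:
        candidate = ipaddress.ip_address(apply_transforms(address, transforms))
    except ValueError:
        return None
    for username, ranges in mappings.items():
        for cidr in ranges:
            # An IPv6 address is never "in" an IPv4 network (and vice versa),
            # which is exactly what the transform above works around.
            if candidate in ipaddress.ip_network(cidr, strict=False):
                return username
    return None


if __name__ == "__main__":
    for sample in ["127.0.0.1", "::1", "192.0.2.10", "::ffff:192.0.2.10", "198.51.100.7", ""]:
        print(f"{sample!r:>22} -> {lookup_username(sample)}")
```

Running the block prints the username for the localhost and 192.0.2.0/24 samples and None for the unmatched and empty ones; passing an empty transform list for ::ffff:192.0.2.10 shows the match disappearing, which is the case the Transforms bean exists to handle.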

Reference
