The Shibboleth IdP V4 software will leave support on September 1, 2024.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Next »

Current File(s): conf/authn/x509-authn-config.xml, (edit-)webapp/WEB-INF/web.xml, (edit-)webapp/x509-prompt.jsp, authn/authn.properties (V4.1+)
Format: Native Spring, Properties (V4.1+)

Overview

The authn/X509 login flow leverages any surrounding mechanism you have available for TLS client certificate authentication, provided the standard servlet request attribute ("javax.servlet.request.X509Certificate") is populated. By default, this flow is configured without support for advanced authentication controls like passive or forced authentication since this is not generally possible with client certificate authentication.

The result of this flow is a Java Subject containing an X500Principal derived from the subject of the certificate, and the certificate is optionally added as a public credential of the Subject. Note that no actual "username" is produced; rather, a suitable post-login Subject Canonicalization flow must be enabled/configured to pull a suitable principal name out of the Subject.

This flow is implemented as a special case of the External flow that happens to use a supplied servlet to implement the External contract that supports extraction of the certificate from the request. Rather than customizing this flow, use the External flow directly to do more advanced things.

Note that if you have a web server that is configured to perform the certificate evaluation for you and populate a header or variable with the "username" to use based on the certificate, you almost certainly will want to use the RemoteUser flow instead. This flow pulls in the certificate as the primary result of the authentication and relies on downstream logic (often the x500 subject c14n flow) to get a username out of it.

Enabling Module (V4.1+)

For V4.1+, configuring and using this feature requires that you first enable the "idp.authn.X509" module if it isn't already enabled. Systems upgraded from older releases generally come pre-enabled due to the prior state of the configuration tree.

(Windows)
C:\opt\shibboleth-idp> bin\module.bat -t idp.authn.X509 || bin\module.bat -e idp.authn.X509
 
(Other)
$ bin/module.sh -t idp.authn.X509 || bin/module.sh -e idp.authn.X509

General Configuration

You can make the location dynamic via a bean of type Function<ProfileRequestContext,String> named shibboleth.authn.X509.externalAuthnPathStrategy

The shibboleth.authn.X509.ClassifiedMessageMap bean is a map of error messages to classified error conditions that isn't generally used with this handler because it usually won't return with any contextual details, but there is a default mapping supplied that signals fall-through to other login flows if no certificate is found or the certificate fails optional validation. This is done by remapping those specific error events into a "ReselectFlow" event.

The servlet that implements the authentication for this flow is configured by webapp/WEB-INF/web.xml and can be given a "trustEngine" context parameter that identifies a Spring bean ID of an OpenSAML TrustEngine that should be used to validate the client certificate chain. The best spot to define such a bean is usually conf/global.xml, as it needs to be in the root Spring context for the servlet to access it. Of course, it's often simpler and more common to do this validation using the web server itself, although that's less flexible.

An example of a PKIX-based TrustEngine declaration follows. The bean ID would need to be supplied in web.xml as the "trustEngine" context paramater to the servlet.

global.xml
<bean id="my.X509AuthnTrustEngine" parent="shibboleth.StaticPKIXTrustEngine"
	p:certificates="%{idp.home}/credentials/rootca.pem"
	p:checkNames="false"
	p:verifyDepth="1" />

The servlet also supports a boolean parameter, "saveCertificateToCredentialSet", which can be set to false to prevent the preservation of the certificate in the resulting credentials to save space if it won't be used.

As always, if editing web.xml, make sure to copy it to edit-webapp/WEB-INF first and make any changes to that copy.

Reference

Notes

Note that this flow is configured by default without support for non-browser profiles (namely ECP) because the X509Internal flow is a better choice when a browser isn't required. It eliminates the extra redirects (and the optional HTML UI) used by this flow.

  • No labels