The following beans are defined, or expected to be defined in, authn/remoteuser-internal-authn-config.xml:

| Bean ID | Type | Default | Description |
|---|---|---|---|
| shibboleth.authn.RemoteUser.checkRemoteUser | Boolean | true | Whether to check REMOTE_USER for a username |
| shibboleth.authn.RemoteUser.checkAttributes | List<String> | | A list of servlet request attributes to check for a username |
| shibboleth.authn.RemoteUser.checkHeaders | List<String> | | A list of request headers to check for a username |
| shibboleth.authn.RemoteUser.Lowercase | Boolean | false | Whether to lowercase the username |
| shibboleth.authn.RemoteUser.Uppercase | Boolean | false | Whether to uppercase the username |
| shibboleth.authn.RemoteUser.Trim | Boolean | true | Whether to trim leading and trailing whitespace from the username |
| shibboleth.authn.RemoteUser.Transforms | List<Pair<String,String>> | | Pairs of regular expressions and replacement expressions to apply to the username |
| shibboleth.authn.RemoteUser.whitelistedUsernames | List<String> | | A list of usernames to accept (blocking all others) |
| shibboleth.authn.RemoteUser.blacklistedUsernames | List<String> | | A list of usernames to reject (accepting all others) |
| shibboleth.authn.RemoteUser.matchExpression | Pattern | | A regular expression that must match the username |
| shibboleth.authn.RemoteUser.resultCachingPredicate | Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
| shibboleth.authn.RemoteUser.addDefaultPrincipals | Boolean | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject |
The following beans are defined, or expected to be defined in, authn/remoteuser-internal-authn-config.xml:

| Bean ID | Type | Description |
|---|---|---|
| shibboleth.authn.RemoteUser.Transforms | List<Pair<String,String>> | Pairs of regular expressions and replacement expressions to apply to the username |
| shibboleth.authn.RemoteUser.resultCachingPredicate | Predicate<ProfileRequestContext> | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
The flow-specific properties usable via authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.RemoteUserInternal.checkRemoteUser | true | Whether to check REMOTE_USER for a username |
| idp.authn.RemoteUserInternal.checkAttributes | | Comma-delimited list of request attributes to check for a username |
| idp.authn.RemoteUserInternal.checkHeaders | | Comma-delimited list of request headers to check for a username |
| idp.authn.RemoteUserInternal.trim | true | Whether to trim leading and trailing whitespace from the username before validating it |
| idp.authn.RemoteUserInternal.lowercase | false | Whether to lowercase the username before validating it |
| idp.authn.RemoteUserInternal.uppercase | false | Whether to uppercase the username before validating it |
| idp.authn.RemoteUserInternal.matchExpression | | A regular expression that must match the username |
| idp.authn.RemoteUserInternal.allowedUsernames | | Comma-delimited list of usernames to accept (blocking all others) |
| idp.authn.RemoteUserInternal.deniedUsernames | | Comma-delimited list of usernames to deny (accepting all others) |
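As an added illustration, not the IdP's own code, the following Python model walks a username through the pipeline the bean and property tables above describe. The precedence among REMOTE_USER, request attributes and headers, and the trim/case/transform-then-validate order, are assumptions noted in the comments; the sample configuration and inputs are constructed.

```python
import re
from dataclasses import dataclass, field
@dataclass
class RemoteUserInternalConfig:
    # Constructed model of the idp.authn.RemoteUserInternal.* properties, not IdP code.
    check_remote_user: bool = True
    check_attributes: list = field(default_factory=list)  # servlet request attributes
    check_headers: list = field(default_factory=list)     # HTTP headers: only safe when a front end sets/strips them
    trim: bool = True
    lowercase: bool = False
    uppercase: bool = False
    transforms: list = field(default_factory=list)        # (regex, replacement) pairs; Python uses \1 where Java uses $1
    allowed_usernames: list = field(default_factory=list)
    denied_usernames: list = field(default_factory=list)
    match_expression: str = ""

def extract_username(cfg, remote_user, attributes, headers):
    # First non-empty candidate: REMOTE_USER, then attributes, then headers (assumed precedence).
    candidates = [remote_user if cfg.check_remote_user else None]
    candidates += [attributes.get(n) for n in cfg.check_attributes]
    candidates += [headers.get(n) for n in cfg.check_headers]
    return next((c for c in candidates if c), None)

def normalize(cfg, username):
    # Trim and case-fold first, then apply the regex transforms in order (assumed order).
    if cfg.trim:
        username = username.strip()
    if cfg.lowercase or cfg.uppercase:
        username = username.lower() if cfg.lowercase else username.upper()
    for regex, replacement in cfg.transforms:
        username = re.sub(regex, replacement, username)
    return username

def validate(cfg, username):
    # Deny list, allow list (if set) and matchExpression (full match) must all pass.
    if not username or username in cfg.denied_usernames:
        return False
    if cfg.allowed_usernames and username not in cfg.allowed_usernames:
        return False
    return not cfg.match_expression or re.fullmatch(cfg.match_expression, username) is not None

def authenticate(cfg, remote_user=None, attributes=None, headers=None):
    # Canonical username the flow would accept, or None to fail the flow.
    raw = extract_username(cfg, remote_user, attributes or {}, headers or {})
    username = normalize(cfg, raw) if raw else None
    return username if username and validate(cfg, username) else None

# Constructed sample: strip a realm suffix, deny "root", then require a canonical form.
EXAMPLE_CONFIG = RemoteUserInternalConfig(lowercase=True, transforms=[(r"@example\.org$", "")],
                                          denied_usernames=["root"], match_expression=r"[a-z0-9.]+")
```

Under the default settings a header-supplied identity is ignored because checkHeaders names no header; where a header source is enabled, the front end must set that header itself and drop any client-supplied copy before the request reaches the IdP.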
The general properties configuring this flow via authn/authn.properties are:

| Name | Default | Description |
|---|---|---|
| idp.authn.RemoteUserInternal.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) |
| idp.authn.RemoteUserInternal.nonBrowserSupported | true | Whether the flow should handle non-browser request profiles (e.g., ECP) |
| idp.authn.RemoteUserInternal.passiveAuthenticationSupported | false | Whether the flow allows for passive authentication |
| idp.authn.RemoteUserInternal.forcedAuthenticationSupported | false | Whether the flow supports forced authentication |
| idp.authn.RemoteUserInternal.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying |
| idp.authn.RemoteUserInternal.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying |
| idp.authn.RemoteUserInternal.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow |
| idp.authn.RemoteUserInternal.lifetime | %{idp.authn.defaultLifetime:PT1H} | Lifetime of results produced by this flow |
| idp.authn.RemoteUserInternal.inactivityTimeout | %{idp.authn.defaultTimeout:PT30M} | Inactivity timeout of results produced by this flow |
| idp.authn.RemoteUserInternal.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO |
| idp.authn.RemoteUserInternal.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request |
| idp.authn.RemoteUserInternal.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization |
| idp.authn.RemoteUserInternal.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow |
| idp.authn.RemoteUserInternal.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |
Most of the flows, including this one, default to describing themselves in terms of "password"-based authentication, so the supportedPrincipals property defaults to the following XML:

```xml
<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
</list>
```
In property form, this is expressed as (note especially the trailing commas, which MUST be there):

```properties
idp.authn.RemoteUserInternal.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password
```
To replace the internally defined flow descriptor bean, the following XML is required:

```xml
<util:list id="shibboleth.AvailableAuthenticationFlows">
    <bean p:id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow"
        p:order="%{idp.authn.RemoteUserInternal.order:1000}"
        p:nonBrowserSupported="%{idp.authn.RemoteUserInternal.nonBrowserSupported:true}"
        p:passiveAuthenticationSupported="%{idp.authn.RemoteUserInternal.passiveAuthenticationSupported:false}"
        p:forcedAuthenticationSupported="%{idp.authn.RemoteUserInternal.forcedAuthenticationSupported:false}"
        p:proxyRestrictionsEnforced="%{idp.authn.RemoteUserInternal.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
        p:proxyScopingEnforced="%{idp.authn.RemoteUserInternal.proxyScopingEnforced:false}"
        p:discoveryRequired="%{idp.authn.RemoteUserInternal.discoveryRequired:false}"
        p:lifetime="%{idp.authn.RemoteUserInternal.lifetime:%{idp.authn.defaultLifetime:PT1H}}"
        p:inactivityTimeout="%{idp.authn.RemoteUserInternal.inactivityTimeout:%{idp.authn.defaultTimeout:PT30M}}"
        p:reuseCondition-ref="#{'%{idp.authn.RemoteUserInternal.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
        p:activationCondition-ref="#{'%{idp.authn.RemoteUserInternal.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
        p:subjectDecorator-ref="#{getObject('%{idp.authn.RemoteUserInternal.subjectDecorator:}'.trim())}">
        <property name="supportedPrincipalsByString">
            <bean parent="shibboleth.CommaDelimStringArray"
                c:_0="#{'%{idp.authn.RemoteUserInternal.supportedPrincipals:}'.trim()}" />
        </property>
    </bean>
</util:list>
```
In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.