The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
FunctionAuthnConfiguration
This feature depends on V3.4.0 of the IdP software.
Current File(s): conf/authn/function-authn-config.xml
Format: Native Spring
Overview
The authn/Function login flow is an extension point that allows authentication to be handled by a deployer-supplied Function object, which can be written in Java, a scripting language, etc. It simplifies authoring certain kinds of custom login flows (essentially it provides the "flow" part) and potentially simplifies some MultiFactorAuthnConfiguration scenarios by moving some of the logic into a separate component.
General Configuration
Use authn/function-authn-config.xml to configure this flow. Only a couple of beans are defined, chiefly the core of the flow, a required bean named shibboleth.authn.Function.ResultLookupStrategy, of type Function<ProfileRequestContext,Object>.
If the function returns a null, then authentication fails (this is how to signal a controlled failure). Otherwise, the function can return a String (the username), a Principal, or a Subject, and the system will construct an appropriate AuthenticationResult around whatever is returned.
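The return contract above, as an added example that is not part of the original page or the Shibboleth distribution: a result function that returns a Principal only for a well-formed, container-asserted identity and returns null on every other path. The class and package names, the username pattern, and the use of the IdP's shibboleth.HttpServletRequest bean as the constructor argument are assumptions.

```java
package org.example.idp; // hypothetical package

import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;

import com.google.common.base.Function;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example (hypothetical class): result lookup function for the authn/Function flow.
 * Returns a Principal on success and null on every other path, so the flow fails closed.
 * Wire it in function-authn-config.xml under the required bean id from "General Configuration",
 * passing the servlet request as a constructor argument (assumed here to be the IdP's
 * shibboleth.HttpServletRequest bean).
 */
public class ContainerUserResultFunction implements Function<ProfileRequestContext, Object> {

    private static final Logger LOG = LoggerFactory.getLogger(ContainerUserResultFunction.class);

    /** Assumed local policy: short lowercase account names only. */
    private static final Pattern ALLOWED = Pattern.compile("[a-z][a-z0-9._-]{0,63}");

    private final HttpServletRequest request;

    public ContainerUserResultFunction(final HttpServletRequest servletRequest) {
        this.request = servletRequest;
    }

    @Override
    @Nullable
    public Object apply(@Nullable final ProfileRequestContext input) {
        try {
            // Identity asserted by the servlet container, not a client-supplied header.
            final String user = request != null ? request.getRemoteUser() : null;
            if (user == null || !ALLOWED.matcher(user).matches()) {
                // The rejected value is untrusted input, so it is not written to the log.
                LOG.warn("Function authn: missing or malformed container identity");
                return null; // controlled failure
            }
            return new UsernamePrincipal(user);
        } catch (final RuntimeException e) {
            // Turn unexpected errors into a controlled failure instead of propagating them.
            LOG.warn("Function authn: lookup failed, failing closed", e);
            return null;
        }
    }
}
```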
Reference
Beans
Bean ID | Type | Default | Function |
---|---|---|---|
shibboleth.authn.Function.resultLookupStrategy | Function<ProfileRequestContext,Object> | | A function to produce the authentication result (see above) |
shibboleth.authn.Function.resultCachingPredicate | Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
shibboleth.authn.Function.addDefaultPrincipals | Boolean | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject |
Notes
None