Overview

The authn/Function login flow is an extension point that allows authentication to be handled by a deployer-supplied Function object, which can be written in Java, a scripting language, etc. It simplifies authoring certain kinds of custom login flows (essentially it provides the "flow" part) and potentially simpifies some MultiFactorAuthnConfiguration scenarios by moving some of the logic into a separate component.

General Configuration

Use authn/function-authn-config.xml to configure this flow. Only a couple of beans are defined, chiefly the core of the flow, a required bean named shibboleth.authn.Function.ResultLookupStrategy, of type Function<ProfileRequestContext,Object>

If the function returns a null, then authentication fails (this is how to signal a controlled failure). Otherwise, the function can return a String (the username), a Principal, or a Subject, and the system will construct an appropriate AuthenticationResult around whatever is returned.

Reference

Beans

Bean ID	Type	Default	Function
shibboleth.authn.Function.resultLookupStrategy	Function<ProfileRequestContext,Object>		A function to produce the authentication result (see above)
shibboleth.authn.Function.resultCachingPredicate	Predicate<ProfileRequestContext>		An optional bean that can be defined to control whether to preserve the authentication result in an IdP session
shibboleth.authn.Function.addDefaultPrincipals	Boolean	true	Whether to add the content of the `supportedPrincipals` property of the underlying flow descriptor to the resulting Subject

Notes

None