{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Current File(s):","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"conf/authn/x509-authn-config.xml, (edit-)webapp/WEB-INF/web.xml, (edit-)webapp/x509-prompt.jsp, authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":" (V4.1+)","type":"text"},{"type":"hardBreak"},{"text":"Format:","type":"text","marks":[{"type":"strong"}]},{"text":" Native Spring, Properties (V4.1+)","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"d99dbe13-9069-4c15-80ee-3fe02e9a948c"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"524b1789-b5f6-40e4-bc43-2c05482dd83e"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"The authn/X509 login flow leverages any surrounding mechanism you have available for TLS client certificate authentication, provided the standard servlet request attribute (\"javax.servlet.request.X509Certificate\") is populated. By default, this flow is configured without support for advanced authentication controls like passive or forced authentication since this is not generally possible with client certificate authentication.","type":"text"}]},{"type":"paragraph","content":[{"text":"The result of this flow is a Java ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject?module=java.sql"}}]},{"text":" containing an ","type":"text"},{"text":"X500Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.x500.X500Principal?module=java.sql"}}]},{"text":" derived from the subject of the certificate, and the certificate is optionally added as a public credential of the ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject?module=java.sql"}}]},{"text":". Note that no actual \"username\" is produced; rather, a suitable ","type":"text"},{"text":"post-login Subject Canonicalization","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631709"}}]},{"text":" flow must be enabled/configured to pull a suitable principal name out of the ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject?module=java.sql"}}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"This flow is implemented as a special case of the ","type":"text"},{"text":"External","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631607"}}]},{"text":" flow that happens to use a supplied servlet to implement the External contract that supports extraction of the certificate from the request. Rather than customizing this flow, use the External flow directly to do more advanced things.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that if you have a web server that is configured to perform the certificate evaluation for you and populate a header or variable with the \"username\" to use based on the certificate, you almost certainly will want to use the ","type":"text"},{"text":"RemoteUser","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631618"}}]},{"text":" flow instead. This flow pulls in the certificate as the primary result of the authentication and relies on downstream logic (often the ","type":"text"},{"text":"x500","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631624"}}]},{"text":" subject c14n flow) to get a username out of it.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Enabling Module (V4.1+)","type":"text"}]},{"type":"paragraph","content":[{"text":"For V4.1+, configuring and using this feature requires that you first enable the \"idp.authn.X509\" module if it isn't already enabled. Systems upgraded from older releases generally come pre-enabled due to the prior state of the configuration tree.","type":"text"}]},{"type":"codeBlock","content":[{"text":"(Windows)\nC:\\opt\\shibboleth-idp> bin\\module.bat -t idp.authn.X509 || bin\\module.bat -e idp.authn.X509\n \n(Other)\n$ bin/module.sh -t idp.authn.X509 || bin/module.sh -e idp.authn.X509","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"General Configuration","type":"text"}]},{"type":"expand","attrs":{"title":"V4.0"},"content":[{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"text":"conf/authn/x509-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" to configure this flow.","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"shibboleth.authn.X509.externalAuthnPath","type":"text","marks":[{"type":"strong"}]},{"text":" bean is the flow redirection path to either a JSP page allowing an explicit prompt for certificate authentication (and other messaging to the user), or directly to the authentication servlet, skipping the UI (which is at ","type":"text"},{"text":"/Authn/X509","type":"text","marks":[{"type":"em"}]},{"text":"). These are context-relative locations, and you can use any JSP page you choose. It can be modified if needed, but in most cases modifying this to anything but one of those two choices means the ","type":"text"},{"text":"External","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631607"}}]},{"text":" flow is likely a better choice to use.","type":"text"}]}]},{"type":"expand","attrs":{"title":"V4.1+"},"content":[{"type":"paragraph","content":[{"text":"Most of the usual options are available via ","type":"text"},{"text":"authn/authn.properties,","type":"text","marks":[{"type":"em"}]},{"text":" and some more advanced cases will require defining/adjusting bean definitions in ","type":"text"},{"text":"authn/x509-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"idp.authn.X509.externalAuthnPath","type":"text","marks":[{"type":"strong"}]},{"text":" property is the flow redirection path to either a JSP page allowing an explicit prompt for certificate authentication (and other messaging to the user), or directly to the authentication servlet, skipping the UI (which is at ","type":"text"},{"text":"/Authn/X509","type":"text","marks":[{"type":"em"}]},{"text":"). These are context-relative locations, and you can use any JSP page you choose. It can be modified if needed, but in most cases modifying this to anything but one of those two choices means the ","type":"text"},{"text":"External","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631607"}}]},{"text":" flow is likely a better choice to use.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"You can make the location dynamic via a bean of type ","type":"text"},{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631618"}}]},{"text":",","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":"> named ","type":"text"},{"text":"shibboleth.authn.X509.externalAuthnPathStrategy","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"shibboleth.authn.X509.ClassifiedMessageMap","type":"text","marks":[{"type":"strong"}]},{"text":" bean is a map of error messages to classified error conditions that isn't generally used with this handler because it usually won't return with any contextual details, but there is a default mapping supplied that signals fall-through to other login flows if no certificate is found or the certificate fails optional validation. This is done by remapping those specific error events into a \"ReselectFlow\" event.","type":"text"}]},{"type":"paragraph","content":[{"text":"The servlet that implements the authentication for this flow is configured by ","type":"text"},{"text":"webapp/WEB-INF/web.xml","type":"text","marks":[{"type":"em"}]},{"text":" and can be given a \"trustEngine\" context parameter that identifies a Spring bean ID of an OpenSAML TrustEngine that should be used to validate the client certificate chain. The best spot to define such a bean is usually ","type":"text"},{"text":"conf/global.xml","type":"text","marks":[{"type":"em"}]},{"text":", as it needs to be in the root Spring context for the servlet to access it. Of course, it's often simpler and more common to do this validation using the web server itself, although that's less flexible.","type":"text"}]},{"type":"paragraph","content":[{"text":"An example of a PKIX-based TrustEngine declaration follows. The bean ID would need to be supplied in ","type":"text"},{"text":"web.xml","type":"text","marks":[{"type":"em"}]},{"text":" as the \"trustEngine\" context paramater to the servlet.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"global.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"The servlet also supports a boolean parameter, \"saveCertificateToCredentialSet\", which can be set to false to prevent the preservation of the certificate in the resulting credentials to save space if it won't be used.","type":"text"}]},{"type":"paragraph","content":[{"text":"As always, if editing ","type":"text"},{"text":"web.xml","type":"text","marks":[{"type":"em"}]},{"text":", make sure to copy it to ","type":"text"},{"text":"edit-webapp/WEB-INF","type":"text","marks":[{"type":"strong"}]},{"text":" first and make any changes to that copy.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference","type":"text"}]},{"type":"expand","attrs":{"title":"Beans (V4.0)"},"content":[{"type":"paragraph","content":[{"text":"The beans defined, or expected to be defined, in ","type":"text"},{"text":"authn/x509-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" follow:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"df0a8b5d-6756-4a86-841f-08345b84d25b"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[306.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID / Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[189.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[392.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[306.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.X509.externalAuthnPath","type":"text"}]},{"type":"paragraph","content":[{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[189.0]},"content":[{"type":"paragraph","content":[{"text":"contextRelative:x509-prompt.jsp","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[392.0]},"content":[{"type":"paragraph","content":[{"text":"Spring Web Flow redirection expression for the protected resource","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[306.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.X509.externalAuthnPathStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631618"}}]},{"text":",","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[189.0]},"content":[{"type":"paragraph","content":[{"text":"A constant function returning the bean value above.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[392.0]},"content":[{"type":"paragraph","content":[{"text":"A function that returns the redirection expression to use for the protected resource","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[306.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.X509.ClassifiedMessageMap","type":"text"}]},{"type":"paragraph","content":[{"text":"Map","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.Map?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":",","type":"text"},{"text":"List","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.List?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":">>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[189.0]},"content":[{"type":"paragraph","content":[{"text":"(see file)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[392.0]},"content":[{"type":"paragraph","content":[{"text":"A map between defined error/warning conditions and events and implementation-specific message fragments to map to them.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[306.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.X509.resultCachingPredicate","type":"text"}]},{"type":"paragraph","content":[{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[189.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[392.0]},"content":[{"type":"paragraph","content":[{"text":"An optional bean that can be defined to control whether to preserve the authentication result in an IdP session","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[306.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.X509.addDefaultPrincipals","type":"text"}]},{"type":"paragraph","content":[{"text":"Boolean","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.Boolean?module=java.sql"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[189.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[392.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to add the content of the ","type":"text"},{"text":"supportedPrincipals","type":"text","marks":[{"type":"code"}]},{"text":" property of the underlying flow descriptor to the resulting Subject","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Beans (V4.1+)"},"content":[{"type":"paragraph","content":[{"text":"The beans defined, or expected to be defined, in ","type":"text"},{"text":"authn/x509-authn-config.xml","type":"text","marks":[{"type":"em"}]},{"text":" follow:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"dfe5a096-f608-4767-82fc-0f1ca2fed142"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID / Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[227.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[437.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.X509.externalAuthnPathStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631618"}}]},{"text":",","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[227.0]},"content":[{"type":"paragraph","content":[{"text":"A constant function returning the bean value above.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[437.0]},"content":[{"type":"paragraph","content":[{"text":"A function that returns the redirection expression to use for the protected resource","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.X509.ClassifiedMessageMap","type":"text"}]},{"type":"paragraph","content":[{"text":"Map","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.Map?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":",","type":"text"},{"text":"List","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.List?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":">>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[227.0]},"content":[{"type":"paragraph","content":[{"text":"(see file)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[437.0]},"content":[{"type":"paragraph","content":[{"text":"A map between defined error/warning conditions and events and implementation-specific message fragments to map to them.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[350.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.X509.resultCachingPredicate","type":"text"}]},{"type":"paragraph","content":[{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[227.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[437.0]},"content":[{"type":"paragraph","content":[{"text":"An optional bean that can be defined to control whether to preserve the authentication result in an IdP session","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Properties (V4.1+)"},"content":[{"type":"paragraph","content":[{"text":"The flow-specific properties usable via ","type":"text"},{"text":"authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":" are:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"721fda60-5a85-491f-b6ca-48a939c71327"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[268.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[248.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[498.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[268.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.externalAuthnPath","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[248.0]},"content":[{"type":"paragraph","content":[{"text":"contextRelative:x509-prompt.jsp","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[498.0]},"content":[{"type":"paragraph","content":[{"text":"Spring Web Flow redirection expression for the protected resource","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"The general properties configuring this flow via ","type":"text"},{"text":"authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":" are:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"988e7dc2-e9db-4123-a6d4-1fee5980b395"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.order","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"1000","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Flow priority relative to other enabled login flows (lower is \"higher\" in priority)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.nonBrowserSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow should handle non-browser request profiles (e.g., ECP)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.passiveAuthenticationSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow allows for passive authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.forcedAuthenticationSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow supports forced authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.proxyRestrictionsEnforced","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.enforceProxyRestrictions:true}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow enforces upstream IdP-imposed restrictions on proxying","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.proxyScopingEnforced","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.discoveryRequired","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to invoke IdP-discovery prior to running flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.lifetime","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.defaultLifetime:PT1H}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Lifetime of results produced by this flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.inactivityTimeout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.defaultTimeout:PT30M}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Inactivity timeout of results produced by this flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.reuseCondition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.Conditions.TRUE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":"> controlling result reuse for SSO","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.activationCondition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.Conditions.TRUE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":"> determining whether flow is usable for request","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.subjectDecorator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"BiConsumer","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiConsumer"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":"> for subject customization","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.supportedPrincipals","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"(see below)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Comma-delimited list of protocol-specific ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" strings associated with flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[236.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.X509.addDefaultPrincipals","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[203.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to auto-attach the preceding set of ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" objects to each ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" produced by this flow","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"As a non-password based flow, the ","type":"text"},{"text":"supportedPrincipals","type":"text","marks":[{"type":"code"}]},{"text":" property defaults to the following XML:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"In property form, this is expressed as (note the trailing commas):","type":"text"}]},{"type":"codeBlock","content":[{"text":"idp.authn.X509.supportedPrincipals = \\\n saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \\\n saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \\\n saml1/urn:ietf:rfc:2246","type":"text"}]}]},{"type":"expand","attrs":{"title":"Flow Descriptor XML (V4.1+)"},"content":[{"type":"paragraph","content":[{"text":"To replace the internally defined flow descriptor bean, the following XML is required:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"In older versions and upgraded systems, this list is defined in ","type":"text"},{"text":"conf/authn/general-authn.xml","type":"text","marks":[{"type":"em"}]},{"text":". In V4.1+, no default version of the list is provided and it may simply be placed in ","type":"text"},{"text":"conf/global.xml","type":"text","marks":[{"type":"em"}]},{"text":" if needed.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Notes","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that this flow is configured by default without support for non-browser profiles (namely ","type":"text"},{"text":"ECP","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/CONCEPT/pages/928645114"}}]},{"text":") because the ","type":"text"},{"text":"X509Internal","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631626"}}]},{"text":" flow is a better choice when a browser isn't required. It eliminates the extra redirects (and the optional HTML UI) used by this flow.","type":"text"}]}],"version":1}

Browser not supported