{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Current File(s):","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"conf/authn/authn.properties, conf/relying-party.xml","type":"text","marks":[{"type":"em"}]},{"type":"hardBreak"},{"text":"Format:","type":"text","marks":[{"type":"strong"}]},{"text":" Properties, Native Spring","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"3"}},"macroMetadata":{"macroId":{"value":"ac55547c02c8ff16cd08e72c7e3851dd"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"bcebf08d-1a98-498c-8960-4d28f57a5a2a"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"The authn/SAML login flow supports the use of a separate SAML 2.0 Identity Provider to authenticate the subject, with the IdP acting as a SAML proxy. This flow provides native SAML support with additional features and flexibility without the need to deploy a separate SAML Service Provider implementation along with the IdP.","type":"text"}]},{"type":"paragraph","content":[{"text":"The majority of this flow's behavior is actually derived from pre-existing configuration sources, in particular the use of SAML metadata (but for the IdP rather than the more usual SP metadata), and, if required, the use of ","type":"text"},{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199508044"}}]},{"text":" to override behavior for specific IdPs.","type":"text"}]},{"type":"paragraph","content":[{"text":"The rest of the configuration needed is generally for the decoding and mapping/propagation of Attribute data from SAML, into the IdP, and usually on to SPs, which is common to most proxy authentication scenarios.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Be aware that the issues raised by ","type":"text"},{"text":"SameSite","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199501597"}}]},{"text":" are fatal to this feature. If you have not yet deployed the filter provided as a workaround (possibly including accomodations for older Apple browsers), you will experience sporadic failures with this feature during the SAML POST back to the proxying Shibboleth IdP.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"General Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"There are only two core requirements for this flow to operate:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The entityID of the Identity Provider to use must be known or determined “somehow”.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML metadata for that Identity Provider must be available via the usual ","type":"text"},{"text":"MetadataConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199506698"}}]},{"text":".","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"The entityID to use can be established either via static configuration, a lookup function, or prior to this flow running by providing some form of IdP Discovery service and toggling the flow's ","type":"text"},{"text":"discoveryRequired","type":"text","marks":[{"type":"code"}]},{"text":" property (as discussed more generally in the ","type":"text"},{"text":"AuthenticationConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505085"}}]},{"text":" topic).","type":"text"}]},{"type":"paragraph","content":[{"text":"When proxying all traffic to a different back-end operated by the same organization, the static configuration approach of a property is usually sufficient. For such simpler cases, the ","type":"text"},{"text":"idp.authn.SAML.proxyEntityID","type":"text","marks":[{"type":"strong"}]},{"text":" property can be set, to directly specify an IdP to use, or a bean named ","type":"text"},{"text":"shibboleth.authn.SAML.discoveryFunction","type":"text","marks":[{"type":"strong"}]},{"text":" can be defined (using ","type":"text"},{"text":"global.xml","type":"text","marks":[{"type":"em"}]},{"text":" is fine) to produce the entityID of the IdP to use.","type":"text"}]},{"type":"paragraph","content":[{"text":"If some form of user interface is required to perform discovery, this must be achieved by implementing that in form of a compliant Discovery service (the ","type":"text"},{"text":"standard protocol","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.oasis-open.org/security/IdpDiscoSvcProtonProfile"}}]},{"text":" is based on simple redirects, so is readily implementable).","type":"text"}]},{"type":"paragraph","content":[{"text":"The SAML metadata describing the IdP you are proxying to is akin to the metadata that would drive any typical Shibboleth SP, and (apart from testing) should of course either be locally managed, or be refreshably-sourced from a trusted third-party with appropriate constraints on validity window, signature validation, and so forth applied.","type":"text"}]},{"type":"paragraph","content":[{"text":"Metadata representing the SP \"half\" of the Shibboleth IdP proxy (which you may need to give to the upstream IdP(s)) is of course also standard:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The IdP's entityID is presumed to be the same one applying to normal outbound use, but can be overridden if required (via the ","type":"text"},{"text":"issuer","type":"text","marks":[{"type":"code"}]},{"text":" property on a ","type":"text"},{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199508044"}}]},{"text":" bean).","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" for the IdP-acting-as-SP supports only the HTTP-POST binding and is located at the path \"/idp/profile/Authn/SAML2/POST/SSO\".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Encryption is fully supported; you may not have bothered doing anything with the existing encryption key generated at install time but it will be used by default to decrypt incoming SAML and its certificate would need to be published in the metadata you give to the proxied IdP. Of course you are free not to do this and accept plaintext assertions.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If you wish to sign requests, you would also need to include the IdP’s usual signing certificate. Note that the primary use case for this is logout, but the proxying support doesn't include any logout integration at present. If logout is making fire, logout and proxying together is quantum physics.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"A Note About Intra/Azure","type":"text"}]},{"type":"paragraph","content":[{"text":"Apparently Microsoft’s implementation enforces the underlying schema rule in SAML that the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element contains an actual URI. The IdP will populate this element with the identity of the downstream SP for which it is proxying authentication, and if it doesn’t happen to match Microsoft’s almost-certainly inexact determination about what constitutes a legal value, they reject it. If you’re proxying to it, you may need to set the SSO ","type":"text"},{"text":"ignoreScoping","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199508680"}}]},{"text":" profile configuration property to skip the creation of the entire ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element in the request.","type":"text"}]},{"type":"paragraph","content":[{"text":"It is notable that Azure happily allows the actual entityID of the SPs it connects to to contain any string value, despite that being unsafe, insecure, and of much greater consequence than the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Post-Processing","type":"text"}]},{"type":"paragraph","content":[{"text":"The bulk of the configuration of this flow addresses the post-processing of the SAML Assertions that are returned in a successful response.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Authentication Time","type":"text"}]},{"type":"paragraph","content":[{"text":"By default, the ","type":"text"},{"text":"AuthenticationResult","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.AuthenticationResult"}}]},{"text":" created will be stamped with the ","type":"text"},{"text":"AuthnInstant","type":"text","marks":[{"type":"code"}]},{"text":" attribute supplied by the proxied IdP, which has implications on the policy you set for lifetime and timeout of these results. If you prefer to ignore that value and use the current time instead, you can set the ","type":"text"},{"text":"SAML2.SSO","type":"text","marks":[{"type":"strong"},{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199508680"}}]},{"text":" profile bean’s ","type":"text"},{"text":"isProxiedAuthnInstant","type":"text","marks":[{"type":"code"}]},{"text":" setting to \"false\".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Attribute Extraction and Filtering","type":"text"}]},{"type":"paragraph","content":[{"text":"There are two sources of ","type":"text"},{"text":"IdPAttribute","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":" extraction possible:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"AttributeRegistryConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510514"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"An optional function bean named ","type":"text"},{"text":"shibboleth.authn.SAML.attributeExtractionStrategy","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"paragraph","content":[{"text":"The first is a largely automated process to decode SAML Attributes based on standard rules, possibly supplemented by custom rules.","type":"text"}]},{"type":"paragraph","content":[{"text":"The second is an extension point for implementing any custom requirements you have, primarily for extracting data from the surrounding SAML Assertion or Response into information to operate on. The function is of Java type ","type":"text"},{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"Collection","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.Collection?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"IdPAttribute","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":">> and may be defined in ","type":"text"},{"text":"conf/global.xml","type":"text","marks":[{"type":"em"}]},{"text":". If all you need to consume are SAML Attributes, you should stick to the built-in mechanism and define registry rules for decoding them.","type":"text"}]},{"type":"paragraph","content":[{"text":"Once the results have been produced, the ","type":"text"},{"text":"AttributeFilterConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199501794"}}]},{"text":" is applied to the results. This is a reversal of the usual filtering process of outbound data and operates with the proxying IdP itself as the \"requester\" and the proxied IdP as the \"issuer\", applying the Requester- and Issuer-based rules, respectively. It is also often desirable to apply \"","type":"text"},{"text":"scope filtering","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199502580"}}]},{"text":"\" based on metadata when defining acceptance rules for scoped attributes.","type":"text"}]},{"type":"paragraph","content":[{"text":"If discriminating based on the issuer isn't sufficient, \"Inbound\" and \"Outbound\" policy rules are also provided for limiting policies based on the direction of the transaction.","type":"text"}]},{"type":"paragraph","content":[{"text":"No matter how you ultimately want to write these rules, it’s a good idea after testing to review your existing filtering policies to ensure you’re not allowing anything inbound you may not be intending to.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Example","type":"text"}]},{"type":"paragraph","content":[{"text":"An IdP proxying for a dedicated system with some discrete attributes might have a filter policy such as the following:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Example inbound filter policy","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n \n\t\n\t\n\t\n\t\n\t\t\n\t\n","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Subject Population","type":"text"}]},{"type":"paragraph","content":[{"text":"As with any other login flow, the product will be an ","type":"text"},{"text":"AuthenticationResult","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.AuthenticationResult"}}]},{"text":" containing a Java ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject?module=java.sql"}}]},{"text":" with some number of ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal?module=java.sql"}}]},{"text":" objects. Unlike many of the flows, the source of the Principals is somewhat more complex and flexible, and does not generally lend itself to a trivial determination of a principal name during ","type":"text"},{"text":"subject canonicalization","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199509628"}}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"The content of the Subject produced consists of the following:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If the incoming Assertion(s) contained a ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element, then a ","type":"text"},{"text":"NameIDPrincipal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.authn.principal.NameIDPrincipal"}}]},{"text":" is included that wraps that data.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The incoming ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element is used to construct one or more Principal objects that represent the quality of the authentication peformed. This is discussed further below.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A ","type":"text"},{"text":"ProxyAuthenticationPrincipal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal"}}]},{"text":" is included that will contain the chain of proxied IdPs used, beginning with the immediate assertion issuer and including any additional authorities identities in the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":", if any.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Any ","type":"text"},{"text":"IdPAttribute","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":" objects resulting from the initial extraction and filtering stage are wrapped in ","type":"text"},{"text":"IdPAttributePrincipals","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.principal.IdPAttributePrincipal"}}]},{"text":".","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Most of that is automatic, but the processing of the SAML Authentication Context information is potentially complex because of the need to potentially translate the information received into a different form to align to the values the IdP uses internally and/or passes on to downstream SPs. By default, the information passes through a built-in translation function that relies on a map defined in ","type":"text"},{"text":"conf/authn/authn-comparison.xml,","type":"text","marks":[{"type":"em"}]},{"text":" discussed in the ","type":"text"},{"text":"AuthenticationConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505085"}}]},{"text":" topic. It's possible to override this translation behavior using the profile configuration (see Advanced Behavior below), but this is only required for interoperation with non-compliant SAML software.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Subject Canonicalization","type":"text"}]},{"type":"paragraph","content":[{"text":"As with all login flows, there is a requirement to process the ","type":"text"},{"text":"AuthenticationResult","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.authn.AuthenticationResult"}}]},{"text":" into a normalized principal name but because of the more complex nature of the resulting Subject, this isn't a trivial thing to do. Much as with the ","type":"text"},{"text":"X.509","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199506319"}}]},{"text":" flow, there is no simple \"username\" to rely on and the system requires some dedicated configuration to know what to do. Generally, either the ","type":"text"},{"text":"attribute","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505212"}}]},{"text":" or ","type":"text"},{"text":"SAML2ProxyTransform","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505934"}}]},{"text":" c14n flows are used, depending on whether the source of the principal name is based on a SAML Attribute or NameID, respectively.","type":"text"}]},{"type":"paragraph","content":[{"text":"In the former (attribute) case, the result can be pulled directly from the upstream IdP or actually come from the ","type":"text"},{"text":"AttributeResolverConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199502864"}}]},{"text":", so there's a lot of flexibility in what to return, but simple passthrough or transform of a SAML Attribute is easy to express. An example below demonstrates this approach.","type":"text"}]},{"type":"paragraph","content":[{"text":"Using a NameID is strongly discouraged for lots of reasons, not least because it's quite complex to support, but the ","type":"text"},{"text":"SAML2ProxyTransform","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505934"}}]},{"text":" topic discusses how to configure that support.","type":"text"}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"Note that a common use case is likely to be importing an opaque identifier such as one of the new ","type":"text"},{"text":"Subject ID","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.oasis-open.org/security/SAMLSubjectIDAttr"}}]},{"text":" Attributes. While it's possible to directly expose such a value as the principal name, it is probably the case that a lot of mature proxy deployments would be expected to store and map that value to something of their own. That is not exactly a built-in feature at this point, but the most viable path to such a feature at present is probably to leverage a custom post-authentication ","type":"text"},{"text":"interceptor","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199509815"}}]},{"text":" that might detect an unlinked value and provide the user interface necessary to establish and store the linking information so that subsequent logins can retrieve the mapping from a typical directory or data source. Such an approach is beyond the scope of the documentation at this point.","type":"text"}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Attribute-Sourced C14N Example","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Note that this example assumes that the ","type":"text"},{"text":"only","type":"text","marks":[{"type":"em"}]},{"text":" use of this c14n feature is for this proxying use case. If you have a more complex scenario in which there are local authentication methods used as well and you use this feature for those, it gets more complex to combine them without breaking things, so take that into consideration.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Let's say you have an IdP supplying a standard eduPersonPrincipalName SAML Attribute to you and you want to build the principal name directly from that.","type":"text"}]},{"type":"paragraph","content":[{"text":"Assuming things are set up in a default manner, there's already a rule in the ","type":"text"},{"text":"AttributeRegistryConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199510514"}}]},{"text":" defined to map the SAML Attribute named \"urn:oid:1.3.6.1.4.1.5923.1.1.1.6\" into a scoped IdPAttribute named \"eduPersonPrincipalName\".","type":"text"}]},{"type":"paragraph","content":[{"text":"As is mentioned in the attribute filtering and extraction section above, the IdP won't ingest the attribute to be used in this process unless it's also allowed to pass in by the attribute filter configuration. So, an attribute filter policy must be added to attribute-filter.xml that maps the attribute to be used as an identifier, eduPersonPrincipalName in this example, from the incoming assertion:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Example inbound filter policy","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n \n\t\n\t\t\n\t\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Then, configure the ","type":"text"},{"text":"attribute","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505212"}}]},{"text":" post-login c14n flow by pointing it at \"eduPersonPrincipalName\" as a source. The properties to enable this are commented out in ","type":"text"},{"text":"conf/c14n/subject-c14n.properties","type":"text","marks":[{"type":"em"}]},{"text":" and are noted below.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"conf/c14n/subject-c14n.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n ","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"conf/c14n/subject-c14n.properties","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"idp.c14n.attribute.attributeSourceIds = eduPersonPrincipalName\n# Allows direct use of attributes via SAML proxy authn, bypasses resolver\nidp.c14n.attribute.resolveFromSubject = true\nidp.c14n.attribute.resolutionCondition = shibboleth.Conditions.FALSE","type":"text"}]},{"type":"paragraph","content":[{"text":"The same general approach demonstrated above works for any attribute you can map in from the response.","type":"text"}]},{"type":"paragraph","content":[{"text":"The last property there is important, as it bypasses the actual running of the Attribute Resolver unnecessarily in order to simply pull in an imported Attribute from the upstream IdP.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Attribute Resolution","type":"text"}]},{"type":"paragraph","content":[{"text":"Finally, many proxying scenarios will often require some form of attribute pass-through or manipulation of data provided by the proxy as outgoing information. As a shorthand, the ","type":"text"},{"text":"SubjectDataConnector","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199504610"}}]},{"text":" can be applied to produce internal or even auto-exported attributes within the ","type":"text"},{"text":"AttributeResolverConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199502864"}}]},{"text":", and they can be used directly or leveraged as inputs to other attribute definitions or data connectors.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Advanced Behavior","type":"text"}]},{"type":"paragraph","content":[{"text":"Customizing the flow's behavior using profile configuration options is simple in practice, though may be a bit counter-intuitive: you treat the proxied Identity Provider as a \"relying party\" and leverage the usual mechanisms in ","type":"text"},{"text":"conf/relying-party.xml","type":"text","marks":[{"type":"em"}]},{"text":" to alter behavor using the ","type":"text"},{"text":"SAML2.SSO","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199508680"}}]},{"text":" profile configuration bean. That is, the same way you customize the behavior of SAML 2.0 SSO for SPs is also used to customize some of the behavior for SAML 2.0 IdPs.","type":"text"}]},{"type":"paragraph","content":[{"text":"Since SAML 2.0 SSO is normally one of the default supported profiles, the general use of this flow is enabled simply by providing IdP metadata and invoking the flow. If you were to remove the \"SAML2.SSO\" bean from the DefaultRelyingParty's ","type":"text"},{"text":"profileConfigurations","type":"text","marks":[{"type":"code"}]},{"text":" property, the flow would fail to operate. In the same way, creating an override that applies to the proxied IdP with a customized bean will adjust the behavior of the profile in a variety of ways that mirror the use of the settings in the opposite direction.","type":"text"}]},{"type":"paragraph","content":[{"text":"Not all the settings actually apply to the proxying use case, but most of them have an analog interpretation and some are specific to proxying.","type":"text"}]},{"type":"paragraph","content":[{"text":"There are also some defaults that act somewhat differently depending on which use case is involved. The ","type":"text"},{"text":"forceAuthn","type":"text","marks":[{"type":"code"}]},{"text":" setting for example can be turned on normally to forcibly apply that option to the request issued, but the default is not actually false when proxying but rather passes through whatever setting was in effect from the original request from the SP.","type":"text"}]},{"type":"paragraph","content":[{"text":"Similarly, the ","type":"text"},{"text":"defaultAuthenticationMethods","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"authnContextComparison","type":"text","marks":[{"type":"code"}]},{"text":" properties default to nothing normally but when proxying cause the original SP's requirements to be expressed to the proxied IdP in possibly translated form. There is some more general material on the mapping of ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" requirements in the ","type":"text"},{"text":"parent topic","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505085"}}]},{"text":", under Advanced Topics → Proxying → Authentication Type Mapping.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note that as with all other profile configuration behavior, it's possible to ","type":"text"},{"text":"leverage metadata extension tags","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199508127"}}]},{"text":" to drive these settings.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference","type":"text"}]},{"type":"expand","attrs":{"title":"Beans"},"content":[{"type":"paragraph","content":[{"text":"The following beans if needed may be defined in ","type":"text"},{"text":"global.xml","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"c4e2657b-b018-4e24-a50b-972feb389ceb"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[545.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID / Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[630.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[545.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.SAML.discoveryFunction","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[630.0]},"content":[{"type":"paragraph","content":[{"text":"Used to derive entityID of IdP to use if not using a static property and IdP Discovery is not performed prior to flow operation","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[545.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.SAML.externalAuthnPathStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[630.0]},"content":[{"type":"paragraph","content":[{"text":"Optional function bean to override the redirection expression to use for the protected resource","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[545.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.SAML.resultCachingPredicate","type":"text"}]},{"type":"paragraph","content":[{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[630.0]},"content":[{"type":"paragraph","content":[{"text":"Bean that can be defined to control whether to preserve the authentication result in an IdP session","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[545.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.authn.SAML.attributeExtractionStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"Collection","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.Collection?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"IdPAttribute","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.attribute.IdPAttribute"}}]},{"text":">>","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[630.0]},"content":[{"type":"paragraph","content":[{"text":"Optional custom function to produce additional IdPAttributes from the SAML response","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"SAML-Specific Properties"},"content":[{"type":"paragraph","content":[{"text":"The properties specific to this flow defined in ","type":"text"},{"text":"authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":" are:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"33f88188-7ee7-48b7-99d0-72769174f6f8"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[435.0]},"content":[{"type":"paragraph","content":[{"text":"Name / Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[528.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[435.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.externalAuthnPath","type":"text"}]},{"type":"paragraph","content":[{"text":"URL path","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"servletRelative:/Authn/SAML2/POST/SSO","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[528.0]},"content":[{"type":"paragraph","content":[{"text":"Spring Web Flow redirection expression for the IdP's AssertionConsumerService, defaults to “”","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[435.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.proxyEntityID","type":"text"}]},{"type":"paragraph","content":[{"text":"URI","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[528.0]},"content":[{"type":"paragraph","content":[{"text":"Statically-defined entityID of IdP to use for authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[435.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.assertionValidator","type":"text"}]},{"type":"paragraph","content":[{"text":"AssertionValidator","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.saml.saml2.assertion.AssertionValidator"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[528.0]},"content":[{"type":"paragraph","content":[{"text":"Optional bean ID of ","type":"text"},{"text":"AssertionValidator","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.saml.saml2.assertion.AssertionValidator"}}]},{"text":" to run","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[435.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.NameIDLookupStrategy","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"String","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.lang.String?module=java.sql"}}]},{"text":"> ","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[528.0]},"content":[{"type":"paragraph","content":[{"text":"Optional bean ID of function to return a value to include in the AuthnRequest’s Subject element","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[435.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.convertUnknownPrincipals ","type":"text"},{"text":"5.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]},{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[528.0]},"content":[{"type":"paragraph","content":[{"text":"Affects the handling of unrecognized Principal types returned from the defaultAuthenticationMethods profile configuration setting when building SAML requests. Normally they are ignored, but when true, the underlying string value will be extracted and wrapped in a SAML ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" in the request.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[435.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.outboundMessageHandlerFunction","type":"text"}]},{"type":"paragraph","content":[{"text":"Function","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Function?module=java.sql"}}]},{"text":"<","type":"text"},{"text":"MessageContext","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.net/cgi-bin/java-opensaml.cgi/org/opensaml/messaging/context/MessageContext"}}]},{"text":",Exception> ","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[318.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[528.0]},"content":[{"type":"paragraph","content":[{"text":"Optional bean ID of function that can apply logic prior to the signing and encoding steps for the request. The function should return null on success but may return an exception to signal a failure.","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"General Properties"},"content":[{"type":"paragraph","content":[{"text":"The general properties configuring this flow via ","type":"text"},{"text":"authn/authn.properties","type":"text","marks":[{"type":"em"}]},{"text":" are:","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"526a4f25-4353-44ce-bac6-5b8b51a5c9ec"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.order","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"1000","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Flow priority relative to other enabled login flows (lower is \"higher\" in priority)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.nonBrowserSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow should handle non-browser request profiles (e.g., ECP)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.passiveAuthenticationSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow allows for passive authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.forcedAuthenticationSupported","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow supports forced authentication","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.proxyRestrictionsEnforced","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.enforceProxyRestrictions:true}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow enforces upstream IdP-imposed restrictions on proxying","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.proxyScopingEnforced","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.discoveryRequired","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to invoke IdP-discovery prior to running flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.lifetime","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.defaultLifetime:PT1H}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Lifetime of results produced by this flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.inactivityTimeout","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"%{idp.authn.defaultTimeout:PT30M}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Inactivity timeout of results produced by this flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.lifetimeStrategy ","type":"text"},{"text":"5.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Function returning null","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of Function<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",Duration> overriding a specific result’s lifetime","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.inactivityTimeoutStrategy ","type":"text"},{"text":"5.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Function returning null","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of Function<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",Duration> overriding a specific result’s inactivity timeout","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.reuseCondition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.Conditions.TRUE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":"> controlling result reuse for SSO","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.activationCondition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"shibboleth.Conditions.TRUE","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":"> determining whether flow is usable for request","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.subjectDecorator","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID of ","type":"text"},{"text":"BiConsumer","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.BiConsumer"}}]},{"text":"<","type":"text"},{"text":"ProfileRequestContext","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.profile.context.ProfileRequestContext"}}]},{"text":",","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":"> for subject customization","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.supportedPrincipals","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"(see below)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Comma-delimited list of protocol-specific ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" strings associated with flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.addDefaultPrincipals","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Whether to auto-attach the preceding set of ","type":"text"},{"text":"Principal","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.security.Principal"}}]},{"text":" objects to each ","type":"text"},{"text":"Subject","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/javax.security.auth.Subject"}}]},{"text":" produced by this flow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[451.0]},"content":[{"type":"paragraph","content":[{"text":"idp.authn.SAML.c14n.flows ","type":"text"},{"text":"5.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[450.0]},"content":[{"type":"paragraph","content":[{"text":"Comma-delimited list of c14n methods (beans) to run after use of this login flow","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"While the default principal support is a typical password-centric set, in most cases the ","type":"text"},{"text":"addDefaultPrincipals","type":"text","marks":[{"type":"code"}]},{"text":" property is left false and the values used in responses will be mapped from the value supplied by the proxied IdP. However, to handle requests properly, the ","type":"text"},{"text":"supportedPrincipals","type":"text","marks":[{"type":"code"}]},{"text":" property may need to be adjusted to account for the possible values that SPs should be allowed to request.","type":"text"}]}]},{"type":"expand","attrs":{"title":"Flow Descriptor XML"},"content":[{"type":"paragraph","content":[{"text":"To replace the internally defined flow descriptor bean, the following XML is required:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n \n \n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"In older versions and upgraded systems, this list is defined in ","type":"text"},{"text":"conf/authn/general-authn.xml","type":"text","marks":[{"type":"em"}]},{"text":". In V5, no default version of the list is provided and it may simply be placed in ","type":"text"},{"text":"conf/global.xml","type":"text","marks":[{"type":"em"}]},{"text":" if needed.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"More Examples","type":"text"}]},{"type":"paragraph","content":[{"text":"These are non-curated examples from contributors to supplement the core documentation.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1459979597"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1467056889"}},{"text":" ","type":"text"}]}]}]},{"type":"paragraph"}],"version":1}