X509AuthnConfiguration

Current File(s): authn/authn.properties, edit-webapp/x509-prompt.jsp
Format: Properties, Native Spring

1 Overview
2 Enabling Module
3 General Configuration
- 3.1 global.xml
4 Reference
5 Notes

Overview

The authn/X509 login flow leverages any surrounding mechanism you have available for TLS client certificate authentication, provided the standard servlet request attribute (now "jakarta.servlet.request.X509Certificate") is populated. By default, this flow is configured without support for advanced authentication controls like passive or forced authentication since this is not generally possible with client certificate authentication.

The result of this flow is a Java Subject containing an X500Principal derived from the subject of the certificate, and the certificate is optionally added as a public credential of the Subject. Note that no actual "username" is produced; rather, a suitable post-login Subject Canonicalization flow must be enabled/configured to pull a suitable principal name out of the Subject.

This flow is implemented as a special case of the External flow that happens to use a supplied servlet to implement the External contract that supports extraction of the certificate from the request. Rather than customizing this flow, use the External flow directly to do more advanced things.

Note that if you have a web server that is configured to perform the certificate evaluation for you and populate a header or variable with the "username" to use based on the certificate, you almost certainly will want to use the RemoteUser flow instead. This flow pulls in the certificate as the primary result of the authentication and relies on downstream logic (often the x500 subject c14n flow) to get a username out of it.

Enabling Module

Configuring and using this feature requires that you first enable the "idp.authn.X509" module if it isn't already enabled. Systems upgraded from older releases generally come pre-enabled due to the prior state of the configuration tree.

(Windows)
C:\opt\shibboleth-idp> bin\module.bat -t idp.authn.X509 || bin\module.bat -e idp.authn.X509
 
(Other)
$ bin/module.sh -t idp.authn.X509 || bin/module.sh -e idp.authn.X509

General Configuration

Use authn/authn.properties to configure this flow.

Note for Upgraded Systems

Previous versions of the software relied on settings in web.xml to enable the required servlet and adjust its behavior, but this has been supplanted by an automatic registration process that allows the servlet to be registered at runtime and the settings controlled with Spring, allowing use of properties to control behavior.

Upgraded systems will continue to function as before, but new installs will depend solely on a single <context-param> defined in web.xml to enable the servlet that supports this feature, as discussed below.

Related, the old file conf/authn/x509-authn-config.xml is now supported only for compatibility and generally not installed or needed going forward.

A bean named shibboleth.authn.X509.TrustEngine can be defined to validate the client certificate chain. The best spot to define such a bean is usually conf/global.xml, as it needs to be in the root Spring context for the servlet to access it. Of course, it's often simpler and more common to do this validation using the web server itself, although that's less flexible.

An example of a PKIX-based TrustEngine declaration follows. Other types of trust engines are possible but in practice PKIX is the only practical way to validate end-entity certificates.

global.xml

<bean id="shibboleth.authn.X509.TrustEngine" parent="shibboleth.StaticPKIXTrustEngine"
	p:certificates="%{idp.home}/credentials/rootca.pem"
	p:checkNames="false"
	p:verifyDepth="1" />

The idp.authn.X509.externalAuthnPath property is the flow redirection path to either a JSP page allowing an explicit prompt for certificate authentication (and other messaging to the user), or directly to the authentication servlet, skipping the UI (which is at /Authn/X509). These are context-relative locations, and you can use any JSP page you choose. It can be modified if needed, but in most cases modifying this to anything but one of those two choices means the External flow is likely a better choice to use.

You can make the location dynamic via a bean of type Function<ProfileRequestContext,String> named shibboleth.authn.X509.externalAuthnPathStrategy

Reference

The beans defined, or expected to be defined, in authn/x509-authn-config.xml follow:

Bean ID / Type	Default	Description

Bean ID / Type	Default	Description
shibboleth.authn.X509.TrustEngine TrustEngine<X509Credential>		Bean ID of a TrustEngine to apply to the certificate; in the absence of this setting, the certificate is accepted with no additional checking
shibboleth.authn.X509.externalAuthnPathStrategy Function<ProfileRequestContext,String>	A constant function returning the bean value above.	A function that returns the redirection expression to use for the protected resource
shibboleth.authn.X509.ClassifiedMessageMap Map<String,Collection<String>>	Remaps NoCredentials and InvalidCredentials into ReselectFlow for fall-through behavior	A map between defined error/warning conditions and events and implementation-specific message fragments to map to them.
shibboleth.authn.X509.resultCachingPredicate Predicate<ProfileRequestContext>		An optional bean that can be defined to control whether to preserve the authentication result in an IdP session

The flow-specific properties usable via authn/authn.properties are:

Name	Default	Description

Name	Default	Description
idp.authn.X509.externalAuthnPath	contextRelative:x509-prompt.jsp	Spring Web Flow redirection expression for the protected resource
idp.authn.X509.saveCertificateToCredentialSet	true	Whether to save the certificate in the Subject’s public credential set

The general properties configuring this flow via authn/authn.properties are:

Name	Default	Description

Name	Default	Description
idp.authn.X509.order	1000	Flow priority relative to other enabled login flows (lower is "higher" in priority)
idp.authn.X509.nonBrowserSupported	false	Whether the flow should handle non-browser request profiles (e.g., ECP)
idp.authn.X509.passiveAuthenticationSupported	false	Whether the flow allows for passive authentication
idp.authn.X509.forcedAuthenticationSupported	false	Whether the flow supports forced authentication
idp.authn.X509.proxyRestrictionsEnforced	%{idp.authn.enforceProxyRestrictions:true}	Whether the flow enforces upstream IdP-imposed restrictions on proxying
idp.authn.X509.proxyScopingEnforced	false	Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying
idp.authn.X509.discoveryRequired	false	Whether to invoke IdP-discovery prior to running flow
idp.authn.X509.lifetime	%{idp.authn.defaultLifetime:PT1H}	Lifetime of results produced by this flow
idp.authn.X509.inactivityTimeout	%{idp.authn.defaultTimeout:PT30M}	Inactivity timeout of results produced by this flow
idp.authn.X509.reuseCondition	shibboleth.Conditions.TRUE	Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO
idp.authn.X509.activationCondition	shibboleth.Conditions.TRUE	Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request
idp.authn.X509.subjectDecorator		Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization
idp.authn.X509.supportedPrincipals	(see below)	Comma-delimited list of protocol-specific Principal strings associated with flow
idp.authn.X509.addDefaultPrincipals	true	Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow

As a non-password based flow, the supportedPrincipals property defaults to the following XML:

<list>
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
    <bean parent="shibboleth.SAML2AuthnContextClassRef"
        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
    <bean parent="shibboleth.SAML1AuthenticationMethod"
        c:method="urn:ietf:rfc:2246" />
</list>

In property form, this is expressed as (note the trailing commas):

To replace the internally defined flow descriptor bean, the following XML is required:

In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V5, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

Notes

Note that this flow is configured by default without support for non-browser profiles (namely ECP) because the X509Internal flow is a better choice when a browser isn't required. It eliminates the extra redirects (and the optional HTML UI) used by this flow.

Note that upgraded systems will have alternate, legacy approaches to configuring this feature, as noted above.