
The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.


This feature depends on V3.4.0 of the IdP software.

Current File(s): conf/authn/function-authn-config.xml

Format: Native Spring


The authn/Function login flow is an extension point that allows authentication to be handled by a deployer-supplied Function object, which can be written in Java, a scripting language, etc. It simplifies authoring certain kinds of custom login flows (essentially it provides the "flow" part) and potentially simplifies some MultiFactorAuthnConfiguration scenarios by moving some of the logic into a separate component.

General Configuration

Use authn/function-authn-config.xml to configure this flow. Only a couple of beans are defined, chiefly the core of the flow, a required bean named shibboleth.authn.Function.ResultLookupStrategy, of type Function<ProfileRequestContext,Object>.

If the function returns a null, then authentication fails (this is how to signal a controlled failure). Otherwise, the function can return a String (the username), a Principal, or a Subject, and the system will construct an appropriate AuthenticationResult around whatever is returned.
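
The return contract above, as an added example that is not code from the Shibboleth project: a Java function that accepts an identity placed in a request attribute by an upstream servlet filter, returning null for a controlled failure and a Principal otherwise. The class name, package, attribute name and validation pattern are assumptions; shibboleth.HttpServletRequest is the IdP's own request proxy bean.

```java
// Wiring in conf/authn/function-authn-config.xml (class name is hypothetical):
//   <bean id="shibboleth.authn.Function.ResultLookupStrategy"
//         class="org.example.idp.authn.FilterAttributeAuthnFunction">
//     <constructor-arg ref="shibboleth.HttpServletRequest" />
//   </bean>
package org.example.idp.authn;

import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;

import com.google.common.base.Function;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import org.opensaml.profile.context.ProfileRequestContext;

public class FilterAttributeAuthnFunction implements Function<ProfileRequestContext, Object> {

    /** Request attribute set by an upstream servlet filter (hypothetical name). */
    private static final String ATTR = "org.example.authenticated.user";

    /** Accept only short, simple account names; anything else is rejected. */
    private static final Pattern VALID = Pattern.compile("[a-z][a-z0-9._-]{0,63}");

    /** Thread-local proxy for the current request, injected by Spring. */
    private final HttpServletRequest request;

    public FilterAttributeAuthnFunction(final HttpServletRequest request) {
        this.request = request;
    }

    @Override
    @Nullable
    public Object apply(@Nullable final ProfileRequestContext input) {
        // Read a server-side attribute, not a header the client could set itself.
        final Object value = request.getAttribute(ATTR);
        if (!(value instanceof String)) {
            return null; // nothing asserted upstream: controlled failure
        }
        final String name = ((String) value).trim();
        if (!VALID.matcher(name).matches()) {
            return null; // malformed identity: fail rather than pass it on
        }
        // A Principal; returning the String itself or a Subject is also accepted.
        return new UsernamePrincipal(name);
    }
}
```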



Bean ID | Type | Default | Function
shibboleth.authn.Function.ResultLookupStrategy | Function<ProfileRequestContext,Object> | | A function to produce the authentication result (see above)
 | | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session
 | Boolean | true | Whether to add the content of the supportedPrincipals property of the underlying flow descriptor to the resulting Subject


