Options common to profiles that perform authentication:
|postAuthenticationFlows||List<String>||Ordered list of profile interceptor flows to run after successful authentication|
|defaultAuthenticationMethods||List<Principal>||Ordered list of Java Principals to be used to select appropriate login flow(s) to attempt, in the event that a relying party does not signal a preference. See AuthenticationFlowSelection.|
|nameIDFormatPrecedence||List<String>||Ordered list of NameID Format(s) to select for use, in the event that a relying party does not signal a preference. This is nominally SAML-specific but may be adapted for use with other supported protocols as circumstances warrant.|
|forceAuthn 3.4||Boolean||false||Disallows use (or reuse) of authentication results and login flows that don't provide a real-time proof of user presence in the login process|
postAuthenticationFlows property is used to apply special processing to requests, such as attribute release consent, password expiration warnings, authorization checks, or other custom processing.
With the increased use of multi-factor authentication, it is more common to find RPs that can specify authentication requirements, but there are still many cases, particular with commercial services, in which it becomes necessary to force the use of specific login methods. This can be achieved using the
defaultAuthenticationMethods property by specifying one or more corresponding Principals to trigger the use of stronger methods.
Note that you must also prevent a malicious actor from overriding this preference for a SAML 2.0 SP by manufacturing a request, via one of two means:
- For a SAML 2.0 SP that can sign its requests, its metadata can be modified with the
AuthnRequestsSignedflag to indicate that its requests must be signed.
- Alternatively, the
disallowedFeaturesproperty may be set with the SAML2.SSO.FEATURE_AUTHNCONTEXT bean to block use of the SAML 2.0
At present, no other authentication profiles support a feature capable of requesting the authentication method.
nameIDFormatPrecedence property is a common way of controlling the type of SAML NameIdentifier / NameID included in a response, a common requirement of many commercial services. It is in fact the only way to force the use of the ill-advised "
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" Format, which it must be noted is very rarely needed, despite frequent mis-documentation to the contrary.
In most cases, it is better to control the Format selected by including a
<NameIDFormat> element in the SP's metadata. In the event that you don't control the metadata, you can inject the required element by applying a metadata filter.