Page tree
Skip to end of metadata
Go to start of metadata

File(s): conf/authn/*, conf/c14n/*

Format: Native Spring, Properties

Overview

The files in conf/authn/ collectively configure authentication both generally and the specific mechanisms that are built-in to the software. You will likely only ever look at a few of them, depending on which login methods you want to use. Authentication is heavily based on Spring Web Flow; selection of the mechanisms to invoke and each individual mechanism are implemented as "subflows" that run inside of the top-level web flows that service requests.

Authentication/login subflows make use of SWF's support for presentation views and state transitions instead of a servlet-based design. However, because of SWF's handling of URLs, there are cases in which use of a subflow exclusively is problematic, and so a defined External method for branching out to a servlet design is also provided. Other methods are built on top of that same approach when necessary.

Complex SP-driven mechanism selection criteria are supported; assuming prior configuration, all of the SAML 2 operators (exact, minimum, maximum, better) for requesting authentication context types can be supported, though exact matching is obviously much cleaner.

While fully decoupled from the authentication layer, session management is obviously a related topic. Most session management configuration is automatic, and the properties that can override the defaults are documented here. It's possible to fully disable the session mechanism and turn off SSO globally with a single property. The default session mechanism is a client-side storage option using encrypted HTML Local Storage or cookies. This mechanism depends on the configuration of a secret key shared by all IdP servers.

Authentication configuration is divided into general and mechanism-specific parts. Separate topics exist for each mechanism included with the software and certain other subtopics.

See the Authentication topic for extensive discussion of the design of this layer, and how to use and extend it (e.g. how to build a custom login flow of your own design).

General Configuration

Each mechanism for authentication is called an authentication flow (or login flow), and each flow has a corresponding bean defined inside the system. These beans are of a specific class, AuthenticationFlowDescriptor, and include a number of settings that influence whether a mechanism can be used for specific requests and control other behavior.

There are significant differences in the OOB approach to configuration for new installs of V4.1 compared to V4.0 or upgraded systems. The tabs below (and elsewhere in the page) provide the relevant information for each version, and where applicable information on taking advantage of new approaches after upgrading.

The authn/general-authn.xml file is where all supported login flows are described to the system. They can be enabled and disabled with a property, so even when defined they can be globally activated or deactivated without editing this file.

The file contains a Spring list bean named shibboleth.AvailableAuthenticationFlows containing a bean for each flow.

The id property of each descriptor is not arbitrary. It MUST be prefixed by "authn/" and it corresponds to a web flow definition. The predefined beans correspond to built-in flows.

Even if a flow is defined to the system, it is not necessarily available for use at runtime. The overall list of enabled flows is controlled using the idp.authn.flows property that expresses the flows to enable. Any flow not enabled will be ignored, except in special cases such as direct use from within the MFA flow.

The parent bean for all flows is defined in a system file and looks like this:

Parent bean for Authentication Flow Descriptors
    <bean id="shibboleth.AuthenticationFlow" abstract="true"
            class="net.shibboleth.idp.authn.AuthenticationFlowDescriptor"
            p:resultSerializer-ref="shibboleth.DefaultAuthenticationResultSerializer"
            p:passiveAuthenticationSupported="false"
            p:forcedAuthenticationSupported="false"
            p:nonBrowserSupported="true"
            p:lifetime="%{idp.authn.defaultLifetime:PT60M}"
            p:inactivityTimeout="%{idp.authn.defaultTimeout:PT30M}"
			p:principalWeightMap="#{getObject('shibboleth.AuthenticationPrincipalWeightMap')}">
        <property name="supportedPrincipals">
            <list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
            </list>
        </property>
    </bean>

The comments in general-authn.xml and the system bean above describe some of the defaults, and illustrate how to define a non-password-based mechanism (IPAddress or X509), which requires overriding the supportedPrincipals property to prevent misuse.

This property is used to associate a flow with any number of custom objects that represent, in the specific case of SAML, SAML 1 AuthenticationMethod or SAML 2 <AuthnContextClassRef> or <AuthnContextDeclRef> constants. These are URI constants that represent different kinds of authentication. They can also be used to represent more advanced concepts such as identity proofing and auditing requirements which go beyond just technology choices.

To associate these constants with a flow, beans are used that inherit from one of the following built-in beans:

  • shibboleth.SAML2AuthnContextClassRef
  • shibboleth.SAML2AuthnContextDeclRef
  • shibboleth.SAML1AuthenticationMethod

As a caution, if you add a custom flow or make use of one of the technology-independent flows in a way that is not password-based, don't forget to override the supportedPrincipals property, or you will create problems for any SPs that are attempting to request stronger authentication methods. It's very easy to accidentally "lie" to the world by misconfiguring the IdP, because the software can't read your mind to understand your intentions, and it only knows what you tell it. A complete explanation of how the selection process works is here.

Note that if you associate more than one such constant/bean with a flow, the IdP will ordinarily pick one at random to use as a SAML "result" when it builds an assertion, assuming the SP didn't request a specific one. If you need to guarantee that a particular one will be used as a default, you can assign "weights" to them in a map bean that's defined in the general-authn.xml file named shibboleth.AuthenticationPrincipalWeightMap.

V4.1 introduces Modules, and the individual login flows have been converted into modules that can be enabled and disabled. This approach is addressed within the pages that document all the flows.

The primary means of configuring authentication, and particular login flows, is via the file authn/authn.properties. Most of the settings in this file are commented out and defaulted, so setting the ones you need generally involves uncommenting them.

Even though a login flow exists, it is not necessarily available for use at runtime. The overall list of enabled flows is controlled using the idp.authn.flows property that expresses the flows to enable as a regular expression (usually of the form "Method1|Method2|Method3"). Any flow not enabled will be ignored, except in the case of direct use from within the MFA flow.

Every login flow known to the system auto-registers itself with defaults that can be overridden by setting corresponding properties, generally with the naming convention "idp.authn.Method.setting".

For reference or for those whose understanding may be aided by seeing the actual wiring, you can see the XML that allows all the properties to slot in here, but it's not essential to using the properties or understanding what they do.

Generally the settings that are supported by properties have simple syntaxes that lend themselves to property use, or will identify the name of a bean that provides more complex behavior. A notable exception to this simple syntax are the "supportedPrincipals" properties, which are used to attach SAML (or in theory other) representations of authentication "types" to the login flows so that the system is able to abstractly recognize when a particular login flow can be used to satisfy a particular request (e.g., how to tell that a request for certificate-based authentication should not attempt to use the Password flow).

To avoid the need for Java beans, a string-based parsing trick is used to consume this property in the form of a comma-delimited list of strings, typically expressed as a multi-line property for readability. The syntax for this should be apparent from the commented examples, but each value is a prefix (typically "saml2" or "saml1") and a principal value separated by a slash. This will attach the corresponding AuthnContextClassRefPrincipal or AuthenticationMethodPrincipal beans in the configuration.

As a caution, if you add a custom flow or make use of one of the technology-independent flows in a way that is not password-based, don't forget to override the corresponding supportedPrincipals property, or you will create problems for any SPs that are attempting to request stronger authentication methods. It's very easy to accidentally "lie" to the world by misconfiguring the IdP, because the software can't read your mind to understand your intentions, and it only knows what you tell it. A complete explanation of how the selection process works is here.

Note that if you associate more than one supportedPrincipal value with a flow, the IdP will ordinarily pick one at random to use as a SAML "result" when it builds an assertion, assuming the SP didn't request a specific one. If you need to guarantee that a particular one will be used as a default, you can assign "weights" to them in a map bean that's defined in the authn-comparison.xml file named shibboleth.AuthenticationPrincipalWeightMap

Finally, note that in the rare case that multiple flows are enabled without making use of the MFA flow to control order, the various properties with the "order" suffix can be used to attach a non-default order value to particular flows, with lower values sorted before higher. You usually won't need to bother with this.

Upgrading from V4.0 and Earlier

The information above focuses on the "as-delivered" V4.1 defaults, which are considerably changed from earlier versions, and apply out of the box only to new installs. Upgraded systems, while they may contain combinations of old and new files, by design function the same as they used to for compatibility, and the new bits are generally ignored/overridden by the older settings.

With V4.1, the use of XML to configure many basic features has been minimized and replaced by simpler properties, with a new file (authn/authn.properties) added. Most of the properties in this file are commented out and largely ignored because they are superseded by the beans in the original authn/general-authn.xml file, which has been removed from new installations (but is still processed when present).

A handful of authentication-related properties that were in idp.properties in older releases have been moved to the new authn.properties file in this version for better locality of reference, but they are commented and authn.properties is not automatically processed by upgraded configurations, preventing any conflicts.

With this release, all beans of type AuthenticationFlowDescriptor are automatically recognized, obviating the need to define them by hand, which was the main purpose of the XML file. Instead, all of the built-in login flows are wired up internally with properties used to control settings rather than XML. For compatibility and for those who favor XML, any flow descriptor bean with a particular ID will supersede the internally wired bean for that flow (and the log notes this at startup).

For those wishing to migrate from the older approach to the newer approach (this is not required), removing authn/general-authn.xml, setting idp.searchForProperties to "true" in idp.properties, and setting any properties corresponding to non-default settings applied in the XML will provide equivalent behavior (and hopefully be easier to understand).

Another generally minor function of the XML file was to establish the order by which the IdP would attempt to use any methods applicable to a request. If this matters, a property for each method with the "order" suffix (e.g., idp.authn.Password.order) can be set to a value other than the default to sort methods relative to each other. Lower values are tried first.

As a minor note, the bean named shibboleth.AuthenticationPrincipalWeightMap was moved from general-authn.xml (which was removed) to authn-comparison.xml (which remains). It doesn't matter which file it's in (and any given system when appropriate install/upgrade procedures are followed will only contain one copy of it).

In addition to the properties that essentially supplant the general-authn.xml file, there are other properties (again mostly commented) that replace many of the simple settings from the myriad XML files that used to be required to configure the individual login flows. While they are covered in more detail in those topics, as a general matter the intent is to minimize the need for some of those files, and the aforementioned Module change removes most of them from the default install. The properties only apply when the original XML-defined beans they replace are absent.

Login Flows

Login flows provided with the software are listed below with links to their associated documentation:

Post-Login Canonicalization

This particular use of subject canonicalization (or c14n) is referred to as post-login c14n and the input is an instance of a Java Subject, which is a fairly open-ended object that can contain any number of custom Principal objects and collections of public and/or private credentials. The IdP generally doesn't make much use of the credential collections, but does populate the Principal collection and uses that heavily.

With most login flows, the Subject is typically fairly simple and often contains a UsernamePrincipal that carries a username set by the login flow, often directly or based on something entered by a user. In the simple case, the "right" canonical value may just be that name, and nothing needs to be configured, it will simply happen automatically. In less common cases, you may need to configure a more advanced c14n subflow to do your bidding, or create one of your own design.

The post-login c14n flows provided with the software are listed below:

The first two are enabled by default, while the third requires additional configuration to operate sensibly and the fourth is for specialized use when proxying authentication to a different SAML IdP.

Advanced Topics

Proxying

The IdP includes support for login methods that rely on another IdP to actually authenticate the subject, with the results used to produce the eventual responses to the proxying IdP's own services. This is a common feature of most other SAML software but is newer to Shibboleth.

There are a number of different low-level features included to better support this use case as well as to ensure that the default behavior aligns to the SAML 2.0 standard, which includes a number of precise rules for proxying and for limiting and even preventing proxying behavior.

You will find that virtually no software beyond Shibboleth supports these proxying controls and that they will be in violation of the standard with regard to how they work if you make use of them. This is familiar territory to Shibboleth deployers.

As a rule, the IdP doesn't explicitly assume that a given login flow is or isn't a form of proxy authentication. It defaults to certain assumptions but relies on the deployer to tell it when proxying is involved by adjusting properties (in V4.1 via authn/authn.properties), or by editing XML (in V4.0 on the beans defined in authn//general-authn.xml).

The topic of Proxying goes a fair bit beyond authentication considerations, but some of the considerations are summarized here. The rest are mostly in the areas of SubjectCanonicalizationConfiguration, AttributeResolverConfiguration, and AttributeFilterConfiguration.

IdP Discovery

When proxying, the IdP now supports calling out to a standardized discovery service.

This can be enabled for login flows designed to allow for proxying by enabling the discoveryRequired property on the login flow descriptor bean and configuring the location of the discovery service via conf/authn/discovery-config.xml

If your system was upgraded and continues to rely on the legacy conf/authn/general-authn.xml file, refer to the V4.0 tab instead.

This can be enabled for login flows designed to allow for proxying by enabling the corresponding flow-specific "discoveryRequired" property in conf/authn/authn.properties and setting the idp.authn.discoveryURL property to the location of the discovery service.

A successful discovery result will make the value returned available via AuthenticationContext.getAuthenticatingAuthority() and will be automatically used by login flows designed to take advantage of it.

Scoping

Another point of policy is honoring the <saml2:Scoping> element if included by an SP in its request. This allows an SP to disallow proxying, or control the length of the proxy chain. The IdP doesn't normally enforce this for most login flows because it assumes that it isn't proxying. Out of the box, only the new SAML login flow is designated to enforce this control, but the proxyScopingEnforced property can be enabled for a login flow when applicable. Of course, this also means you can bypass the control when really proxying by turning it off. Doing so is a standards violation and a generally slimy thing to do.

Forced Authentication

Another assumption the system makes is that a request asking for forced authentication (the ForceAuthn flag in SAML or similar features in other protocols) should be relayed to a proxied IdP. This is the default, but can be overridden on a per-IdP basis via Profile Configuration by explicitly turning off the setting.

Authentication Type Mapping

Finally, a potentially complex issue arises when it comes to passing SAML <AuthnContextClassRef> values and comparable constructs in other protocols back and forth across the proxy boundary. In many cases, the values used on the inside and outside are different. The IdP provides pluggable hooks for this, but defaults to allowing the use of pre-defined map beans to express the relationships in both directions. The beans are defined in conf/authn/authn-comparison.xml (if you upgraded, compare your copy to the distributed version to see the new settings):

  • shibboleth.PrincipalProxyRequestMappings
    • These are rules for turning the values that apply to, or are contained in, SP requests into new values to express in a request issued to a proxied IdP.
  • shibboleth.PrincipalProxyResponseMappings
    • These are rules for turning the values that appear in proxied IdP responses into new values to capture in the resulting subject's authentication record and subsequently potentially used in responses to SPs.

In both cases:

  • Omitting an explicit mapping rule will result in the value being copied unmodified.
  • A key with an empty list as a value will be suppressed and not included at all.
  • Explicit mappings will turn an instance of the key into one or more values.

This is hopefully sufficient for most basic proxying scenarios, and is adapatable to all supported protocols now and in the future.

Note that this does not currently extend to the practice of expressing this information using SAML Attributes. This overlaps with the function of the <AuthnContext> element and does not have any supporting guidance in the standard that would indicate it's an appropriate thing to do, as Attributes are about the Subject of an Assertion, not about the act of authentication that led to one.

Custom Events

More typically in the Password or MFA flows, but also generally, it's possible for login flows to return custom Spring Web Flow events in addition to the events that are hardwired into the system. This typically arises as a result of mapping a specific error message to an event by means of a "classified message" map, or in advanced cases might be triggered by a button or other user input on a login form to cause some other login method to execute.

To support this, it's not sufficient to just signal or map a message to the event; you must also define the event to the system by editing conf/authn/authn-events-flow.xml. There are two steps needed: adding an <end-state> for the event and adding a <transition> rule to authorize the event as a signal to cause the flow to terminate with that state. The file includes commented examples, and a sample is shown below that authorizes "MyCustomEvent" to be surfaced:

Authorizing custom login flow events in conf/authn/authn-events-flow.xml
    <end-state id="MyCustomEvent" />

    <global-transitions>
        <transition on="MyCustomEvent" to="MyCustomEvent" />
        <transition on="#{!'proceed'.equals(currentEvent.id)}" to="InvalidEvent" />
    </global-transitions>

In many cases, you also want this custom event to result in a custom error message/page at the IdP rather than a response to the SP. This isn't the default for most events, but you can modify the shibboleth.LocalEventMap bean in conf/errors.xml to change the behavior, and add custom error messages for the standard error view to messages/messages.properties. See ErrorHandlingConfiguration for details.

Reference

Because there are a variety of different login methods, most of the actual configuration is documented in the relevant topics covering those methods, but there are a few general properties used, and a larger set of properties that control the management of sessions, which are of course related to authentication.

Worthy of note, you can switch to server-side storage of user sessions by setting the idp.session.StorageService property to shibboleth.StorageService, or an alternative defined by you.

The most important property to note, and the only one that MUST be set is the idp.authn.flows property. This is a regular expression that identifies the flows defined in general-authn.xml to enable. The expression applies only to the suffix of each flow ID (omitting the authn/ prefix), and the simplest way to express this is with a pipe (|) separated list of the flow names, e.g., flow1|flow2|flow3

Property / Type

Default

Function

idp.session.enabled

Boolean

true

Whether to enable the IdP's session tracking feature

idp.session.StorageService

Bean ID of StorageService

shibboleth.ClientSessionStorageService

Bean name of a storage implementation/configuration to use for IdP sessions

idp.session.idSize

Integer

32Number of characters in IdP session identifiers

idp.session.consistentAddress

Boolean

trueWhether to bind IdP sessions to IP addresses

idp.session.consistentAddressCondition

BiPredicate<String,String>

Direct string comparisonA 2-argument predicate that compares a bound session's address to a client address

idp.session.timeout

Duration

PT60MInactivity timeout policy for IdP sessions (must be non-zero)

idp.session.slop

Duration

0Extra time after expiration before removing SP sessions in case a logout is invoked

idp.session.maskStorageFailure

Boolean

falseWhether to hide storage failures from users during session cache reads/writes

idp.session.trackSPSessions

Boolean

falseWhether to save a record of every SP accessed during an IdP session (requires a server-side session store or HTML LocalStorage)

idp.session.secondaryServiceIndex

Boolean

falseWhether to track SPs on the basis of the SAML subject ID used, for logout purposes (requires SP session tracking be on)

idp.session.defaultSPlifetime

Duration

PT2HDefault length of time to maintain record of an SP session (must be non-zero), overridable by relying-party-specific setting

idp.authn.flows

Regular Expression


Expression that identifies the login flows to globally enable

idp.authn.defaultLifetime

Duration

PT60MDefault amount of time to allow reuse prior authentication flows, measured since first usage

idp.authn.defaultTimeout

Duration

PT30MDefault inactivity timeout to prevent reuse of prior authentication flows, measured since last usage

idp.authn.favorSSO

Boolean

false

Whether to prioritize prior authentication results when an SP requests more than one possible matching method

idp.authn.rpui

Boolean

trueWhether to populate information about the relying party into the tree for user interfaces during login and interceptors

idp.authn.identitySwitchIsError

Boolean

false

Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session.

The properties prefixed by "idp.authn." have been moved by default to the new conf/authn/authn.properties file (together with a large set of additional method-specific ones documented elsewhere). Upgraded systems should take care to either ignore that new file, or explicitly bring it into use by moving any non-defaulted settings from idp.properties into it. The ReleaseNotes describe how to automatically load this, and any other, new property files.

Because there are a variety of different login methods, most of the actual configuration is documented in the relevant topics covering those methods, but there are a few general properties used, and a larger set of properties that control the management of sessions, which are of course related to authentication.

Worthy of note, you can switch to server-side storage of user sessions by setting the idp.session.StorageService property to shibboleth.StorageService, or an alternative defined by you.

The most important property to note is the idp.authn.flows property. This is a regular expression that identifies the login flows to enable. The expression applies only to the suffix of each flow ID (omitting the authn/ prefix), and the simplest way to express this is with a pipe (|) separated list of the flow names, e.g., flow1|flow2|flow3

Note that as of V4.1, this property defaults to "Password" simply to ensure the system can minimally operate out of the box and because that's the most common method.

Property / Type

Default

Function

idp.session.enabled

Boolean

true

Whether to enable the IdP's session tracking feature

idp.session.StorageService

Bean ID of StorageService

shibboleth.ClientSessionStorageService

Bean name of a storage implementation/configuration to use for IdP sessions

idp.session.idSize

Integer

32Number of characters in IdP session identifiers

idp.session.consistentAddress

Boolean

trueWhether to bind IdP sessions to IP addresses

idp.session.consistentAddressCondition

BiPredicate<String,String>

Direct string comparisonA 2-argument predicate that compares a bound session's address to a client address

idp.session.timeout

Duration

PT60MInactivity timeout policy for IdP sessions (must be non-zero)

idp.session.slop

Duration

0Extra time after expiration before removing SP sessions in case a logout is invoked

idp.session.maskStorageFailure

Boolean

falseWhether to hide storage failures from users during session cache reads/writes

idp.session.trackSPSessions

Boolean

falseWhether to save a record of every SP accessed during an IdP session (requires a server-side session store or HTML LocalStorage)

idp.session.secondaryServiceIndex

Boolean

falseWhether to track SPs on the basis of the SAML subject ID used, for logout purposes (requires SP session tracking be on)

idp.session.defaultSPlifetime

Duration

PT2HDefault length of time to maintain record of an SP session (must be non-zero), overridable by relying-party-specific setting

idp.authn.flows

Regular Expression

V4.0:, no internal default

V4.1+: "Password"

Regular expression that identifies the login flows to globally enable

idp.authn.defaultLifetime

Duration

PT60MDefault amount of time to allow reuse prior authentication flows, measured since first usage

idp.authn.defaultTimeout

Duration

PT30MDefault inactivity timeout to prevent reuse of prior authentication flows, measured since last usage

idp.authn.proxyRestrictionsEnforced 4.1

Boolean

trueWhether to enforce restrictions placed on further proxying of assertions from upstream IdPs when relying on proxied authentication

idp.authn.favorSSO

Boolean

false

Whether to prioritize prior authentication results when an SP requests more than one possible matching method

idp.authn.rpui

Boolean

trueWhether to populate information about the relying party into the tree for user interfaces during login and interceptors

idp.authn.identitySwitchIsError

Boolean

false

Whether to fail requests if a user identity after authentication doesn't match the identity in a pre-existing session

idp.authn.discoveryURL 4.1

String


Provides a static discovery URL to use for external discovery; this property replaces the need for the XML-defined bean used in V4.0 for this purpose

Beans related for general authentication configuration follow:

Bean ID

Type

Function

shibboleth.AvailableAuthenticationFlowsList<AuthenticationFlowDescriptor>List of descriptors enumerating the supported authentication flows that can be used
shibboleth.AuthenticationPrincipalWeightMapMap<Principal,Integer>Map of weights to assign to particular custom Principal objects so that flows can pick an appropriate default Principal to associate with their result (see comment in file for more detail)
shibboleth.AuthenticationFlowAuthenticationFlowDescriptorParent bean for defining new flow descriptors, generally only needed by extension developers
shibboleth.SAML2AuthnContextClassRefAuthnContextClassRefPrincipalParent bean for attaching SAML 2.0 AuthnContextClassRef constants to flows
shibboleth.SAML2AuthnContextDeclRefAuthnContextDeclRefPrincipalParent bean for attaching SAML 2.0 AuthnContextDeclRef constants to flows
shibboleth.SAML1AuthenticationMethodAuthenticationMethodPrincipalParent bean for attaching SAML 1.1 AuthenticationMethod constants to flows
shibboleth.DefaultPrincipalSerializers

List<PrincipalSerializer>

Default list of principal serializer plugins needed to support storage of authentication results
shibboleth.DefaultPrincipalSymbolicsMap<String,Integer>Default mappings that shrink authentication result data by storing commonly seen strings as numbers
shibboleth.PrincipalSerializers

List<PrincipalSerializer>

User-supplied list of values to merge into shibboleth.DefaultPrincipalSerializers bean
shibboleth.PrincipalSymbolicsMap<String,Integer>User-supplied list of values to merge into shibboleth.DefaultPrincipalSymbolics bean

shibboleth.FixedAuthenticationEventStrategy

Function<ProfileRequestContext,String>

Function for producing a Spring WebFlow Event to signal from login flow validation actions to artifically test error or warning customizations.

The following beans are used to configure IdP Discovery when proxying.

Bean IDTypeFunction
shibboleth.authn.discoveryURLString

An explicit Discovery Service URL
(supplanted in V4.1 by the idp.authn.discoveryURL property)

shibboleth.authn.discoveryURLStrategyFunction<ProfileRequestContext,String>A function to apply to produce the Discovery Service URL
The following beans are used to configure comparison rules for custom Principals to support rules for login flow selection when requests specify particular methods, as described in AuthenticationFlowSelection.
Bean IDTypeFunction
shibboleth.AuthnComparisonRulesMap used as constructor argument to PrincipalEvalPredicateFactoryRegistryMap of comparison rules

shibboleth.SAMLAuthnMethodExact
shibboleth.SAMLACClassRefExact
shibboleth.SAMLACDeclRefExact

shibboleth.SAMLACClassRefMinimum
shibboleth.SAMLACDeclRefMinimum
shibboleth.SAMLACClassRefMaximum

shibboleth.SAMLACDeclRefMaximum
shibboleth.SAMLACClassRefBetter
shibboleth.SAMLACDeclRefBetter

Pair<Class<? extends Principal>, String>Pairs of custom Principal types and matching operators for all the SAML 1.1 and 2.0 principal and comparison types supported, used as keys for the shibboleth.AuthnComparisonRules map
shibboleth.ExactMatchFactory
shibboleth.InexactMatchFactory
PrincipalEvalPredicateFactoryTemplate beans for values of the shibboleth.AuthnComparisonRules map

shibboleth.BetterClassRefMatchFactory
shibboleth.MinimumClassRefMatchFactory
shibboleth.MaximumClassRefMatchFactory

shibboleth.BetterDeclRefMatchFactory
shibboleth.MinimumDeclRefMatchFactory
shibboleth.MaximumDeclRefMatchFactory

PrincipalEvalPredicateFactoryBeans supplying matching rules for implementing SAML 2.0 "inexact" comparisons of AuthnContextClassRef or AuthnContextDeclRef constants
shibboleth.IgnoredContexts
Collection<String>A collection of SAML 2.0 AuthnContextClassRef or AuthnContextDeclRef values to ignore if found in an <AuthnRequest> message
shibboleth.PrincipalProxyRequestMappingsMap<Principal,Collection<Principal>>Mapping rules for transforming values in requests into new values in proxied requests
shibboleth.PrincipalProxyResponseMappingsMap<Principal,Collection<Principal>>Mapping rules for transforming values in proxied responses into new values

V3 Compatibility

Authentication is substantially compatible with V3 except for the removal of some advanced, deprecated features that are replaced by the MFA login flow.

The Password login flow has been enhanced with more flexibility but is designed to be backward-compatible with the simpler options from V3 and in most cases should not require configuration changes, with the possible exception of the LDAP back-end if you have made significant customizations to the ldap-authn-config.xml file.

V4.1 adds a large number of changes that, while backward-compatible, provide alternative property-based ways to configure many standard features without the need for as many XML files. The general section includes material on how to migrate to this approach.

  • No labels