shib-storedid2computedid-ex.../conf/authn/password-authn-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
                           
       default-init-method="initialize"
       default-destroy-method="destroy">
    
    <!--
    Ordered list of CredentialValidators to apply to a request.
    
    The four supplied variants are shown below; the HTPasswd option
    is an OOB default for demo account purposes, and you will
    want to remove it after initial install and testing.
    -->
    <util:list id="shibboleth.authn.Password.Validators">
        <ref bean="shibboleth.LDAPValidator" />
        <!-- <ref bean="shibboleth.KerberosValidator" /> -->
        <!-- <ref bean="shibboleth.JAASValidator" /> -->
        <!-- <bean parent="shibboleth.HTPasswdValidator" p:resource="%{idp.home}/credentials/demo.htpasswd" /> -->
    </util:list>

    <!-- Apply any regular expression replacement pairs to username before validation. -->
    <util:list id="shibboleth.authn.Password.Transforms">
        <!--
        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />
        -->
    </util:list>
    
    <!-- Uncomment to configure account lockout backed by in-memory storage. -->
    <!--
    <bean id="shibboleth.authn.Password.AccountLockoutManager"
        parent="shibboleth.StorageBackedAccountLockoutManager"
        p:maxAttempts="5"
        p:counterInterval="PT5M"
        p:lockoutDuration="PT5M"
        p:extendLockoutDuration="false" />
    -->
      
    <!--
    Define entries here to map error messages detected by validation actions and classify them as particular
    kinds of errors for use in your templates and as events in flows.

    Keys are events to signal, values are error codes.
    -->
    <util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
        <entry key="UnknownUsername">
            <list>
                <value>NoCredentials</value>
                <value>UnknownUsername</value>
                <value>CLIENT_NOT_FOUND</value>
                <value>Client not found</value>
                <value>Cannot get kdc for realm</value>
                <value>Client not found in Kerberos database</value>
                <value>DN_RESOLUTION_FAILURE</value>
                <value>Cannot authenticate dn, invalid dn</value>
                <value>Cannot authenticate dn, invalid credential</value>
                <value>AcceptSecurityContext error, data 525</value>
            </list>
        </entry>
        <entry key="InvalidPassword">
            <list>
                <value>InvalidCredentials</value>
                <value>PREAUTH_FAILED</value>
                <value>INVALID_CREDENTIALS</value>
                <value>Checksum failed</value>
                <value>Integrity check on decrypted field failed</value>
                <value>Pre-authentication information was invalid</value>
                <value>Key bytes cannot be null</value>
                <value>AcceptSecurityContext error, data 52e</value>
            </list>
        </entry>
        <entry key="AccountLocked">
            <list>
                <value>AccountLocked</value>
                <value>Clients credentials have been revoked</value>
                <value>AcceptSecurityContext error, data 775</value>
            </list>
        </entry>
        <entry key="AccountDisabled">
            <list>
                <value>AcceptSecurityContext error, data 533</value>
            </list>
        </entry>
        <entry key="ExpiredPassword">
            <list>
                <value>PASSWORD_EXPIRED</value>
                <value>CLIENT KEY EXPIRED</value>
                <value>AcceptSecurityContext error, data 532</value>
                <value>AcceptSecurityContext error, data 773</value>
                <value>AcceptSecurityContext error, data 701</value>
            </list>
        </entry>
        <entry key="ExpiringPassword">
            <list>
                <value>ACCOUNT_WARNING</value>
            </list>
        </entry>
        <entry key="RequestUnsupported">
            <list>
                <value>RequestUnsupported</value>
            </list>
        </entry>
    </util:map>

</beans>
import 2022-08-05 13:33:15 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<beans xmlns="http://www.springframework.org/schema/beans"`
			`xmlns:context="http://www.springframework.org/schema/context"`
			`xmlns:util="http://www.springframework.org/schema/util"`
			`xmlns:p="http://www.springframework.org/schema/p"`
			`xmlns:c="http://www.springframework.org/schema/c"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd`
			`http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd`
			`http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"`

			`default-init-method="initialize"`
			`default-destroy-method="destroy">`

			`<!--`
			`Ordered list of CredentialValidators to apply to a request.`

			`The four supplied variants are shown below; the HTPasswd option`
			`is an OOB default for demo account purposes, and you will`
			`want to remove it after initial install and testing.`
			`-->`
			`<util:list id="shibboleth.authn.Password.Validators">`
			`<ref bean="shibboleth.LDAPValidator" />`
			`<!-- <ref bean="shibboleth.KerberosValidator" /> -->`
			`<!-- <ref bean="shibboleth.JAASValidator" /> -->`
			`<!-- <bean parent="shibboleth.HTPasswdValidator" p:resource="%{idp.home}/credentials/demo.htpasswd" /> -->`
			`</util:list>`

			`<!-- Apply any regular expression replacement pairs to username before validation. -->`
			`<util:list id="shibboleth.authn.Password.Transforms">`
			`<!--`
			`<bean parent="shibboleth.Pair" p:first="^(.+)@example\.org$" p:second="$1" />`
			`-->`
			`</util:list>`

			`<!-- Uncomment to configure account lockout backed by in-memory storage. -->`
			`<!--`
			`<bean id="shibboleth.authn.Password.AccountLockoutManager"`
			`parent="shibboleth.StorageBackedAccountLockoutManager"`
			`p:maxAttempts="5"`
			`p:counterInterval="PT5M"`
			`p:lockoutDuration="PT5M"`
			`p:extendLockoutDuration="false" />`
			`-->`

			`<!--`
			`Define entries here to map error messages detected by validation actions and classify them as particular`
			`kinds of errors for use in your templates and as events in flows.`

			`Keys are events to signal, values are error codes.`
			`-->`
			`<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">`
			`<entry key="UnknownUsername">`
			`<list>`
			`<value>NoCredentials</value>`
			`<value>UnknownUsername</value>`
			`<value>CLIENT_NOT_FOUND</value>`
			`<value>Client not found</value>`
			`<value>Cannot get kdc for realm</value>`
			`<value>Client not found in Kerberos database</value>`
			`<value>DN_RESOLUTION_FAILURE</value>`
			`<value>Cannot authenticate dn, invalid dn</value>`
			`<value>Cannot authenticate dn, invalid credential</value>`
			`<value>AcceptSecurityContext error, data 525</value>`
			`</list>`
			`</entry>`
			`<entry key="InvalidPassword">`
			`<list>`
			`<value>InvalidCredentials</value>`
			`<value>PREAUTH_FAILED</value>`
			`<value>INVALID_CREDENTIALS</value>`
			`<value>Checksum failed</value>`
			`<value>Integrity check on decrypted field failed</value>`
			`<value>Pre-authentication information was invalid</value>`
			`<value>Key bytes cannot be null</value>`
			`<value>AcceptSecurityContext error, data 52e</value>`
			`</list>`
			`</entry>`
			`<entry key="AccountLocked">`
			`<list>`
			`<value>AccountLocked</value>`
			`<value>Clients credentials have been revoked</value>`
			`<value>AcceptSecurityContext error, data 775</value>`
			`</list>`
			`</entry>`
			`<entry key="AccountDisabled">`
			`<list>`
			`<value>AcceptSecurityContext error, data 533</value>`
			`</list>`
			`</entry>`
			`<entry key="ExpiredPassword">`
			`<list>`
			`<value>PASSWORD_EXPIRED</value>`
			`<value>CLIENT KEY EXPIRED</value>`
			`<value>AcceptSecurityContext error, data 532</value>`
			`<value>AcceptSecurityContext error, data 773</value>`
			`<value>AcceptSecurityContext error, data 701</value>`
			`</list>`
			`</entry>`
			`<entry key="ExpiringPassword">`
			`<list>`
			`<value>ACCOUNT_WARNING</value>`
			`</list>`
			`</entry>`
			`<entry key="RequestUnsupported">`
			`<list>`
			`<value>RequestUnsupported</value>`
			`</list>`
			`</entry>`
			`</util:map>`

			`</beans>`