conf/authn/authn.properties

# Properties that control authentication generally and the behavior of
# specific methods.

# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows = RemoteUser

# Default settings for most authentication methods.
#idp.authn.defaultLifetime = PT1H
#idp.authn.defaultTimeout = PT30M
#idp.authn.proxyRestrictionsEnforced = true

# Whether to populate relying party user interface information for display
# during authentication, consent, terms-of-use.
#idp.authn.rpui = true

# Whether to prioritize "active" results when an SP requests more than
# one possible matching login method (V2 behavior was to favor them)
#idp.authn.favorSSO = false

# Whether to fail requests when a user identity after authentication
# doesn't match the identity in a pre-existing session.
#idp.authn.identitySwitchIsError = false

# If using IdP discovery feature, provides a discovery location to use.
#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html

# Properties below override specific method behavior, as an alternative
# to defining Spring beans in XML. Refer to the documentation for a complete
# list. Many of the properties below are mentioned only because they are
# atypical defaults assumed for a given method.

# Flow selection among multiple equivalent options can be managed with
# the order properties, lower will be tried first.

#### Password ####

#idp.authn.Password.order = 1000
#idp.authn.Password.passiveAuthenticationSupported = true
#idp.authn.Password.forcedAuthenticationSupported = true
# Override this and removeAfterValidation to require all validators to succeed
#idp.authn.Password.requireAll = false
# Override to keep the password around
#idp.authn.Password.removeAfterValidation = true
# Override to store password in Java Subject
#idp.authn.Password.retainAsPrivateCredential = false
# Simple username transforms before validation
#idp.authn.Password.trim = true
#idp.authn.Password.lowercase = false
#idp.authn.Password.uppercase = false
#idp.authn.Password.matchExpression = 
# Override default form field names
#idp.authn.Password.usernameFieldName = j_username
#idp.authn.Password.passwordFieldName = j_password
#idp.authn.Password.ssoBypassFieldName = donotcache
# Unset if using customized Principals per validator
#idp.authn.Password.addDefaultPrincipals = true
# The Principal collection below is the typical default if not otherwise noted.
#idp.authn.Password.supportedPrincipals = \
#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
#    saml1/urn:oasis:names:tc:SAML:1.0:am:password
# Validators are controlled in password-authn-config.xml

#### Password Backends ####

# See ldap.properties for LDAP authn properties
# Kerberos settings
#idp.authn.Krb5.refreshConfig = false
#idp.authn.Krb5.preserveTicket = false
# Set next two for KDC verification
#idp.authn.Krb5.servicePrincipal = 
#idp.authn.Krb5.keytab = 
# JAAS settings
#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config

#### External ####

#idp.authn.External.order = 1000
#idp.authn.External.nonBrowserSupported = false
#idp.authn.External.matchExpression = 
# Unset if you plan to return full Java Subject from external source
#idp.authn.External.addDefaultPrincipals = true
# Servlet context-relative path to wherever your implementation lives
idp.authn.External.externalAuthnPath = contextRelative:external.jsp

#### RemoteUser ####

#idp.authn.RemoteUser.order = 1000
#idp.authn.RemoteUser.nonBrowserSupported = false
#idp.authn.RemoteUser.matchExpression = 
# Unset in most cases only if using the authnMethodHeader or
# subjectAttribute settings
#idp.authn.RemoteUser.addDefaultPrincipals = true
# Most other settings need to be supplied via web.xml to the servlet

#### RemoteUserInternal ####

#idp.authn.RemoteUserInternal.order = 1000
#idp.authn.RemoteUserInternal.nonBrowserSupported = true
# Unset in most cases only if using the authnMethodHeader feature
#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
#idp.authn.RemoteUserInternal.checkRemoteUser = true
# Comma-delimited lists of attributes or headers to pull from
#idp.authn.RemoteUserInternal.checkAttributes = 
#idp.authn.RemoteUserInternal.checkHeaders = 
# Simple transforms to apply
#idp.authn.RemoteUserInternal.trim = true
#idp.authn.RemoteUserInternal.lowercase = false
#idp.authn.RemoteUserInternal.uppercase = false
#idp.authn.RemoteUserInternal.matchExpression = 
#idp.authn.RemoteUserInternal.allowedUsernames = 
#idp.authn.RemoteUserInternal.deniedUsernames = 

#### SPNEGO ####

#idp.authn.SPNEGO.order = 1000
#idp.authn.SPNEGO.nonBrowserSupported = false
#idp.authn.SPNEGO.enforceRun = false
#idp.authn.SPNEGO.refreshKrbConfig = false
#idp.authn.SPNEGO.matchExpression = 
idp.authn.SPNEGO.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
    saml1/urn:ietf:rfc:1510

#### X509 ####

#idp.authn.X509.order = 1000
#idp.authn.X509.nonBrowserSupported = false
# Servlet context-relative path to wherever your implementation lives
#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
idp.authn.X509.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
    saml1/urn:ietf:rfc:2246

#### X509Internal ####

#idp.authn.X509Internal.order = 1000
#idp.authn.X509Internal.nonBrowserSupported = false
#idp.authn.X509Internal.saveCertificateToCredentialSet = true
idp.authn.X509Internal.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
    saml1/urn:ietf:rfc:2246

#### IPAddress ####

#idp.authn.IPAddress.order = 1000
#idp.authn.IPAddress.passiveAuthenticationSupported = true
#idp.authn.IPAddress.lifetime = PT60S
#idp.authn.IPAddress.inactivityTimeout = PT60S
idp.authn.IPAddress.supportedPrincipals = \
   saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol

#### Function ####

#idp.authn.Function.order = 1000
#idp.authn.Function.passiveAuthenticationSupported = true
# Unset if you plan to return full Java Subject from function
#idp.authn.Function.addDefaultPrincipals = true

#### Duo ####

#idp.authn.Duo.order = 1000
#idp.authn.Duo.nonBrowserSupported = false
#idp.authn.Duo.forcedAuthenticationSupported = true
# Unset if you have advanced Duo integrations with individualized Principals
#idp.authn.Duo.addDefaultPrincipals = true
# The list below should be changed to reflect whatever locally- or
# community-defined values are appropriate to represent Duo. It is
# strongly advised that the value not be specific to Duo or any
# particular technology to avoid lock-in.
idp.authn.Duo.supportedPrincipals = \
    saml2/http://example.org/ac/classes/mfa, \
    saml1/http://example.org/ac/classes/mfa
# Default Duo integration settings are defined separately
# in duo.properties due to the sensitivity of the secret key.


#### SAML ####

#idp.authn.SAML.order = 1000
#idp.authn.SAML.nonBrowserSupported = false
#idp.authn.SAML.passiveAuthenticationSupported = true
#idp.authn.SAML.forcedAuthenticationSupported = true
#idp.authn.SAML.proxyScopingEnforced = true
# Discovery options:
#   Define shibboleth.authn.SAML.discoveryFunction bean
#   Set proxyEntityID property
#   Fall through to discovery via discoveryRequired property
#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
#idp.authn.SAML.discoveryRequired = true
# Generally left false with bidirectional mappings in
# conf/authn/authn-comparison.xml across the proxy boundary.
# Adjust as needed to reflect IdP's capabilities/support.
#idp.authn.SAML.addDefaultPrincipals = false
#idp.authn.SAML.supportedPrincipals = \
#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
#    saml1/urn:oasis:names:tc:SAML:1.0:am:password

#### MFA ####

#idp.authn.MFA.order = 1000
#idp.authn.MFA.passiveAuthenticationSupported = true
#idp.authn.MFA.forcedAuthenticationSupported = true
#idp.authn.MFA.validateLoginTransitions = true
# The list below almost certainly requires changes, and should generally be the
# union of any of the separate factors you combine in your particular MFA flow
# rules. The example corresponds to the example in mfa-authn-config.xml that
# combines IPAddress with Password.
idp.authn.MFA.supportedPrincipals = \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
    saml1/urn:oasis:names:tc:SAML:1.0:am:password
# Most actual setup via mfa-authn-config.xml
import 2022-08-05 13:33:15 +00:00			`# Properties that control authentication generally and the behavior of`
			`# specific methods.`

			`# Regular expression matching login flows to enable, e.g. IPAddress\|Password`
prepare 2022-08-05 14:00:14 +00:00			`idp.authn.flows = RemoteUser`
import 2022-08-05 13:33:15 +00:00
			`# Default settings for most authentication methods.`
			`#idp.authn.defaultLifetime = PT1H`
			`#idp.authn.defaultTimeout = PT30M`
			`#idp.authn.proxyRestrictionsEnforced = true`

			`# Whether to populate relying party user interface information for display`
			`# during authentication, consent, terms-of-use.`
			`#idp.authn.rpui = true`

			`# Whether to prioritize "active" results when an SP requests more than`
			`# one possible matching login method (V2 behavior was to favor them)`
			`#idp.authn.favorSSO = false`

			`# Whether to fail requests when a user identity after authentication`
			`# doesn't match the identity in a pre-existing session.`
			`#idp.authn.identitySwitchIsError = false`

			`# If using IdP discovery feature, provides a discovery location to use.`
			`#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html`

			`# Properties below override specific method behavior, as an alternative`
			`# to defining Spring beans in XML. Refer to the documentation for a complete`
			`# list. Many of the properties below are mentioned only because they are`
			`# atypical defaults assumed for a given method.`

			`# Flow selection among multiple equivalent options can be managed with`
			`# the order properties, lower will be tried first.`

			`#### Password ####`

			`#idp.authn.Password.order = 1000`
			`#idp.authn.Password.passiveAuthenticationSupported = true`
			`#idp.authn.Password.forcedAuthenticationSupported = true`
			`# Override this and removeAfterValidation to require all validators to succeed`
			`#idp.authn.Password.requireAll = false`
			`# Override to keep the password around`
			`#idp.authn.Password.removeAfterValidation = true`
			`# Override to store password in Java Subject`
			`#idp.authn.Password.retainAsPrivateCredential = false`
			`# Simple username transforms before validation`
			`#idp.authn.Password.trim = true`
			`#idp.authn.Password.lowercase = false`
			`#idp.authn.Password.uppercase = false`
			`#idp.authn.Password.matchExpression =`
			`# Override default form field names`
			`#idp.authn.Password.usernameFieldName = j_username`
			`#idp.authn.Password.passwordFieldName = j_password`
			`#idp.authn.Password.ssoBypassFieldName = donotcache`
			`# Unset if using customized Principals per validator`
			`#idp.authn.Password.addDefaultPrincipals = true`
			`# The Principal collection below is the typical default if not otherwise noted.`
			`#idp.authn.Password.supportedPrincipals = \`
			`# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \`
			`# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \`
			`# saml1/urn:oasis:names:tc:SAML:1.0:am:password`
			`# Validators are controlled in password-authn-config.xml`

			`#### Password Backends ####`

			`# See ldap.properties for LDAP authn properties`
			`# Kerberos settings`
			`#idp.authn.Krb5.refreshConfig = false`
			`#idp.authn.Krb5.preserveTicket = false`
			`# Set next two for KDC verification`
			`#idp.authn.Krb5.servicePrincipal =`
			`#idp.authn.Krb5.keytab =`
			`# JAAS settings`
			`#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth`
			`#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config`

			`#### External ####`

			`#idp.authn.External.order = 1000`
			`#idp.authn.External.nonBrowserSupported = false`
			`#idp.authn.External.matchExpression =`
			`# Unset if you plan to return full Java Subject from external source`
			`#idp.authn.External.addDefaultPrincipals = true`
			`# Servlet context-relative path to wherever your implementation lives`
			`idp.authn.External.externalAuthnPath = contextRelative:external.jsp`

			`#### RemoteUser ####`

			`#idp.authn.RemoteUser.order = 1000`
			`#idp.authn.RemoteUser.nonBrowserSupported = false`
			`#idp.authn.RemoteUser.matchExpression =`
			`# Unset in most cases only if using the authnMethodHeader or`
			`# subjectAttribute settings`
			`#idp.authn.RemoteUser.addDefaultPrincipals = true`
			`# Most other settings need to be supplied via web.xml to the servlet`

			`#### RemoteUserInternal ####`

			`#idp.authn.RemoteUserInternal.order = 1000`
			`#idp.authn.RemoteUserInternal.nonBrowserSupported = true`
			`# Unset in most cases only if using the authnMethodHeader feature`
			`#idp.authn.RemoteUserInternal.addDefaultPrincipals = true`
			`#idp.authn.RemoteUserInternal.checkRemoteUser = true`
			`# Comma-delimited lists of attributes or headers to pull from`
			`#idp.authn.RemoteUserInternal.checkAttributes =`
			`#idp.authn.RemoteUserInternal.checkHeaders =`
			`# Simple transforms to apply`
			`#idp.authn.RemoteUserInternal.trim = true`
			`#idp.authn.RemoteUserInternal.lowercase = false`
			`#idp.authn.RemoteUserInternal.uppercase = false`
			`#idp.authn.RemoteUserInternal.matchExpression =`
			`#idp.authn.RemoteUserInternal.allowedUsernames =`
			`#idp.authn.RemoteUserInternal.deniedUsernames =`

			`#### SPNEGO ####`

			`#idp.authn.SPNEGO.order = 1000`
			`#idp.authn.SPNEGO.nonBrowserSupported = false`
			`#idp.authn.SPNEGO.enforceRun = false`
			`#idp.authn.SPNEGO.refreshKrbConfig = false`
			`#idp.authn.SPNEGO.matchExpression =`
			`idp.authn.SPNEGO.supportedPrincipals = \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \`
			`saml1/urn:ietf:rfc:1510`

			`#### X509 ####`

			`#idp.authn.X509.order = 1000`
			`#idp.authn.X509.nonBrowserSupported = false`
			`# Servlet context-relative path to wherever your implementation lives`
			`#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp`
			`idp.authn.X509.supportedPrincipals = \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \`
			`saml1/urn:ietf:rfc:2246`

			`#### X509Internal ####`

			`#idp.authn.X509Internal.order = 1000`
			`#idp.authn.X509Internal.nonBrowserSupported = false`
			`#idp.authn.X509Internal.saveCertificateToCredentialSet = true`
			`idp.authn.X509Internal.supportedPrincipals = \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \`
			`saml1/urn:ietf:rfc:2246`

			`#### IPAddress ####`

			`#idp.authn.IPAddress.order = 1000`
			`#idp.authn.IPAddress.passiveAuthenticationSupported = true`
			`#idp.authn.IPAddress.lifetime = PT60S`
			`#idp.authn.IPAddress.inactivityTimeout = PT60S`
			`idp.authn.IPAddress.supportedPrincipals = \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol`

			`#### Function ####`

			`#idp.authn.Function.order = 1000`
			`#idp.authn.Function.passiveAuthenticationSupported = true`
			`# Unset if you plan to return full Java Subject from function`
			`#idp.authn.Function.addDefaultPrincipals = true`

			`#### Duo ####`

			`#idp.authn.Duo.order = 1000`
			`#idp.authn.Duo.nonBrowserSupported = false`
			`#idp.authn.Duo.forcedAuthenticationSupported = true`
			`# Unset if you have advanced Duo integrations with individualized Principals`
			`#idp.authn.Duo.addDefaultPrincipals = true`
			`# The list below should be changed to reflect whatever locally- or`
			`# community-defined values are appropriate to represent Duo. It is`
			`# strongly advised that the value not be specific to Duo or any`
			`# particular technology to avoid lock-in.`
			`idp.authn.Duo.supportedPrincipals = \`
			`saml2/http://example.org/ac/classes/mfa, \`
			`saml1/http://example.org/ac/classes/mfa`
			`# Default Duo integration settings are defined separately`
			`# in duo.properties due to the sensitivity of the secret key.`


			`#### SAML ####`

			`#idp.authn.SAML.order = 1000`
			`#idp.authn.SAML.nonBrowserSupported = false`
			`#idp.authn.SAML.passiveAuthenticationSupported = true`
			`#idp.authn.SAML.forcedAuthenticationSupported = true`
			`#idp.authn.SAML.proxyScopingEnforced = true`
			`# Discovery options:`
			`# Define shibboleth.authn.SAML.discoveryFunction bean`
			`# Set proxyEntityID property`
			`# Fall through to discovery via discoveryRequired property`
			`#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth`
			`#idp.authn.SAML.discoveryRequired = true`
			`# Generally left false with bidirectional mappings in`
			`# conf/authn/authn-comparison.xml across the proxy boundary.`
			`# Adjust as needed to reflect IdP's capabilities/support.`
			`#idp.authn.SAML.addDefaultPrincipals = false`
			`#idp.authn.SAML.supportedPrincipals = \`
			`# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \`
			`# saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \`
			`# saml1/urn:oasis:names:tc:SAML:1.0:am:password`

			`#### MFA ####`

			`#idp.authn.MFA.order = 1000`
			`#idp.authn.MFA.passiveAuthenticationSupported = true`
			`#idp.authn.MFA.forcedAuthenticationSupported = true`
			`#idp.authn.MFA.validateLoginTransitions = true`
			`# The list below almost certainly requires changes, and should generally be the`
			`# union of any of the separate factors you combine in your particular MFA flow`
			`# rules. The example corresponds to the example in mfa-authn-config.xml that`
			`# combines IPAddress with Password.`
			`idp.authn.MFA.supportedPrincipals = \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \`
			`saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \`
			`saml1/urn:oasis:names:tc:SAML:1.0:am:password`
			`# Most actual setup via mfa-authn-config.xml`