import

conf/authn/authn.properties

@@ -0,0 +1,218 @@
+# Properties that control authentication generally and the behavior of
+# specific methods.
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+#idp.authn.flows = Password
+
+# Default settings for most authentication methods.
+#idp.authn.defaultLifetime = PT1H
+#idp.authn.defaultTimeout = PT30M
+#idp.authn.proxyRestrictionsEnforced = true
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# If using IdP discovery feature, provides a discovery location to use.
+#idp.authn.discoveryURL = https://ds.example.org/shibboleth-ds/index.html
+
+# Properties below override specific method behavior, as an alternative
+# to defining Spring beans in XML. Refer to the documentation for a complete
+# list. Many of the properties below are mentioned only because they are
+# atypical defaults assumed for a given method.
+
+# Flow selection among multiple equivalent options can be managed with
+# the order properties, lower will be tried first.
+
+#### Password ####
+
+#idp.authn.Password.order = 1000
+#idp.authn.Password.passiveAuthenticationSupported = true
+#idp.authn.Password.forcedAuthenticationSupported = true
+# Override this and removeAfterValidation to require all validators to succeed
+#idp.authn.Password.requireAll = false
+# Override to keep the password around
+#idp.authn.Password.removeAfterValidation = true
+# Override to store password in Java Subject
+#idp.authn.Password.retainAsPrivateCredential = false
+# Simple username transforms before validation
+#idp.authn.Password.trim = true
+#idp.authn.Password.lowercase = false
+#idp.authn.Password.uppercase = false
+#idp.authn.Password.matchExpression = 
+# Override default form field names
+#idp.authn.Password.usernameFieldName = j_username
+#idp.authn.Password.passwordFieldName = j_password
+#idp.authn.Password.ssoBypassFieldName = donotcache
+# Unset if using customized Principals per validator
+#idp.authn.Password.addDefaultPrincipals = true
+# The Principal collection below is the typical default if not otherwise noted.
+#idp.authn.Password.supportedPrincipals = \
+#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+#    saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Validators are controlled in password-authn-config.xml
+
+#### Password Backends ####
+
+# See ldap.properties for LDAP authn properties
+# Kerberos settings
+#idp.authn.Krb5.refreshConfig = false
+#idp.authn.Krb5.preserveTicket = false
+# Set next two for KDC verification
+#idp.authn.Krb5.servicePrincipal = 
+#idp.authn.Krb5.keytab = 
+# JAAS settings
+#idp.authn.JAAS.loginConfigNames = ShibUserPassAuth
+#idp.authn.JAAS.loginConfig = %{idp.home}/conf/authn/jaas.config
+
+#### External ####
+
+#idp.authn.External.order = 1000
+#idp.authn.External.nonBrowserSupported = false
+#idp.authn.External.matchExpression = 
+# Unset if you plan to return full Java Subject from external source
+#idp.authn.External.addDefaultPrincipals = true
+# Servlet context-relative path to wherever your implementation lives
+idp.authn.External.externalAuthnPath = contextRelative:external.jsp
+
+#### RemoteUser ####
+
+#idp.authn.RemoteUser.order = 1000
+#idp.authn.RemoteUser.nonBrowserSupported = false
+#idp.authn.RemoteUser.matchExpression = 
+# Unset in most cases only if using the authnMethodHeader or
+# subjectAttribute settings
+#idp.authn.RemoteUser.addDefaultPrincipals = true
+# Most other settings need to be supplied via web.xml to the servlet
+
+#### RemoteUserInternal ####
+
+#idp.authn.RemoteUserInternal.order = 1000
+#idp.authn.RemoteUserInternal.nonBrowserSupported = true
+# Unset in most cases only if using the authnMethodHeader feature
+#idp.authn.RemoteUserInternal.addDefaultPrincipals = true
+#idp.authn.RemoteUserInternal.checkRemoteUser = true
+# Comma-delimited lists of attributes or headers to pull from
+#idp.authn.RemoteUserInternal.checkAttributes = 
+#idp.authn.RemoteUserInternal.checkHeaders = 
+# Simple transforms to apply
+#idp.authn.RemoteUserInternal.trim = true
+#idp.authn.RemoteUserInternal.lowercase = false
+#idp.authn.RemoteUserInternal.uppercase = false
+#idp.authn.RemoteUserInternal.matchExpression = 
+#idp.authn.RemoteUserInternal.allowedUsernames = 
+#idp.authn.RemoteUserInternal.deniedUsernames = 
+
+#### SPNEGO ####
+
+#idp.authn.SPNEGO.order = 1000
+#idp.authn.SPNEGO.nonBrowserSupported = false
+#idp.authn.SPNEGO.enforceRun = false
+#idp.authn.SPNEGO.refreshKrbConfig = false
+#idp.authn.SPNEGO.matchExpression = 
+idp.authn.SPNEGO.supportedPrincipals = \
+    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, \
+    saml1/urn:ietf:rfc:1510
+
+#### X509 ####
+
+#idp.authn.X509.order = 1000
+#idp.authn.X509.nonBrowserSupported = false
+# Servlet context-relative path to wherever your implementation lives
+#idp.authn.X509.externalAuthnPath = contextRelative:x509-prompt.jsp
+idp.authn.X509.supportedPrincipals = \
+    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+    saml1/urn:ietf:rfc:2246
+
+#### X509Internal ####
+
+#idp.authn.X509Internal.order = 1000
+#idp.authn.X509Internal.nonBrowserSupported = false
+#idp.authn.X509Internal.saveCertificateToCredentialSet = true
+idp.authn.X509Internal.supportedPrincipals = \
+    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:X509, \
+    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, \
+    saml1/urn:ietf:rfc:2246
+
+#### IPAddress ####
+
+#idp.authn.IPAddress.order = 1000
+#idp.authn.IPAddress.passiveAuthenticationSupported = true
+#idp.authn.IPAddress.lifetime = PT60S
+#idp.authn.IPAddress.inactivityTimeout = PT60S
+idp.authn.IPAddress.supportedPrincipals = \
+   saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol
+
+#### Function ####
+
+#idp.authn.Function.order = 1000
+#idp.authn.Function.passiveAuthenticationSupported = true
+# Unset if you plan to return full Java Subject from function
+#idp.authn.Function.addDefaultPrincipals = true
+
+#### Duo ####
+
+#idp.authn.Duo.order = 1000
+#idp.authn.Duo.nonBrowserSupported = false
+#idp.authn.Duo.forcedAuthenticationSupported = true
+# Unset if you have advanced Duo integrations with individualized Principals
+#idp.authn.Duo.addDefaultPrincipals = true
+# The list below should be changed to reflect whatever locally- or
+# community-defined values are appropriate to represent Duo. It is
+# strongly advised that the value not be specific to Duo or any
+# particular technology to avoid lock-in.
+idp.authn.Duo.supportedPrincipals = \
+    saml2/http://example.org/ac/classes/mfa, \
+    saml1/http://example.org/ac/classes/mfa
+# Default Duo integration settings are defined separately
+# in duo.properties due to the sensitivity of the secret key.
+
+
+#### SAML ####
+
+#idp.authn.SAML.order = 1000
+#idp.authn.SAML.nonBrowserSupported = false
+#idp.authn.SAML.passiveAuthenticationSupported = true
+#idp.authn.SAML.forcedAuthenticationSupported = true
+#idp.authn.SAML.proxyScopingEnforced = true
+# Discovery options:
+#   Define shibboleth.authn.SAML.discoveryFunction bean
+#   Set proxyEntityID property
+#   Fall through to discovery via discoveryRequired property
+#idp.authn.SAML.proxyEntityID = https://idp.example.org/idp/shibboleth
+#idp.authn.SAML.discoveryRequired = true
+# Generally left false with bidirectional mappings in
+# conf/authn/authn-comparison.xml across the proxy boundary.
+# Adjust as needed to reflect IdP's capabilities/support.
+#idp.authn.SAML.addDefaultPrincipals = false
+#idp.authn.SAML.supportedPrincipals = \
+#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+#    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+#    saml1/urn:oasis:names:tc:SAML:1.0:am:password
+
+#### MFA ####
+
+#idp.authn.MFA.order = 1000
+#idp.authn.MFA.passiveAuthenticationSupported = true
+#idp.authn.MFA.forcedAuthenticationSupported = true
+#idp.authn.MFA.validateLoginTransitions = true
+# The list below almost certainly requires changes, and should generally be the
+# union of any of the separate factors you combine in your particular MFA flow
+# rules. The example corresponds to the example in mfa-authn-config.xml that
+# combines IPAddress with Password.
+idp.authn.MFA.supportedPrincipals = \
+    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol, \
+    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, \
+    saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:Password, \
+    saml1/urn:oasis:names:tc:SAML:1.0:am:password
+# Most actual setup via mfa-authn-config.xml